RFC 3585

IPsec Configuration Policy Information Model

Part 4 of 4, p. 79 to 88
Page 79
9. Implementation Requirements

   The following table specifies which classes, properties, associations
   and aggregations MUST or SHOULD or MAY be implemented.

   4. Policy Classes
   4.1. The Class SARule..........................................MUST
   4.1.1. The Property PolicyRuleName..............................MAY
   4.1.1. The Property Enabled....................................MUST
   4.1.1. The Property ConditionListType..........................MUST
   4.1.1. The Property RuleUsage...................................MAY
   4.1.1. The Property Mandatory...................................MAY
   4.1.1. The Property SequencedActions...........................MUST

   4.1.1. The Property PolicyRoles.................................MAY
   4.1.1. The Property PolicyDecisionStrategy......................MAY
   4.1.2. The Property ExecutionStrategy..........................MUST
   4.1.3. The Property LimitNegotiation............................MAY
   4.2. The Class IKERule.........................................MUST
   4.2.1. The Property IdentityContexts............................MAY
   4.3. The Class IPsecRule.......................................MUST
   4.4. The Association Class IPsecPolicyForEndpoint...............MAY
   4.4.1. The Reference Antecedent................................MUST
   4.4.2. The Reference Dependent.................................MUST
   4.5. The Association Class IPsecPolicyForSystem.................MAY
   4.5.1. The Reference Antecedent................................MUST
   4.5.2. The Reference Dependent.................................MUST
   4.6. The Aggregation Class SAConditionInRule...................MUST
   4.6.1. The Property GroupNumber..............................SHOULD
   4.6.1. The Property ConditionNegated.........................SHOULD
   4.6.2. The Reference GroupComponent............................MUST
   4.6.3. The Reference PartComponent.............................MUST
   4.7. The Aggregation Class PolicyActionInSARule................MUST
   4.7.1. The Reference GroupComponent............................MUST
   4.7.2. The Reference PartComponent.............................MUST
   4.7.3. The Property ActionOrder..............................SHOULD
   5. Condition and Filter Classes
   5.1. The Class SACondition.....................................MUST
   5.2. The Class IPHeadersFilter...............................SHOULD
   5.3. The Class CredentialFilterEntry............................MAY
   5.3.1. The Property MatchFieldName.............................MUST
   5.3.2. The Property MatchFieldValue............................MUST
   5.3.3. The Property CredentialType.............................MUST
   5.4. The Class IPSOFilterEntry..................................MAY
   5.4.1. The Property MatchConditionType.........................MUST
   5.4.2. The Property MatchConditionValue........................MUST
   5.5. The Class PeerIDPayloadFilterEntry.........................MAY
   5.5.1. The Property MatchIdentityType..........................MUST
   5.5.2. The Property MatchIdentityValue.........................MUST
   5.6. The Association Class FilterOfSACondition...............SHOULD
   5.6.1. The Reference Antecedent................................MUST
   5.6.2. The Reference Dependent.................................MUST
   5.7. The Association Class AcceptCredentialFrom.................MAY
   5.7.1. The Reference Antecedent................................MUST
   5.7.2. The Reference Dependent.................................MUST
   6. Action Classes
   6.1. The Class SAAction........................................MUST
   6.1.1. The Property DoActionLogging.............................MAY
   6.1.2. The Property DoPacketLogging.............................MAY
   6.2. The Class SAStaticAction..................................MUST
   6.2.1. The Property LifetimeSeconds............................MUST
   6.3. The Class IPsecBypassAction.............................SHOULD

   6.4. The Class IPsecDiscardAction............................SHOULD
   6.5. The Class IKERejectAction..................................MAY
   6.6. The Class PreconfiguredSAAction...........................MUST
   6.6.1. The Property LifetimeKilobytes..........................MUST
   6.7. The Class PreconfiguredTransportAction....................MUST
   6.8. The Class PreconfiguredTunnelAction.......................MUST
   6.8.1. The Property DFHandling.................................MUST
   6.9. The Class SANegotiationAction.............................MUST
   6.10. The Class IKENegotiationAction...........................MUST
   6.10.1. The Property MinLifetimeSeconds.........................MAY
   6.10.2. The Property MinLifetimeKilobytes.......................MAY
   6.10.3. The Property IdleDurationSeconds........................MAY
   6.11. The Class IPsecAction....................................MUST
   6.11.1. The Property UsePFS....................................MUST
   6.11.2. The Property UseIKEGroup................................MAY
   6.11.3. The Property GroupId...................................MUST
   6.11.4. The Property Granularity.............................SHOULD
   6.11.5. The Property VendorID...................................MAY
   6.12. The Class IPsecTransportAction...........................MUST
   6.13. The Class IPsecTunnelAction..............................MUST
   6.13.1. The Property DFHandling................................MUST
   6.14. The Class IKEAction......................................MUST
   6.14.1. The Property ExchangeMode..............................MUST
   6.14.2. The Property UseIKEIdentityType........................MUST
   6.14.3. The Property VendorID...................................MAY
   6.14.4. The Property AggressiveModeGroupId......................MAY
   6.15. The Class PeerGateway....................................MUST
   6.15.1. The Property Name....................................SHOULD
   6.15.2. The Property PeerIdentityType..........................MUST
   6.15.3. The Property PeerIdentity..............................MUST
   6.16. The Association Class PeerGatewayForTunnel...............MUST
   6.16.1. The Reference Antecedent...............................MUST
   6.16.2. The Reference Dependent................................MUST
   6.16.3. The Property SequenceNumber..........................SHOULD
   6.17. The Aggregation Class ContainedProposal..................MUST
   6.17.1. The Reference GroupComponent...........................MUST
   6.17.2. The Reference PartComponent............................MUST
   6.17.3. The Property SequenceNumber............................MUST
   6.18. The Association Class HostedPeerGatewayInformation........MAY
   6.18.1. The Reference Antecedent...............................MUST
   6.18.2. The Reference Dependent................................MUST
   6.19. The Association Class TransformOfPreconfiguredAction.....MUST
   6.19.1. The Reference Antecedent...............................MUST
   6.19.2. The Reference Dependent................................MUST
   6.19.3. The Property SPI.......................................MUST
   6.19.4. The Property Direction.................................MUST
   6.20. The Association Class PeerGatewayForPreconfiguredTunnel..MUST
   6.20.1. The Reference Antecedent...............................MUST

   6.20.2. The Reference Dependent................................MUST
   7. Proposal and Transform Classes
   7.1. The Abstract Class SAProposal.............................MUST
   7.1.1. The Property Name.....................................SHOULD
   7.2. The Class IKEProposal.....................................MUST
   7.2.1. The Property CipherAlgorithm............................MUST
   7.2.2. The Property HashAlgorithm..............................MUST
   7.2.3. The Property PRFAlgorithm................................MAY
   7.2.4. The Property GroupId....................................MUST
   7.2.5. The Property AuthenticationMethod.......................MUST
   7.2.6. The Property MaxLifetimeSeconds.........................MUST
   7.2.7. The Property MaxLifetimeKilobytes.......................MUST
   7.2.8. The Property VendorID....................................MAY
   7.3. The Class IPsecProposal...................................MUST
   7.4. The Abstract Class SATransform............................MUST
   7.4.1. The Property TransformName............................SHOULD
   7.4.2. The Property VendorID....................................MAY
   7.4.3. The Property MaxLifetimeSeconds.........................MUST
   7.4.4. The Property MaxLifetimeKilobytes.......................MUST
   7.5. The Class AHTransform.....................................MUST
   7.5.1. The Property AHTransformId..............................MUST
   7.5.2. The Property UseReplayPrevention.........................MAY
   7.5.3. The Property ReplayPreventionWindowSize..................MAY
   7.6. The Class ESPTransform....................................MUST
   7.6.1. The Property IntegrityTransformId.......................MUST
   7.6.2. The Property CipherTransformId..........................MUST
   7.6.3. The Property CipherKeyLength.............................MAY
   7.6.4. The Property CipherKeyRounds.............................MAY
   7.6.5. The Property UseReplayPrevention.........................MAY
   7.6.6. The Property ReplayPreventionWindowSize..................MAY
   7.7. The Class IPCOMPTransform..................................MAY
   7.7.1. The Property Algorithm..................................MUST
   7.7.2. The Property DictionarySize..............................MAY
   7.7.3. The Property PrivateAlgorithm............................MAY
   7.8. The Association Class SAProposalInSystem...................MAY
   7.8.1. The Reference Antecedent................................MUST
   7.8.2. The Reference Dependent.................................MUST
   7.9. The Aggregation Class ContainedTransform..................MUST
   7.9.1. The Reference GroupComponent............................MUST
   7.9.2. The Reference PartComponent.............................MUST
   7.9.3. The Property SequenceNumber.............................MUST
   7.10. The Association Class SATransformInSystem.................MAY
   7.10.1. The Reference Antecedent...............................MUST
   7.10.2. The Reference Dependent................................MUST
   8. IKE Service and Identity Classes
   8.1. The Class IKEService.......................................MAY
   8.2. The Class PeerIdentityTable................................MAY
   8.3.1. The Property Name.....................................SHOULD

   8.3. The Class PeerIdentityEntry................................MAY
   8.3.1. The Property PeerIdentity.............................SHOULD
   8.3.2. The Property PeerIdentityType.........................SHOULD
   8.3.3. The Property PeerAddress..............................SHOULD
   8.3.4. The Property PeerAddressType..........................SHOULD
   8.4. The Class AutostartIKEConfiguration........................MAY
   8.5. The Class AutostartIKESetting..............................MAY
   8.5.1. The Property Phase1Only..................................MAY
   8.5.2. The Property AddressType..............................SHOULD
   8.5.3. The Property SourceAddress..............................MUST
   8.5.4. The Property SourcePort.................................MUST
   8.5.5. The Property DestinationAddress.........................MUST
   8.5.6. The Property DestinationPort............................MUST
   8.5.7. The Property Protocol...................................MUST
   8.6. The Class IKEIdentity......................................MAY
   8.6.1. The Property IdentityType...............................MUST
   8.6.2. The Property IdentityValue..............................MUST
   8.6.3. The Property IdentityContexts............................MAY
   8.7. The Association Class HostedPeerIdentityTable..............MAY
   8.7.1. The Reference Antecedent................................MUST
   8.7.2. The Reference Dependent.................................MUST
   8.8. The Aggregation Class PeerIdentityMember...................MAY
   8.8.1. The Reference Collection................................MUST
   8.8.2. The Reference Member....................................MUST
   8.9. The Association Class IKEServicePeerGateway................MAY
   8.9.1. The Reference Antecedent................................MUST
   8.9.2. The Reference Dependent.................................MUST
   8.10. The Association Class IKEServicePeerIdentityTable.........MAY
   8.10.1. The Reference Antecedent...............................MUST
   8.10.2. The Reference Dependent................................MUST
   8.11. The Association Class IKEAutostartSetting.................MAY
   8.11.1. The Reference Element..................................MUST
   8.11.2. The Reference Setting..................................MUST
   8.12. The Aggregation Class AutostartIKESettingContext..........MAY
   8.12.1. The Reference Context..................................MUST
   8.12.2. The Reference Setting..................................MUST
   8.12.3. The Property SequenceNumber..........................SHOULD
   8.13. The Association Class IKEServiceForEndpoint...............MAY
   8.13.1. The Reference Antecedent...............................MUST
   8.13.2. The Reference Dependent................................MUST
   8.14. The Association Class IKEAutostartConfiguration...........MAY
   8.14.1. The Reference Antecedent...............................MUST
   8.14.2. The Reference Dependent................................MUST
   8.14.3. The Property Active..................................SHOULD
   8.15. The Association Class IKEUsesCredentialManagementService..MAY
   8.15.1. The Reference Antecedent...............................MUST
   8.15.2. The Reference Dependent................................MUST
   8.16. The Association Class EndpointHasLocalIKEIdentity.........MAY

   8.16.1. The Reference Antecedent...............................MUST
   8.16.2. The Reference Dependent................................MUST
   8.17. The Association Class CollectionHasLocalIKEIdentity.......MAY
   8.17.1. The Reference Antecedent...............................MUST
   8.17.2. The Reference Dependent................................MUST
   8.18. The Association Class IKEIdentitysCredential..............MAY
   8.18.1. The Reference Antecedent...............................MUST
   8.18.2. The Reference Dependent................................MUST

10. Security Considerations

   This document only describes an information model for IPsec policy.
   It does not detail security requirements for storage or delivery of
   said information.

   Physical models derived from this information model MUST implement
   the relevant security for storage and delivery.  Most of the classes
   (e.g., IPHeadersFilter, SAAction, ...) MUST at least be provided with
   the integrity service; other pieces of information MUST also receive
   the confidentiality service (e.g., SharedSecret as described in the
   classes PeerIdentityEntry and PreconfiguredSAAction).
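   The following Go program is an added illustration of that requirement
   and is not code from the RFC or from any derived physical model.  It
   assumes a flat JSON form for a class instance (the PolicyObject and
   Sealed types are inventions of this example) and a single AES-GCM store
   key: every object is authenticated, and only the SharedSecret property
   is encrypted, so a PreconfiguredSAAction stored with it gets both
   services while an IKERule still gets the integrity service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// PolicyObject is an assumed flat form of one class instance (RFC 3585 defines none).
type PolicyObject struct {
	Class      string            `json:"class"`
	Properties map[string]string `json:"properties"`
}
// Properties that section 10 says also need the confidentiality service.
var confidential = map[string]bool{"SharedSecret": true}
// Sealed is the stored form: Public stays readable but is bound into the AES-GCM
// tag as associated data; Secrets is base64(nonce || ciphertext of the secrets).
type Sealed struct {
	Public  PolicyObject `json:"public"`
	Secrets string       `json:"secrets"`
}

func NewAEAD(key []byte) (cipher.AEAD, error) { // key: 16, 24 or 32 bytes
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Seal gives every object the integrity service and the secrets confidentiality.
func Seal(gcm cipher.AEAD, obj PolicyObject) ([]byte, error) {
	pub := PolicyObject{Class: obj.Class, Properties: map[string]string{}}
	sec := map[string]string{}
	for name, val := range obj.Properties {
		if confidential[name] {
			sec[name] = val
		} else {
			pub.Properties[name] = val
		}
	}
	aad, _ := json.Marshal(pub) // map keys are emitted sorted, so these bytes are stable
	pt, _ := json.Marshal(sec)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error on supported platforms
	ct := gcm.Seal(nonce, nonce, pt, aad)
	return json.Marshal(Sealed{Public: pub, Secrets: base64.StdEncoding.EncodeToString(ct)})
}

// Open re-derives the associated data from the stored public part, so any edit fails the tag.
func Open(gcm cipher.AEAD, stored []byte) (PolicyObject, error) {
	var s Sealed
	if err := json.Unmarshal(stored, &s); err != nil {
		return PolicyObject{}, err
	}
	ct, err := base64.StdEncoding.DecodeString(s.Secrets)
	if err != nil || len(ct) < gcm.NonceSize() {
		return PolicyObject{}, errors.New("malformed secrets field")
	}
	aad, _ := json.Marshal(s.Public)
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], aad)
	if err != nil {
		return PolicyObject{}, err // authentication failed: reject the whole object
	}
	// pt is Seal's authenticated JSON; Unmarshal into the existing map merges it in.
	_ = json.Unmarshal(pt, &s.Public.Properties)
	return s.Public, nil
}
```

   A store built this way rejects an object whose public properties or
   class name were edited at rest, not only one whose secret was altered.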

11. Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.  Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.

   Copies of claims of rights made available for publication and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard.  Please address the information to the IETF Executive
   Director.

12. References

12.1. Normative References

   [COMP]       Shacham, A., Monsour, B., Pereira, R. and M. Thomas, "IP
                Payload Compression Protocol (IPComp)", RFC 3173,
                September 2001.

   [ESP]        Kent, S. and R. Atkinson, "IP Encapsulating Security
                Payload (ESP)", RFC 2406, November 1998.

   [AH]         Kent, S. and R. Atkinson, "IP Authentication Header",
                RFC 2402, November 1998.

   [DOI]        Piper, D., "The Internet IP Security Domain of
                Interpretation for ISAKMP", RFC 2407, November 1998.

   [IKE]        Harkins, D. and D. Carrel, "The Internet Key Exchange
                (IKE)", RFC 2409, November 1998.

   [PCIM]       Moore, B., Ellesson, E., Strassner, J. and A.
                Westerinen, "Policy Core Information Model -- Version 1
                Specification", RFC 3060, February 2001.

   [PCIME]      Moore, B., Editor, "Policy Core Information Model (PCIM)
                Extensions", RFC 3460, January 2003.

   [KEYWORDS]   Bradner, S., "Key words for use in RFCs to Indicate
                Requirement Levels", BCP 14, RFC 2119, March 1997.

   [CIMCORE]    DMTF Common Information Model - Core Model v2.5,
                http://www.dmtf.org/standards/CIM_Schema25/CIM_Core25.mof

   [CIMUSER]    DMTF Common Information Model - User-Security Model v2.5,
                http://www.dmtf.org/standards/CIM_Schema25/CIM_User25.mof

   [CIMNETWORK] DMTF Common Information Model - Network Model v2.5,
                http://www.dmtf.org/standards/CIM_Schema25/CIM_Network25.mof

   [IPSO]       Kent, S., "U.S. Department of Defense Security Options
                for the Internet Protocol", RFC 1108, November 1991.

   [IPSEC]      Kent, S. and R. Atkinson, "Security Architecture for the
                Internet Protocol", RFC 2401, November 1998.

12.2. Informative References

   [LDAP]       Wahl, M., Howes, T. and S. Kille, "Lightweight Directory
                Access Protocol (v3)", RFC 2251, December 1997.

   [COPS]       Durham, D., Ed., Boyle, J., Cohen, R., Herzog, S.,
                Rajan, R. and A. Sastry, "The COPS (Common Open Policy
                Service) Protocol", RFC 2748, January 2000.

   [COPSPR]     Chan, K., Seligson, J., Durham, D., Gai, S., McCloghrie,
                K., Herzog, S., Reichmeyer, R., Yavatkar, R. and A.
                Smith, "COPS Usage for Policy Provisioning (COPS-PR)",
                RFC 3084, March 2001.

   [DMTF]       Distributed Management Task Force, http://www.dmtf.org/

13. Disclaimer

   The views and specification herein are those of the authors and are
   not necessarily those of their employer.  The authors and their
   employer specifically disclaim responsibility for any problems
   arising from correct or incorrect implementation or use of this
   specification.

14. Acknowledgments

   The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire,
   Vic Lortz, William Dixon, Man Li, Wes Hardaker and Ricky Charlet for
   their contributions to this IPsec policy model.

   Additionally, this document would not have been possible without the
   preceding IPsec schema documents.  For that, thanks go out to Rob
   Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju
   Rajan.

15. Authors' Addresses

   Jamie Jason
   Intel Corporation
   MS JF3-206
   2111 NE 25th Ave.
   Hillsboro, OR 97124

   EMail: jamie.jason@intel.com


   Lee Rafalow
   IBM Corporation, BRQA/502
   4205 So. Miami Blvd.
   Research Triangle Park, NC 27709

   EMail: rafalow@watson.ibm.com


   Eric Vyncke
   Cisco Systems
   7 De Kleetlaan
   B-1831 Diegem
   Belgium

   EMail: evyncke@cisco.com

16. Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.