
RFC 3585

IPsec Configuration Policy Information Model

Pages: 88
Proposed Standard
Part 3 of 4 – Pages 50 to 79

7. Proposal and Transform Classes

The proposal and transform classes model the proposal settings an IPsec device will use during IKE phase 1 and 2 negotiations.

                +--------------+*w    1+--------------+
                | [SAProposal] |-------|    System    |
                +--------------+  (a)  |  ([CIMCORE]) |
                       ^               +--------------+
                       |                      |1
            +--------------------+            |
            |                    |            |
     +-------------+     +---------------+    |
     | IKEProposal |     | IPsecProposal |    |
     +-------------+     +---------------+    |
                                *o            |
                                 |(b)         |(c)
                                n|            |
                         +---------------+*w  |
                         | [SATransform] |----+
                         +---------------+
                                 ^
                                 |
          +-------------------+---------------------+
          |                   |                     |
   +-------------+     +--------------+     +----------------+
   | AHTransform |     | ESPTransform |     |IPCOMPTransform |
   +-------------+     +--------------+     +----------------+

      (a)  SAProposalInSystem
      (b)  ContainedTransform
      (c)  SATransformInSystem

7.1. The Abstract Class SAProposal

The abstract class SAProposal serves as the base class for the IKE and IPsec proposal classes. It specifies the parameters that are common to the two proposal types. The class definition for SAProposal is as follows:

      NAME         SAProposal
      DESCRIPTION  Specifies the common proposal parameters for IKE
                   and IPsec security association negotiation.
      DERIVED FROM Policy ([PCIM])
      ABSTRACT     TRUE
      PROPERTIES   Name

7.1.1. The Property Name

The property Name specifies a user-friendly name for the SAProposal. The property is defined as follows:

      NAME         Name
      DESCRIPTION  Specifies a user-friendly name for this proposal.
      SYNTAX       string

7.2. The Class IKEProposal

The class IKEProposal specifies the proposal parameters necessary to drive an IKE security association negotiation. The class definition for IKEProposal is as follows:

      NAME         IKEProposal
      DESCRIPTION  Specifies the proposal parameters for IKE security
                   association negotiation.
      DERIVED FROM SAProposal
      ABSTRACT     FALSE
      PROPERTIES   CipherAlgorithm
                   HashAlgorithm
                   PRFAlgorithm
                   GroupId
                   AuthenticationMethod
                   MaxLifetimeSeconds
                   MaxLifetimeKilobytes
                   VendorID

7.2.1. The Property CipherAlgorithm

The property CipherAlgorithm specifies the proposed phase 1 security association encryption algorithm. The property is defined as follows:

      NAME         CipherAlgorithm
      DESCRIPTION  Specifies the proposed encryption algorithm for the
                   phase 1 security association.
      SYNTAX       unsigned 16-bit integer
      VALUE        Consult [IKE] for valid values.

7.2.2. The Property HashAlgorithm

The property HashAlgorithm specifies the proposed phase 1 security association hash algorithm. The property is defined as follows:

      NAME         HashAlgorithm
      DESCRIPTION  Specifies the proposed hash algorithm for the
                   phase 1 security association.
      SYNTAX       unsigned 16-bit integer
      VALUE        Consult [IKE] for valid values.

7.2.3. The Property PRFAlgorithm

The property PRFAlgorithm specifies the proposed phase 1 security association pseudo-random function. The property is defined as follows:

      NAME         PRFAlgorithm
      DESCRIPTION  Specifies the proposed pseudo-random function for
                   the phase 1 security association.
      SYNTAX       unsigned 16-bit integer
      VALUE        Currently none are defined in [IKE]; if [IKE, DOI]
                   are extended, the values defined there are to be
                   used for PRFAlgorithm.

7.2.4. The Property GroupId

The property GroupId specifies the proposed phase 1 security association key exchange group. This property is ignored for all aggressive mode exchanges. If the GroupId value is from the vendor-specific range (32768-65535), the property VendorID qualifies the group number. The property is defined as follows:

      NAME         GroupId
      DESCRIPTION  Specifies the proposed key exchange group for the
                   phase 1 security association.
      SYNTAX       unsigned 16-bit integer
      VALUE        Consult [IKE] for valid values.

   Note: The value of this property is to be ignored in aggressive mode.

7.2.5. The Property AuthenticationMethod

The property AuthenticationMethod specifies the proposed phase 1 authentication method. The property is defined as follows:

      NAME         AuthenticationMethod
      DESCRIPTION  Specifies the proposed authentication method for
                   the phase 1 security association.
      SYNTAX       unsigned 16-bit integer
      VALUE        0 - a special value that indicates that this
                   particular proposal should be repeated once for
                   each authentication method that corresponds to the
                   credentials installed on the machine.  For example,
                   if the system has a pre-shared key and a
                   certificate, a proposal list could be constructed
                   that includes a proposal that specifies a
                   pre-shared key and proposals for any of the
                   public-key authentication methods.

                   Consult [IKE] for valid values.

7.2.6. The Property MaxLifetimeSeconds

The property MaxLifetimeSeconds specifies the proposed maximum time, in seconds, that a security association will remain valid after its creation. The property is defined as follows:

      NAME         MaxLifetimeSeconds
      DESCRIPTION  Specifies the proposed maximum time that a security
                   association will remain valid.
      SYNTAX       unsigned 64-bit integer
      VALUE        A value of zero indicates that the default of 8
                   hours be used.  A non-zero value indicates the
                   maximum seconds lifetime.

   Note: While IKE can negotiate the lifetime as an arbitrary length
   field, the authors have assumed that a 64-bit integer will be
   sufficient.

7.2.7. The Property MaxLifetimeKilobytes

The property MaxLifetimeKilobytes specifies the proposed maximum kilobyte lifetime that a security association will remain valid after its creation. The property is defined as follows:

      NAME         MaxLifetimeKilobytes
      DESCRIPTION  Specifies the proposed maximum kilobyte lifetime
                   that a security association will remain valid.
      SYNTAX       unsigned 64-bit integer
      VALUE        A value of zero indicates that there should be no
                   maximum kilobyte lifetime.  A non-zero value
                   specifies the desired kilobyte lifetime.

   Note: While IKE can negotiate the lifetime as an arbitrary length
   field, the authors have assumed that a 64-bit integer will be
   sufficient.

7.2.8. The Property VendorID

The property VendorID further qualifies the key exchange group. It is used only when the exchange is not in aggressive mode and the property GroupId is in the vendor-specific range; in all other cases it is ignored. The property is defined as follows:

      NAME         VendorID
      DESCRIPTION  Specifies the Vendor ID to further qualify the key
                   exchange group.
      SYNTAX       string
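
The rules of section 7.2 (AuthenticationMethod 0 expanding into one proposal per installed credential, MaxLifetimeSeconds 0 meaning 8 hours, and VendorID qualifying only a vendor-specific GroupId outside aggressive mode) are easier to see applied to a concrete proposal. The following is an added example written for this page, not code from RFC 3585 or from any IPsec implementation; the credential kinds, the credential-to-method mapping and the sample proposal are constructed assumptions, while the numeric attribute values are the ones [IKE] (RFC 2409, Appendix A) defines.

```python
"""IKEProposal expansion for an initiator, following RFC 3585 section 7.2.

Added example; not part of RFC 3585 or any implementation.  The credential
kinds and the credential-to-method mapping are assumptions constructed for
the demonstration."""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Optional

# Authentication Method attribute values as listed in [IKE] (RFC 2409,
# Appendix A); 0 is the RFC 3585 "repeat per installed credential" marker.
PRE_SHARED_KEY = 1
DSS_SIGNATURES = 2
RSA_SIGNATURES = 3
RSA_ENCRYPTION = 4
RSA_ENCRYPTION_REVISED = 5

# Assumed (hypothetical) mapping: which authentication methods each kind
# of credential installed on the machine can support.
CREDENTIAL_METHODS: Dict[str, List[int]] = {
    "psk": [PRE_SHARED_KEY],
    "dsa-cert": [DSS_SIGNATURES],
    "rsa-cert": [RSA_SIGNATURES, RSA_ENCRYPTION, RSA_ENCRYPTION_REVISED],
}

DEFAULT_LIFETIME_SECONDS = 8 * 60 * 60       # MaxLifetimeSeconds == 0 -> 8 hours
VENDOR_SPECIFIC_GROUPS = range(32768, 65536)  # GroupId range qualified by VendorID


@dataclass(frozen=True)
class IKEProposal:
    Name: str
    CipherAlgorithm: int        # [IKE] value, e.g. 5 = 3DES-CBC
    HashAlgorithm: int          # [IKE] value, e.g. 2 = SHA
    PRFAlgorithm: int
    GroupId: int
    AuthenticationMethod: int   # 0 = one proposal per installed credential
    MaxLifetimeSeconds: int     # 0 = default of 8 hours
    MaxLifetimeKilobytes: int   # 0 = no kilobyte limit
    VendorID: str = ""


def effective_lifetime_seconds(p: IKEProposal) -> int:
    """Zero means 'use the default of 8 hours'."""
    return p.MaxLifetimeSeconds or DEFAULT_LIFETIME_SECONDS


def effective_vendor_id(p: IKEProposal, aggressive_mode: bool) -> Optional[str]:
    """VendorID qualifies GroupId only when the exchange is not aggressive
    mode and GroupId is vendor-specific; otherwise it is ignored (GroupId
    itself is ignored in aggressive mode, so VendorID is too)."""
    if aggressive_mode or p.GroupId not in VENDOR_SPECIFIC_GROUPS:
        return None
    return p.VendorID or None


def expand_authentication(p: IKEProposal, installed: Iterable[str]) -> List[IKEProposal]:
    """AuthenticationMethod 0: repeat the proposal once for each method the
    credentials installed on the machine can support."""
    if p.AuthenticationMethod != 0:
        return [p]
    expanded: List[IKEProposal] = []
    for cred in sorted(set(installed)):
        for method in CREDENTIAL_METHODS.get(cred, []):
            expanded.append(replace(p, Name=f"{p.Name}/auth{method}",
                                    AuthenticationMethod=method))
    return expanded


def build_proposal_list(proposals: Iterable[IKEProposal],
                        installed: Iterable[str]) -> List[IKEProposal]:
    """Concrete, ordered proposal list to send; expansion keeps the original
    order, so the preference among proposals is preserved."""
    installed = set(installed)
    out: List[IKEProposal] = []
    for p in proposals:
        out.extend(expand_authentication(p, installed))
    return out


# Constructed sample: one wildcard proposal on a machine that holds a
# pre-shared key and an RSA certificate.
SAMPLE = IKEProposal("main", CipherAlgorithm=5, HashAlgorithm=2, PRFAlgorithm=0,
                     GroupId=40000, AuthenticationMethod=0,
                     MaxLifetimeSeconds=0, MaxLifetimeKilobytes=0,
                     VendorID="ExampleVendor")

if __name__ == "__main__":
    for q in build_proposal_list([SAMPLE], {"psk", "rsa-cert"}):
        print(q.Name, "auth", q.AuthenticationMethod,
              "lifetime", effective_lifetime_seconds(q),
              "vendor", effective_vendor_id(q, aggressive_mode=False))
```

Running it prints four proposals (authentication methods 1, 3, 4 and 5) that differ only in AuthenticationMethod, each carrying the 28800-second default lifetime and the VendorID qualification, which disappears as soon as the same proposal is evaluated for an aggressive mode exchange.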

7.3. The Class IPsecProposal

The class IPsecProposal adds no new properties, but inherits proposal properties from SAProposal, as well as aggregating the security association transforms necessary for building an IPsec proposal (see the aggregation class ContainedTransform). The class definition for IPsecProposal is as follows:

      NAME         IPsecProposal
      DESCRIPTION  Specifies the proposal parameters for IPsec
                   security association negotiation.
      DERIVED FROM SAProposal
      ABSTRACT     FALSE

7.4. The Abstract Class SATransform

The abstract class SATransform serves as the base class for the IPsec transforms that can be used to compose an IPsec proposal or to be used as a pre-configured action. The class definition for SATransform is as follows:

      NAME         SATransform
      DESCRIPTION  Base class for the different IPsec transforms.
      ABSTRACT     TRUE
      PROPERTIES   CommonName (from Policy)
                   VendorID
                   MaxLifetimeSeconds
                   MaxLifetimeKilobytes

7.4.1. The Property CommonName

The property CommonName is inherited from Policy [PCIM] and specifies a user-friendly name for the SATransform. The property is defined as follows:

      NAME         CommonName
      DESCRIPTION  Specifies a user-friendly name for this
                   Policy-related object.
      SYNTAX       string

7.4.2. The Property VendorID

The property VendorID specifies the vendor ID for vendor-defined transforms. The property is defined as follows:

      NAME         VendorID
      DESCRIPTION  Specifies the vendor ID for vendor-defined
                   transforms.
      SYNTAX       string
      VALUE        An empty VendorID string indicates that the
                   transform is a standard one.

7.4.3. The Property MaxLifetimeSeconds

The property MaxLifetimeSeconds specifies the proposed maximum time, in seconds, that a security association will remain valid after its creation. The property is defined as follows:

      NAME         MaxLifetimeSeconds
      DESCRIPTION  Specifies the proposed maximum time that a security
                   association will remain valid.
      SYNTAX       unsigned 64-bit integer
      VALUE        A value of zero indicates that the default of 8
                   hours be used.  A non-zero value indicates the
                   maximum seconds lifetime.

   Note: While IKE can negotiate the lifetime as an arbitrary length
   field, the authors have assumed that a 64-bit integer will be
   sufficient.

7.4.4. The Property MaxLifetimeKilobytes

The property MaxLifetimeKilobytes specifies the proposed maximum kilobyte lifetime that a security association will remain valid after its creation. The property is defined as follows:
      NAME         MaxLifetimeKilobytes
      DESCRIPTION  Specifies the proposed maximum kilobyte lifetime
                   that a security association will remain valid.
      SYNTAX       unsigned 64-bit integer
      VALUE        A value of zero indicates that there should be no
                   maximum kilobyte lifetime.  A non-zero value
                   specifies the desired kilobyte lifetime.

   Note: While IKE can negotiate the lifetime as an arbitrary length
   field, the authors have assumed that a 64-bit integer will be
   sufficient.

7.5. The Class AHTransform

The class AHTransform specifies the AH algorithm to propose during IPsec security association negotiation. The class definition for AHTransform is as follows:

      NAME         AHTransform
      DESCRIPTION  Specifies the proposed AH algorithm.
      ABSTRACT     FALSE
      PROPERTIES   AHTransformId
                   UseReplayPrevention
                   ReplayPreventionWindowSize

7.5.1. The Property AHTransformId

The property AHTransformId specifies the transform ID of the AH algorithm. The property is defined as follows:

      NAME         AHTransformId
      DESCRIPTION  Specifies the transform ID of the AH algorithm.
      SYNTAX       unsigned 16-bit integer
      VALUE        Consult [DOI] for valid values.

7.5.2. The Property UseReplayPrevention

The property UseReplayPrevention specifies whether replay prevention detection is to be used. The property is defined as follows:

      NAME         UseReplayPrevention
      DESCRIPTION  Specifies whether to enable replay prevention
                   detection.
      SYNTAX       boolean
      VALUE        true - replay prevention detection is enabled.
                   false - replay prevention detection is disabled.

7.5.3. The Property ReplayPreventionWindowSize

The property ReplayPreventionWindowSize specifies, in bits, the length of the sliding window used by the replay prevention detection mechanism. The value of this property is meaningless if UseReplayPrevention is false. It is assumed that the window size will be a power of 2. The property is defined as follows:

      NAME         ReplayPreventionWindowSize
      DESCRIPTION  Specifies the length of the window used by the
                   replay prevention detection mechanism.
      SYNTAX       unsigned 32-bit integer

7.6. The Class ESPTransform

The class ESPTransform specifies the ESP algorithms to propose during IPsec security association negotiation. The class definition for ESPTransform is as follows:

      NAME         ESPTransform
      DESCRIPTION  Specifies the proposed ESP algorithms.
      ABSTRACT     FALSE
      PROPERTIES   IntegrityTransformId
                   CipherTransformId
                   CipherKeyLength
                   CipherKeyRounds
                   UseReplayPrevention
                   ReplayPreventionWindowSize

7.6.1. The Property IntegrityTransformId

The property IntegrityTransformId specifies the transform ID of the ESP integrity algorithm. The property is defined as follows:

      NAME         IntegrityTransformId
      DESCRIPTION  Specifies the transform ID of the ESP integrity
                   algorithm.
      SYNTAX       unsigned 16-bit integer
      VALUE        Consult [DOI] for valid values.

7.6.2. The Property CipherTransformId

The property CipherTransformId specifies the transform ID of the ESP encryption algorithm. The property is defined as follows:

      NAME         CipherTransformId
      DESCRIPTION  Specifies the transform ID of the ESP encryption
                   algorithm.
      SYNTAX       unsigned 16-bit integer
      VALUE        Consult [DOI] for valid values.

7.6.3. The Property CipherKeyLength

The property CipherKeyLength specifies, in bits, the key length for the ESP encryption algorithm. For encryption algorithms that use fixed-length keys, this value is ignored. The property is defined as follows:

      NAME         CipherKeyLength
      DESCRIPTION  Specifies the ESP encryption key length in bits.
      SYNTAX       unsigned 16-bit integer

7.6.4. The Property CipherKeyRounds

The property CipherKeyRounds specifies the number of key rounds for the ESP encryption algorithm. For encryption algorithms that use a fixed number of key rounds, this value is ignored. The property is defined as follows:

      NAME         CipherKeyRounds
      DESCRIPTION  Specifies the number of key rounds for the ESP
                   encryption algorithm.
      SYNTAX       unsigned 16-bit integer
      VALUE        Currently, key rounds are not defined for any ESP
                   encryption algorithms.

7.6.5. The Property UseReplayPrevention

The property UseReplayPrevention specifies whether replay prevention detection is to be used. The property is defined as follows:

      NAME         UseReplayPrevention
      DESCRIPTION  Specifies whether to enable replay prevention
                   detection.
      SYNTAX       boolean
      VALUE        true - replay prevention detection is enabled.
                   false - replay prevention detection is disabled.

7.6.6. The Property ReplayPreventionWindowSize

The property ReplayPreventionWindowSize specifies, in bits, the length of the sliding window used by the replay prevention detection mechanism. The value of this property is meaningless if UseReplayPrevention is false. It is assumed that the window size will be a power of 2. The property is defined as follows:

      NAME         ReplayPreventionWindowSize
      DESCRIPTION  Specifies the length of the window used by the
                   replay prevention detection mechanism.
      SYNTAX       unsigned 32-bit integer
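
UseReplayPrevention and ReplayPreventionWindowSize (sections 7.5.2, 7.5.3, 7.6.5 and 7.6.6) only parameterize the replay check; what the window actually does to a stream of AH or ESP sequence numbers is easier to judge from a small model of it. The following is an added example written for this page, not code from RFC 3585 or from any IPsec stack: it implements the usual bitmap form of the sliding window, enforces the power-of-2 assumption the text states, builds no window when UseReplayPrevention is false, and runs a constructed packet trace through it.

```python
"""Anti-replay sliding window driven by the AH/ESP transform properties
UseReplayPrevention and ReplayPreventionWindowSize (RFC 3585 sections
7.5.2-7.5.3 and 7.6.5-7.6.6).

Added example, not code from RFC 3585.  The bitmap scheme is the classic
IPsec sliding-window check; the packet trace below is constructed."""
from typing import List, Optional


def is_valid_window_size(size: int) -> bool:
    """The model assumes ReplayPreventionWindowSize is a power of 2."""
    return size > 0 and size & (size - 1) == 0


class ReplayWindow:
    """Tracks received sequence numbers in a window of `size` bits whose
    right edge is the highest sequence number accepted so far."""

    def __init__(self, size: int) -> None:
        if not is_valid_window_size(size):
            raise ValueError("ReplayPreventionWindowSize must be a power of 2")
        self.size = size
        self.last_seq = 0     # right edge of the window; 0 = nothing seen yet
        self.bitmap = 0       # bit i set => (last_seq - i) already received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window;
        False for sequence number 0, a replay, or a packet that is older
        than the window.  State changes only when a packet is accepted."""
        if seq <= 0:
            return False
        if seq > self.last_seq:
            # Advance the window; a jump of >= size clears it entirely.
            shift = seq - self.last_seq
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1
            self.last_seq = seq
            return True
        offset = self.last_seq - seq
        if offset >= self.size:
            return False              # too old: left of the window
        if (self.bitmap >> offset) & 1:
            return False              # already received: replay
        self.bitmap |= 1 << offset    # late but new: accept and mark
        return True


def window_for_transform(use_replay_prevention: bool,
                         window_size: int) -> Optional[ReplayWindow]:
    """ReplayPreventionWindowSize is meaningless when UseReplayPrevention
    is false, so no window is built in that case."""
    return ReplayWindow(window_size) if use_replay_prevention else None


def filter_trace(window: Optional[ReplayWindow], seqs: List[int]) -> List[bool]:
    """Accept/reject decision for each sequence number, in arrival order."""
    if window is None:
        return [seq > 0 for seq in seqs]   # no replay detection at all
    return [window.check_and_update(seq) for seq in seqs]


# Constructed trace: three in-order packets, a replay of the second, a jump
# far past the window, a packet that has fallen out of the window, a late
# but still valid packet, and a replay of that late packet.
SAMPLE_TRACE = [1, 2, 3, 2, 100, 36, 37, 37]

if __name__ == "__main__":
    w = window_for_transform(True, 64)
    for seq, ok in zip(SAMPLE_TRACE, filter_trace(w, SAMPLE_TRACE)):
        print(seq, "accept" if ok else "reject")
```

With a 64-bit window the trace accepts 1, 2, 3, rejects the replayed 2, accepts 100, rejects 36 (100 - 36 = 64 falls just outside the window), accepts 37 and rejects its replay; with UseReplayPrevention false every non-zero sequence number passes, which is the exposure the property exists to close.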

7.7. The Class IPCOMPTransform

The class IPCOMPTransform specifies the IP compression (IPCOMP) algorithm to propose during IPsec security association negotiation. The class definition for IPCOMPTransform is as follows:

      NAME         IPCOMPTransform
      DESCRIPTION  Specifies the proposed IPCOMP algorithm.
      ABSTRACT     FALSE
      PROPERTIES   Algorithm
                   DictionarySize
                   PrivateAlgorithm

7.7.1. The Property Algorithm

The property Algorithm specifies the transform ID of the IPCOMP compression algorithm. The property is defined as follows:

      NAME         Algorithm
      DESCRIPTION  Specifies the transform ID of the IPCOMP
                   compression algorithm.
      SYNTAX       unsigned 16-bit integer
      VALUE        1 - OUI: a vendor specific algorithm is used and
                   specified in the property PrivateAlgorithm.

                   Consult [DOI] for other valid values.

7.7.2. The Property DictionarySize

The property DictionarySize specifies the log2 maximum size of the dictionary for the compression algorithm. For compression algorithms that have pre-defined dictionary sizes, this value is ignored. The property is defined as follows:
      NAME         DictionarySize
      DESCRIPTION  Specifies the log2 maximum size of the dictionary.
      SYNTAX       unsigned 16-bit integer

7.7.3. The Property PrivateAlgorithm

The property PrivateAlgorithm specifies a private vendor-specific compression algorithm. This value is only used when the property Algorithm is 1 (OUI). The property is defined as follows:

      NAME         PrivateAlgorithm
      DESCRIPTION  Specifies a private vendor-specific compression
                   algorithm.
      SYNTAX       unsigned 32-bit integer

7.8. The Association Class SAProposalInSystem

The class SAProposalInSystem weakly associates SAProposals with a System. The class definition for SAProposalInSystem is as follows:

      NAME         SAProposalInSystem
      DESCRIPTION  Weakly associates SAProposals with a System.
      DERIVED FROM PolicyInSystem (see [PCIM])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent[ref System[1..1]]
                   Dependent[ref SAProposal[0..n] [weak]]

7.8.1. The Reference Antecedent

The property Antecedent is inherited from the PolicyInSystem and is overridden to refer to a System instance. The [1..1] cardinality indicates that an SAProposal instance MUST be associated with one and only one System instance.

7.8.2. The Reference Dependent

The property Dependent is inherited from PolicyInSystem and is overridden to refer to an SAProposal instance. The [0..n] cardinality indicates that a System instance may be associated with zero or more SAProposal instances.

7.9. The Aggregation Class ContainedTransform

The class ContainedTransform associates an IPsecProposal with the set of SATransforms that make up the proposal. If multiple transforms of the same type are in a proposal, then they are to be logically ORed and the order of preference is dictated by the SequenceNumber property. Sets of transforms of different types are logically ANDed.
   For example, if the ordered proposal list were

      ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
      AH  = { MD5, SHA-1 }

   then the one sending the proposal would want the other side to pick
   one from the ESP transform (preferably (HMAC-MD5, 3DES)) list AND one
   from the AH transform list (preferably MD5).

   The class definition for ContainedTransform is as follows:

      NAME         ContainedTransform
      DESCRIPTION  Associates an IPsecProposal with the set of
                   SATransforms that make up the proposal.
      DERIVED FROM PolicyComponent (see [PCIM])
      ABSTRACT     FALSE
      PROPERTIES   GroupComponent[ref IPsecProposal[0..n]]
                   PartComponent[ref SATransform[1..n]]
                   SequenceNumber

7.9.1. The Reference GroupComponent

The property GroupComponent is inherited from PolicyComponent and is overridden to refer to an IPsecProposal instance. The [0..n] cardinality indicates that an SATransform instance may be associated with zero or more IPsecProposal instances.

7.9.2. The Reference PartComponent

The property PartComponent is inherited from PolicyComponent and is overridden to refer to an SATransform instance. The [1..n] cardinality indicates that an IPsecProposal instance MUST be associated with at least one SATransform instance.

7.9.3. The Property SequenceNumber

The property SequenceNumber specifies the order of preference for the SATransforms of the same type. The property is defined as follows:

      NAME         SequenceNumber
      DESCRIPTION  Specifies the preference order for the SATransforms
                   of the same type.
      SYNTAX       unsigned 16-bit integer
      VALUE        Lower-valued transforms are preferred over
                   transforms of the same type with higher values.
                   For ContainedTransforms that reference the same
                   IPsecProposal, SequenceNumber values must be
                   unique.
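
The OR-within-a-type, AND-across-types rule of section 7.9, together with the SequenceNumber ordering and uniqueness requirement of 7.9.3, determines both what an initiator offers and which responder selections it may accept. The following is an added example written for this page, not code from RFC 3585 or from any implementation: it rebuilds the ESP/AH proposal used as the example in section 7.9 out of ContainedTransform instances, enforces the [1..n] and unique-SequenceNumber constraints, enumerates the acceptable combinations in preference order, and checks a responder's choice against them. The transform identifiers are the [DOI] (RFC 2407) values; the class shapes are reduced to the properties the check needs.

```python
"""Evaluating the transform sets of an IPsecProposal built through
ContainedTransform (RFC 3585 section 7.9): transforms of one type are
logically ORed in SequenceNumber order, sets of different types are ANDed.

Added example, not code from RFC 3585.  Transform IDs are [DOI] (RFC 2407)
values; the proposal is the ESP/AH example from section 7.9."""
from collections import defaultdict
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Optional, Sequence, Tuple

# [DOI] identifiers: ESP transforms, ESP authentication algorithm, AH transforms.
ESP_DES, ESP_3DES = 2, 3
HMAC_MD5, HMAC_SHA = 1, 2
AH_MD5, AH_SHA = 2, 3


@dataclass(frozen=True)
class SATransform:
    CommonName: str = field(compare=False)   # a label, not part of identity


@dataclass(frozen=True)
class ESPTransform(SATransform):
    IntegrityTransformId: int
    CipherTransformId: int


@dataclass(frozen=True)
class AHTransform(SATransform):
    AHTransformId: int


@dataclass(frozen=True)
class ContainedTransform:
    GroupComponent: str          # name of the IPsecProposal
    PartComponent: SATransform
    SequenceNumber: int          # lower = preferred among the same type


def validate_links(proposal: str, links: Sequence[ContainedTransform]) -> Optional[str]:
    """Constraint check for one proposal: [1..n] transforms and unique
    SequenceNumber values.  Returns an error message, or None if valid."""
    mine = [l for l in links if l.GroupComponent == proposal]
    if not mine:
        return "IPsecProposal must contain at least one SATransform ([1..n])"
    seqs = [l.SequenceNumber for l in mine]
    if len(seqs) != len(set(seqs)):
        return "SequenceNumber values must be unique within one IPsecProposal"
    return None


def transform_sets(proposal: str,
                   links: Sequence[ContainedTransform]) -> Dict[str, List[SATransform]]:
    """Group the proposal's transforms by type, each list in preference order."""
    problem = validate_links(proposal, links)
    if problem:
        raise ValueError(problem)
    mine = [l for l in links if l.GroupComponent == proposal]
    by_type: Dict[str, List[SATransform]] = defaultdict(list)
    for link in sorted(mine, key=lambda l: l.SequenceNumber):
        by_type[type(link.PartComponent).__name__].append(link.PartComponent)
    return dict(by_type)


def acceptable_choices(sets: Dict[str, List[SATransform]]) -> List[Tuple[SATransform, ...]]:
    """Every combination of one transform per type, most preferred first."""
    return list(product(*sets.values()))


def is_acceptable_choice(sets: Dict[str, List[SATransform]],
                         choice: Sequence[SATransform]) -> bool:
    """A responder's selection is valid only if it takes exactly one transform
    from every type in the proposal (AND) and each one was proposed (OR)."""
    chosen = {type(t).__name__: t for t in choice}
    if len(chosen) != len(choice) or set(chosen) != set(sets):
        return False
    return all(t in sets[kind] for kind, t in chosen.items())


# Constructed from the section 7.9 example:
#   ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }   AH = { MD5, SHA-1 }
LINKS = [
    ContainedTransform("p1", ESPTransform("esp-md5-3des", HMAC_MD5, ESP_3DES), 1),
    ContainedTransform("p1", ESPTransform("esp-md5-des", HMAC_MD5, ESP_DES), 2),
    ContainedTransform("p1", AHTransform("ah-md5", AH_MD5), 3),
    ContainedTransform("p1", AHTransform("ah-sha1", AH_SHA), 4),
]

if __name__ == "__main__":
    for combo in acceptable_choices(transform_sets("p1", LINKS)):
        print(" AND ".join(t.CommonName for t in combo))
```

The first combination printed is (HMAC-MD5, 3DES) with AH MD5, exactly the preference the text describes; a selection that omits the AH transform, or picks an ESP pairing that was never proposed, is rejected by `is_acceptable_choice`.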

7.10. The Association Class SATransformInSystem

The class SATransformInSystem weakly associates SATransforms with a System. The class definition for SATransformInSystem is as follows:

      NAME         SATransformInSystem
      DESCRIPTION  Weakly associates SATransforms with a System.
      DERIVED FROM PolicyInSystem (see [PCIM])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent[ref System[1..1]]
                   Dependent[ref SATransform[0..n] [weak]]

7.10.1. The Reference Antecedent

The property Antecedent is inherited from PolicyInSystem and is overridden to refer to a System instance. The [1..1] cardinality indicates that an SATransform instance MUST be associated with one and only one System instance.

7.10.2. The Reference Dependent

The property Dependent is inherited from PolicyInSystem and is overridden to refer to an SATransform instance. The [0..n] cardinality indicates that a System instance may be associated with zero or more SATransform instances.

8. IKE Service and Identity Classes

   [Figure: class diagram for the IKE service and identity classes. It shows System ([CIMCORE]), PeerIdentityEntry, PeerGateway, PeerIdentityTable, AutostartIKESetting, IKEService, IPProtocolEndpoint ([CIMNETWORK]), AutostartIKEConfiguration, IKEIdentity, Collection ([CIMCORE]), CredentialManagementService ([CIMUSER]) and Credential ([CIMUSER]), connected by the associations listed below.]

      (a)  HostedPeerIdentityTable
      (b)  PeerIdentityMember
      (c)  IKEServicePeerGateway
      (d)  IKEServicePeerIdentityTable
      (e)  IKEAutostartSetting
      (f)  AutostartIKESettingContext
      (g)  IKEServiceForEndpoint
      (h)  IKEAutostartConfiguration
      (i)  IKEUsesCredentialManagementService
      (j)  EndpointHasLocalIKEIdentity
      (k)  CollectionHasLocalIKEIdentity
      (l)  IKEIdentitysCredential

   This portion of the model contains additional information that is
   useful in applying the policy.  The IKEService class MAY be used to
   represent the IKE negotiation function in a system.  The IKEService
   uses the various tables that contain information about IKE peers as
   well as the configuration for specifying security associations that
   are started automatically.  The information in the PeerGateway,
   PeerIdentityTable and related classes is necessary to completely
   specify the policies.

   An interface (represented by an IPProtocolEndpoint) has an IKEService
   that provides the negotiation services for that interface.  That
   service MAY also have a list of security associations automatically
   started at the time the IKE service is initialized.

   The IKEService also has a set of identities that it may use in
   negotiations with its peers.  Those identities are associated with
   the interfaces (or collections of interfaces).

8.1. The Class IKEService

The class IKEService represents the IKE negotiation function. An instance of this service may provide that negotiation service for one or more interfaces (represented by the IPProtocolEndpoint class) of a System. There may be multiple instances of IKE services on a System but only one per interface. The class definition for IKEService is as follows:

      NAME         IKEService
      DESCRIPTION  IKEService is used to represent the IKE negotiation
                   function.
      DERIVED FROM Service (see [CIMCORE])
      ABSTRACT     FALSE

8.2. The Class PeerIdentityTable

The class PeerIdentityTable aggregates the table entries that provide mappings between identities and their addresses. The class definition for PeerIdentityTable is as follows:

      NAME         PeerIdentityTable
      DESCRIPTION  PeerIdentityTable aggregates PeerIdentityEntry
                   instances to provide a table of identity-address
                   mappings.
      DERIVED FROM Collection (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Name

8.2.1. The Property Name

The property Name uniquely identifies the table. The property is defined as follows:

      NAME         Name
      DESCRIPTION  Name uniquely identifies the table.
      SYNTAX       string

8.3. The Class PeerIdentityEntry

The class PeerIdentityEntry specifies the mapping between a peer's identity and its IP address. The class definition for PeerIdentityEntry is as follows:

      NAME         PeerIdentityEntry
      DESCRIPTION  PeerIdentityEntry provides a mapping between a
                   peer's identity and address.
      DERIVED FROM LogicalElement (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   PeerIdentity
                   PeerIdentityType
                   PeerAddress
                   PeerAddressType

The pre-shared key to be used with this peer (if applicable) is contained in an instance of the class SharedSecret (see [CIMUSER]). The pre-shared key is stored in the property Secret; the property Protocol contains "IKE"; the property Algorithm contains the algorithm used to protect the secret (which can be "PLAINTEXT" if the IPsec entity has no secret storage); and the value of the property RemoteID must match the PeerIdentity property of the PeerIdentityEntry instance describing the IKE peer.

8.3.1. The Property PeerIdentity

The property PeerIdentity contains a string encoding of the Identity payload for the IKE peer. The property is defined as follows:

      NAME         PeerIdentity
      DESCRIPTION  The PeerIdentity is the ID payload of a peer.
      SYNTAX       string

8.3.2. The Property PeerIdentityType

The property PeerIdentityType is an enumeration that specifies the type of the PeerIdentity. The property is defined as follows:

      NAME         PeerIdentityType
      DESCRIPTION  PeerIdentityType is the type of the ID payload of a
                   peer.
      SYNTAX       unsigned 16-bit integer
      VALUE        The enumeration values are specified in [DOI]
                   section 4.6.2.1.

8.3.3. The Property PeerAddress

The property PeerAddress specifies the string representation of the IP address of the peer formatted according to the appropriate convention as defined in the PeerAddressType property (e.g., dotted decimal notation). The property is defined as follows:

      NAME         PeerAddress
      DESCRIPTION  PeerAddress is the address of the peer with the ID
                   payload.
      SYNTAX       string
      VALUE        String representation of an IPv4 or IPv6 address.

8.3.4. The Property PeerAddressType

The property PeerAddressType specifies the format of the PeerAddress property value. The property is defined as follows:

      NAME         PeerAddressType
      DESCRIPTION  PeerAddressType is the type of address in
                   PeerAddress.
      SYNTAX       unsigned 16-bit integer
      VALUE        0 - Unknown
                   1 - IPv4
                   2 - IPv6
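
A PeerIdentityTable is consulted at negotiation time to decide whether the identity a peer presents is the one configured for its address, so the comparison has to be done on canonical addresses and must check the identity type as well as the value. The following is an added example written for this page, not code from RFC 3585 or from any implementation: it models PeerIdentityEntry and PeerIdentityTable with the properties from section 8.3, validates PeerAddress against PeerAddressType, canonicalizes addresses before matching (so the two spellings of one IPv6 address are not treated as different peers), and returns a match only when address, identity type and identity value all agree. The table contents use documentation addresses and names constructed for the example, and a plain list stands in for the PeerIdentityMember aggregation.

```python
"""Peer lookup against a PeerIdentityTable of PeerIdentityEntry instances
(RFC 3585 section 8.3).

Added example, not code from RFC 3585.  Table contents are constructed;
the entry list stands in for the PeerIdentityMember aggregation."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# PeerAddressType values (section 8.3.4)
ADDR_UNKNOWN, ADDR_IPV4, ADDR_IPV6 = 0, 1, 2
# Identification type values from [DOI] section 4.6.2.1 used below
ID_IPV4_ADDR, ID_FQDN = 1, 2


@dataclass(frozen=True)
class PeerIdentityEntry:
    PeerIdentity: str
    PeerIdentityType: int
    PeerAddress: str
    PeerAddressType: int


def canonical_address(address: str, address_type: int) -> str:
    """Parse PeerAddress as the family PeerAddressType declares and return the
    canonical text form, so '2001:db8::1' and '2001:0DB8:0:0:0:0:0:1' compare
    equal and an IPv6 string in an entry typed IPv4 is rejected."""
    expected = {ADDR_IPV4: 4, ADDR_IPV6: 6}.get(address_type)
    if expected is None:
        raise ValueError("PeerAddressType must be 1 (IPv4) or 2 (IPv6)")
    ip = ipaddress.ip_address(address)
    if ip.version != expected:
        raise ValueError(f"{address!r} is not an IPv{expected} address")
    return str(ip)


@dataclass
class PeerIdentityTable:
    Name: str
    entries: List[PeerIdentityEntry] = field(default_factory=list)

    def add(self, entry: PeerIdentityEntry) -> None:
        canonical_address(entry.PeerAddress, entry.PeerAddressType)  # validate
        self.entries.append(entry)

    def lookup(self, address: str) -> Optional[PeerIdentityEntry]:
        """Entry whose PeerAddress equals `address` after canonicalization."""
        try:
            wanted = str(ipaddress.ip_address(address))
        except ValueError:
            return None
        for e in self.entries:
            if canonical_address(e.PeerAddress, e.PeerAddressType) == wanted:
                return e
        return None

    def identity_matches(self, address: str, presented_id: str,
                         presented_type: int) -> bool:
        """True only when a peer at `address` presents exactly the identity
        (type and value) the table configures for that address; unknown
        addresses and any mismatch are rejected."""
        e = self.lookup(address)
        return (e is not None and e.PeerIdentityType == presented_type
                and e.PeerIdentity == presented_id)


def sample_table() -> PeerIdentityTable:
    """Constructed table: two gateways on RFC 5737 / RFC 3849 documentation addresses."""
    t = PeerIdentityTable("peers")
    t.add(PeerIdentityEntry("gw1.example.net", ID_FQDN, "192.0.2.10", ADDR_IPV4))
    t.add(PeerIdentityEntry("gw2.example.net", ID_FQDN, "2001:db8::1", ADDR_IPV6))
    return t


if __name__ == "__main__":
    table = sample_table()
    for addr, ident, kind in [("192.0.2.10", "gw1.example.net", ID_FQDN),
                              ("2001:0DB8:0:0:0:0:0:1", "gw2.example.net", ID_FQDN),
                              ("192.0.2.10", "gw2.example.net", ID_FQDN),
                              ("198.51.100.1", "gw1.example.net", ID_FQDN)]:
        print(addr, ident, "ok" if table.identity_matches(addr, ident, kind) else "reject")
```

The third and fourth checks fail deliberately: the first presents a configured identity from the wrong address, the second comes from an address with no entry at all, and both are the cases the table exists to catch.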

8.4. The Class AutostartIKEConfiguration

The class AutostartIKEConfiguration groups AutostartIKESetting instances into configuration sets. When applied, the settings cause an IKE service to automatically start (negotiate or statically set as appropriate) the Security Associations. The class definition for AutostartIKEConfiguration is as follows:
      NAME         AutostartIKEConfiguration
      DESCRIPTION  A configuration set of AutostartIKESetting instances
                   to be automatically started by the IKE service.
      DERIVED FROM SystemConfiguration (see [CIMCORE])
      ABSTRACT     FALSE

8.5. The Class AutostartIKESetting

The class AutostartIKESetting is used to automatically initiate IKE negotiations with peers (or statically create an SA) as specified in the AutostartIKESetting properties. Appropriate actions are initiated according to the policy that matches the setting parameters. The class definition for AutostartIKESetting is as follows:

      NAME         AutostartIKESetting
      DESCRIPTION  AutostartIKESetting is used to automatically
                   initiate IKE negotiations with peers or statically
                   create an SA.
      DERIVED FROM SystemSetting (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Phase1Only
                   AddressType
                   SourceAddress
                   SourcePort
                   DestinationAddress
                   DestinationPort
                   Protocol

8.5.1. The Property Phase1Only

The property Phase1Only is used to limit the IKE negotiation to a phase 1 SA establishment only. When set to False, both phase 1 and phase 2 SAs are negotiated. The property is defined as follows:

      NAME         Phase1Only
      DESCRIPTION  Used to indicate whether a phase 1 only or both
                   phase 1 and phase 2 security associations should
                   attempt establishment.
      SYNTAX       boolean
      VALUE        true - attempt to establish a phase 1 security
                   association
                   false - attempt to establish phase 1 and phase 2
                   security associations

8.5.2. The Property AddressType

The property AddressType specifies the type of the addresses in the SourceAddress and DestinationAddress properties. The property is defined as follows:

      NAME         AddressType
      DESCRIPTION  AddressType is the type of address in the
                   SourceAddress and DestinationAddress properties.
      SYNTAX       unsigned 16-bit integer
      VALUE        0 - Unknown
                   1 - IPv4
                   2 - IPv6

8.5.3. The Property SourceAddress

The property SourceAddress specifies the dotted-decimal or colon-decimal formatted IP address used as the source address in comparing with policy filter entries and used in any phase 2 negotiations. The property is defined as follows:

      NAME         SourceAddress
      DESCRIPTION  The source address to compare with the filters to
                   determine the appropriate policy rule.
      SYNTAX       string
      VALUE        dotted-decimal or colon-decimal formatted IP address

8.5.4. The Property SourcePort

The property SourcePort specifies the port number used as the source port in comparing policy filter entries and is used in any phase 2 negotiations. The property is defined as follows:

      NAME         SourcePort
      DESCRIPTION  The source port to compare with the filters to
                   determine the appropriate policy rule.
      SYNTAX       unsigned 16-bit integer

8.5.5. The Property DestinationAddress

The property DestinationAddress specifies the dotted-decimal or colon-decimal formatted IP address used as the destination address in comparing policy filter entries and is used in any phase 2 negotiations. The property is defined as follows:

      NAME         DestinationAddress
      DESCRIPTION  The destination address to compare with the filters
                   to determine the appropriate policy rule.
      SYNTAX       string
      VALUE        dotted-decimal or colon-decimal formatted IP address

8.5.6. The Property DestinationPort

The property DestinationPort specifies the port number used as the destination port in comparing policy filter entries and is used in any phase 2 negotiations. The property is defined as follows:

      NAME         DestinationPort
      DESCRIPTION  The destination port to compare with the filters to
                   determine the appropriate policy rule.
      SYNTAX       unsigned 16-bit integer

8.5.7. The Property Protocol

The property Protocol specifies the protocol number used in comparing with policy filter entries and is used in any phase 2 negotiations. The property is defined as follows:

      NAME         Protocol
      DESCRIPTION  The protocol number used in comparing policy filter
                   entries.
      SYNTAX       unsigned 8-bit integer

8.6. The Class IKEIdentity

The class IKEIdentity is used to represent the identities that may be used for an IPProtocolEndpoint (or collection of IPProtocolEndpoints) to identify the IKE Service in IKE phase 1 negotiations. The policy IKEAction.UseIKEIdentityType specifies which type of the available identities to use in a negotiation exchange and the IKERule.IdentityContexts specifies the match values to be used, along with the local address, in selecting the appropriate identity for a negotiation. The ElementID property value (defined in the parent class, UsersAccess) should be that of either the IPProtocolEndpoint or Collection of endpoints as appropriate. The class definition for IKEIdentity is as follows:

      NAME         IKEIdentity
      DESCRIPTION  IKEIdentity is used to represent the identities
                   that may be used for an IPProtocolEndpoint (or
                   collection of IPProtocolEndpoints) to identify the
                   IKE Service in IKE phase 1 negotiations.
      DERIVED FROM UsersAccess (see [CIMUSER])
      ABSTRACT     FALSE
      PROPERTIES   IdentityType
                   IdentityValue
                   IdentityContexts

8.6.1. The Property IdentityType

The property IdentityType is an enumeration that specifies the type of the IdentityValue. The property is defined as follows:

      NAME         IdentityType
      DESCRIPTION  IdentityType is the type of the IdentityValue.
      SYNTAX       unsigned 16-bit integer
      VALUE        The enumeration values are specified in [DOI]
                   section 4.6.2.1.

8.6.2. The Property IdentityValue

The property IdentityValue contains a string encoding of the Identity payload. For IKEIdentity instances that are address types (i.e., IPv4 or IPv6 addresses), the IdentityValue string value MAY be omitted; then the associated IPProtocolEndpoint (or appropriate member of the Collection of endpoints) is used as the identity value. The property is defined as follows:

      NAME         IdentityValue
      DESCRIPTION  IdentityValue contains a string encoding of the
                   Identity payload.
      SYNTAX       string

8.6.3. The Property IdentityContexts

The IdentityContexts property is used to constrain the use of IKEIdentity instances to match that specified in the IKERule.IdentityContexts. The IdentityContexts are formatted as policy roles and role combinations [PCIM] & [PCIME]. Each value represents one context or context combination. Since this is a multi-valued property, more than one context or combination of contexts can be associated with a single IKEIdentity. Each value is a string of the form: <ContextName>[&&<ContextName>]* where the individual context names appear in alphabetical order (according to the collating sequence for UCS-2). If one or more values in the IKERule.IdentityContexts array match one or more IKEIdentity.IdentityContexts, then the identity's context matches. (That is, each value of the IdentityContext array is an ORed condition.) In combination with the address of the IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be exactly one IKEIdentity. The property is defined as follows:

      NAME         IdentityContexts
      DESCRIPTION  The IKE service of a security endpoint may have
                   multiple identities for use in different situations.
                   The combination of the interface (represented by
                   the IPProtocolEndpoint), the identity type (as
                   specified in the IKEAction) and the IdentityContexts
                   selects a unique identity.
      SYNTAX       string array
      VALUE        string of the form <ContextName>[&&<ContextName>]*
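The selection rule of sections 8.6.1 to 8.6.3 (canonical context strings, ORed context matching, omitted IdentityValue for address types, and the "exactly one IKEIdentity" requirement) as an added, runnable example; this is not text or code from RFC 3585 or any implementation of it. Assumptions: the classes are modelled as plain Python objects named after the RFC classes, the IdentityType numbers are the IPsec DOI identification types of RFC 2407 section 4.6.2.1 (ID_IPV4_ADDR = 1, ID_FQDN = 2, ID_IPV6_ADDR = 5), and the UCS-2 collating sequence is approximated by Python code-point order, which coincides for BMP characters. The sample identities and endpoint are constructed for the example.

```python
"""IKEIdentity selection per RFC 3585 section 8.6 (added example, not RFC text).
Assumed: IdentityType values from RFC 2407 section 4.6.2.1; UCS-2 collating
order approximated by Python code-point order (identical for BMP characters)."""
from dataclasses import dataclass
from typing import Optional

ID_IPV4_ADDR = 1   # RFC 2407 section 4.6.2.1 identification types (subset)
ID_FQDN = 2
ID_IPV6_ADDR = 5
ADDRESS_TYPES = {ID_IPV4_ADDR, ID_IPV6_ADDR}


class IdentitySelectionError(Exception):
    """The (endpoint, type, contexts) triple did not select exactly one
    IKEIdentity, i.e. the SHOULD of section 8.6.3 is not met."""


@dataclass(frozen=True)
class IPProtocolEndpoint:
    element_id: str   # compared with IKEIdentity.ElementID (UsersAccess)
    address: str


@dataclass(frozen=True)
class IKEIdentity:
    element_id: str                       # endpoint or collection it belongs to
    identity_type: int                    # IdentityType
    identity_contexts: tuple              # IdentityContexts (string array)
    identity_value: Optional[str] = None  # IdentityValue, MAY be omitted for address types

    def effective_value(self, endpoint: IPProtocolEndpoint) -> str:
        """Section 8.6.2: an omitted value is only legal for address types,
        in which case the endpoint address is the identity."""
        if self.identity_value is not None:
            return self.identity_value
        if self.identity_type not in ADDRESS_TYPES:
            raise IdentitySelectionError("IdentityValue omitted on non-address type")
        return endpoint.address


def canonical_context(value: str) -> str:
    """Normalise <ContextName>[&&<ContextName>]* so names are in collating
    order; 'Partner&&Extranet' and 'Extranet&&Partner' then compare equal."""
    names = [n.strip() for n in value.split("&&") if n.strip()]
    if not names:
        raise ValueError("empty context combination")
    return "&&".join(sorted(names))


def contexts_match(rule_contexts, identity_contexts) -> bool:
    """ORed condition of 8.6.3: any rule value equal to any identity value."""
    rule = {canonical_context(c) for c in rule_contexts}
    ident = {canonical_context(c) for c in identity_contexts}
    return not rule.isdisjoint(ident)


def select_ike_identity(endpoint, use_identity_type, rule_contexts, identities):
    """Unique IKEIdentity for endpoint + IKEAction.UseIKEIdentityType +
    IKERule.IdentityContexts. Zero or several candidates are reported as a
    configuration defect instead of silently picking one."""
    matches = [i for i in identities
               if i.element_id == endpoint.element_id
               and i.identity_type == use_identity_type
               and contexts_match(rule_contexts, i.identity_contexts)]
    if len(matches) != 1:
        raise IdentitySelectionError(f"expected one IKEIdentity, found {len(matches)}")
    return matches[0]


# Constructed sample data (not from the RFC).
ETH0 = IPProtocolEndpoint("eth0", "192.0.2.1")
IDENTITIES = (
    IKEIdentity("eth0", ID_IPV4_ADDR, ("Internal",)),            # value omitted
    IKEIdentity("eth0", ID_FQDN, ("Extranet&&Partner",), "vpn.example.com"),
    IKEIdentity("eth0", ID_FQDN, ("Internal",), "gw.example.com"),
    IKEIdentity("eth1", ID_FQDN, ("Internal",), "gw2.example.com"),
)


def demo_fqdn_for_partner() -> str:
    ident = select_ike_identity(ETH0, ID_FQDN, ["Partner&&Extranet"], IDENTITIES)
    return ident.effective_value(ETH0)


def demo_address_identity() -> str:
    ident = select_ike_identity(ETH0, ID_IPV4_ADDR, ["Internal"], IDENTITIES)
    return ident.effective_value(ETH0)


def demo_ambiguous_rule() -> bool:
    """A rule whose contexts match two FQDN identities on eth0 is rejected."""
    try:
        select_ike_identity(ETH0, ID_FQDN, ["Internal", "Extranet&&Partner"], IDENTITIES)
    except IdentitySelectionError:
        return True
    return False


if __name__ == "__main__":
    print(demo_fqdn_for_partner(), demo_address_identity(), demo_ambiguous_rule())
```

The ambiguous case is the one worth checking in a real policy store: two IKEIdentity instances that share an endpoint, a type and a context leave the IKE service to choose arbitrarily, which is exactly what the SHOULD in 8.6.3 is there to prevent.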

8.7. The Association Class HostedPeerIdentityTable

The class HostedPeerIdentityTable provides the name scoping relationship for PeerIdentityTable entries in a System. The PeerIdentityTable is weak to the System. The class definition for HostedPeerIdentityTable is as follows:

      NAME         HostedPeerIdentityTable
      DESCRIPTION  The PeerIdentityTable instances are weak (name
                   scoped by) the owning System.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref System[1..1]]
                   Dependent [ref PeerIdentityTable[0..n] [weak]]

8.7.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to a System instance. The [1..1] cardinality indicates that a PeerIdentityTable instance MUST be associated in a weak relationship with one and only one System instance.

8.7.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to a PeerIdentityTable instance. The [0..n] cardinality indicates that a System instance may be associated with zero or more PeerIdentityTable instances.

8.8. The Aggregation Class PeerIdentityMember

The class PeerIdentityMember aggregates PeerIdentityEntry instances into a PeerIdentityTable. This is a weak aggregation. The class definition for PeerIdentityMember is as follows:

      NAME         PeerIdentityMember
      DESCRIPTION  PeerIdentityMember aggregates PeerIdentityEntry
                   instances into a PeerIdentityTable.
      DERIVED FROM MemberOfCollection (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Collection [ref PeerIdentityTable[1..1]]
                   Member [ref PeerIdentityEntry [0..n] [weak]]

8.8.1. The Reference Collection

The property Collection is inherited from MemberOfCollection and is overridden to refer to a PeerIdentityTable instance. The [1..1] cardinality indicates that a PeerIdentityEntry instance MUST be associated with one and only one PeerIdentityTable instance (i.e., PeerIdentityEntry instances are not shared across PeerIdentityTables).

8.8.2. The Reference Member

The property Member is inherited from MemberOfCollection and is overridden to refer to a PeerIdentityEntry instance. The [0..n] cardinality indicates that a PeerIdentityTable instance may be associated with zero or more PeerIdentityEntry instances.

8.9. The Association Class IKEServicePeerGateway

The class IKEServicePeerGateway provides the association between an IKEService and the list of PeerGateway instances that it uses in negotiating with security gateways. The class definition for IKEServicePeerGateway is as follows:

      NAME         IKEServicePeerGateway
      DESCRIPTION  Associates an IKEService and the list of PeerGateway
                   instances that it uses in negotiating with security
                   gateways.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref PeerGateway[0..n]]
                   Dependent [ref IKEService[0..n]]

8.9.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to a PeerGateway instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more PeerGateway instances.

8.9.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that a PeerGateway instance may be associated with zero or more IKEService instances.

8.10. The Association Class IKEServicePeerIdentityTable

The class IKEServicePeerIdentityTable provides the relationship between an IKEService and a PeerIdentityTable that it uses to map between addresses and identities as required. The class definition for IKEServicePeerIdentityTable is as follows:

      NAME         IKEServicePeerIdentityTable
      DESCRIPTION  IKEServicePeerIdentityTable provides the
                   relationship between an IKEService and a
                   PeerIdentityTable that it uses.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref PeerIdentityTable[0..n]]
                   Dependent [ref IKEService[0..n]]

8.10.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to a PeerIdentityTable instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more PeerIdentityTable instances.

8.10.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that a PeerIdentityTable instance may be associated with zero or more IKEService instances.

8.11. The Association Class IKEAutostartSetting

The class IKEAutostartSetting associates an AutostartIKESetting with an IKEService that may use it to automatically start an IKE negotiation or create a static SA. The class definition for IKEAutostartSetting is as follows:

      NAME         IKEAutostartSetting
      DESCRIPTION  Associates an AutostartIKESetting with an IKEService.
      DERIVED FROM ElementSetting (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Element [ref IKEService[0..n]]
                   Setting [ref AutostartIKESetting[0..n]]

8.11.1. The Reference Element

The property Element is inherited from ElementSetting and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates an AutostartIKESetting instance may be associated with zero or more IKEService instances.

8.11.2. The Reference Setting

The property Setting is inherited from ElementSetting and is overridden to refer to an AutostartIKESetting instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more AutostartIKESetting instances.

8.12. The Aggregation Class AutostartIKESettingContext

The class AutostartIKESettingContext aggregates the settings used to automatically start negotiations or create a static SA into a configuration set. The class definition for AutostartIKESettingContext is as follows:

      NAME         AutostartIKESettingContext
      DESCRIPTION  AutostartIKESettingContext aggregates the
                   AutostartIKESetting instances into a configuration
                   set.
      DERIVED FROM SystemSettingContext (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Context [ref AutostartIKEConfiguration [0..n]]
                   Setting [ref AutostartIKESetting [0..n]]
                   SequenceNumber

8.12.1. The Reference Context

The property Context is inherited from SystemSettingContext and is overridden to refer to an AutostartIKEConfiguration instance. The [0..n] cardinality indicates that an AutostartIKESetting instance may be associated with zero or more AutostartIKEConfiguration instances (i.e., a setting may be in multiple configuration sets).

8.12.2. The Reference Setting

The property Setting is inherited from SystemSettingContext and is overridden to refer to an AutostartIKESetting instance. The [0..n] cardinality indicates that an AutostartIKEConfiguration instance may be associated with zero or more AutostartIKESetting instances.

8.12.3. The Property SequenceNumber

The property SequenceNumber specifies the ordering to be used when starting negotiations or creating a static SA. A zero value indicates that order is not significant and settings may be applied in parallel with other settings. All other settings in the configuration are executed in sequence from lower to higher values. Sequence numbers need not be unique in an AutostartIKEConfiguration and order is not significant for settings with the same sequence number. The property is defined as follows:

      NAME         SequenceNumber
      DESCRIPTION  The sequence in which the settings are applied
                   within a configuration set.
      SYNTAX       unsigned 16-bit integer
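The ordering rules of 8.12.3, together with the point from 8.12.1 that SequenceNumber lives on the aggregation (so one AutostartIKESetting can sit in several configuration sets with a different position in each), as an added example that is not part of RFC 3585 or of any implementation. Assumptions: configurations and settings are referred to by name, and the aggregation rows below are constructed sample data.

```python
"""Execution plan for one AutostartIKEConfiguration (added example, not RFC text).
Assumed: configurations and settings are identified by name; rules are those of
RFC 3585 section 8.12.3 applied to AutostartIKESettingContext aggregations."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AutostartIKESettingContext:
    context: str          # ref AutostartIKEConfiguration
    setting: str          # ref AutostartIKESetting
    sequence_number: int  # SequenceNumber, unsigned 16-bit integer


def execution_plan(aggregations, configuration):
    """Return (parallel, sequential) for the named configuration set.
    parallel   - settings with SequenceNumber 0; order not significant.
    sequential - [(SequenceNumber, [settings]), ...] in ascending order; settings
                 that share a number form one batch with no ordering inside it."""
    members = [a for a in aggregations if a.context == configuration]
    for a in members:
        if not 0 <= a.sequence_number <= 0xFFFF:
            raise ValueError(f"SequenceNumber {a.sequence_number} is not unsigned 16-bit")
    parallel = sorted(a.setting for a in members if a.sequence_number == 0)
    batches = {}
    for a in members:
        if a.sequence_number != 0:
            batches.setdefault(a.sequence_number, set()).add(a.setting)
    sequential = [(seq, sorted(batches[seq])) for seq in sorted(batches)]
    return parallel, sequential


# Constructed sample: "tunnel-hq" is aggregated into two configuration sets and
# carries a different SequenceNumber in each, which the model permits.
AGGREGATIONS = (
    AutostartIKESettingContext("boot", "static-mgmt", 0),
    AutostartIKESettingContext("boot", "tunnel-hq", 10),
    AutostartIKESettingContext("boot", "tunnel-branch", 10),
    AutostartIKESettingContext("boot", "tunnel-dns", 20),
    AutostartIKESettingContext("dr-site", "tunnel-hq", 5),
)


if __name__ == "__main__":
    print(execution_plan(AGGREGATIONS, "boot"))
    print(execution_plan(AGGREGATIONS, "dr-site"))
```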

8.13. The Association Class IKEServiceForEndpoint

The class IKEServiceForEndpoint provides the association showing which IKE service, if any, provides IKE negotiation services for which network interfaces. The class definition for IKEServiceForEndpoint is as follows:

      NAME         IKEServiceForEndpoint
      DESCRIPTION  Associates an IPProtocolEndpoint with an IKEService
                   that provides negotiation services for the endpoint.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref IKEService[0..1]]
                   Dependent [ref IPProtocolEndpoint[0..n]]

8.13.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..1] cardinality indicates that an IPProtocolEndpoint instance MUST be associated with at most one IKEService instance.

8.13.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to an IPProtocolEndpoint that is associated with at most one IKEService. The [0..n] cardinality indicates an IKEService instance may be associated with zero or more IPProtocolEndpoint instances.

8.14. The Association Class IKEAutostartConfiguration

The class IKEAutostartConfiguration provides the relationship between an IKEService and a configuration set that it uses to automatically start a set of SAs. The class definition for IKEAutostartConfiguration is as follows:

      NAME         IKEAutostartConfiguration
      DESCRIPTION  IKEAutostartConfiguration provides the relationship
                   between an IKEService and an
                   AutostartIKEConfiguration that it uses to
                   automatically start a set of SAs.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref AutostartIKEConfiguration [0..n]]
                   Dependent [ref IKEService [0..n]]
                   Active

8.14.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to an AutostartIKEConfiguration instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more AutostartIKEConfiguration instances.

8.14.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that an AutostartIKEConfiguration instance may be associated with zero or more IKEService instances.

8.14.3. The Property Active

The property Active indicates whether the AutostartIKEConfiguration set is currently active for the associated IKEService. That is, at boot time, the active configuration is used to automatically start IKE negotiations and create static SAs. The property is defined as follows:

      NAME         Active
      DESCRIPTION  Active indicates whether the
                   AutostartIKEConfiguration set is currently active
                   for the associated IKEService.
      SYNTAX       boolean
      VALUE        true - AutostartIKEConfiguration is currently active
                   for associated IKEService.
                   false - AutostartIKEConfiguration is currently
                   inactive for associated IKEService.

8.15. The Association Class IKEUsesCredentialManagementService

The class IKEUsesCredentialManagementService defines the set of CredentialManagementService(s) that are trusted sources of credentials for IKE phase 1 negotiations. The class definition for IKEUsesCredentialManagementService is as follows:

      NAME         IKEUsesCredentialManagementService
      DESCRIPTION  Associates the set of CredentialManagementService(s)
                   that are trusted by the IKEService as sources of
                   credentials used in IKE phase 1 negotiations.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref CredentialManagementService [0..n]]
                   Dependent [ref IKEService [0..n]]

8.15.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to a CredentialManagementService instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more CredentialManagementService instances.

8.15.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that a CredentialManagementService instance may be associated with zero or more IKEService instances.

8.16. The Association Class EndpointHasLocalIKEIdentity

The class EndpointHasLocalIKEIdentity associates an IPProtocolEndpoint with a set of IKEIdentity instances that may be used in negotiating security associations on the endpoint. An IKEIdentity MUST be associated with either an IPProtocolEndpoint using this association or with a collection of IKEIdentity instances using the CollectionHasLocalIKEIdentity association. The class definition for EndpointHasLocalIKEIdentity is as follows:
      NAME         EndpointHasLocalIKEIdentity
      DESCRIPTION  EndpointHasLocalIKEIdentity associates an
                   IPProtocolEndpoint with a set of IKEIdentity
                   instances.
      DERIVED FROM ElementAsUser (see [CIMUSER])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref IPProtocolEndpoint [0..1]]
                   Dependent [ref IKEIdentity [0..n]]

8.16.1. The Reference Antecedent

The property Antecedent is inherited from ElementAsUser and is overridden to refer to an IPProtocolEndpoint instance. The [0..1] cardinality indicates that an IKEIdentity instance MUST be associated with at most one IPProtocolEndpoint instance.

8.16.2. The Reference Dependent

The property Dependent is inherited from ElementAsUser and is overridden to refer to an IKEIdentity instance. The [0..n] cardinality indicates that an IPProtocolEndpoint instance may be associated with zero or more IKEIdentity instances.

8.17. The Association Class CollectionHasLocalIKEIdentity

The class CollectionHasLocalIKEIdentity associates a Collection of IPProtocolEndpoint instances with a set of IKEIdentity instances that may be used in negotiating SAs for endpoints in the collection. An IKEIdentity MUST be associated with either an IPProtocolEndpoint using the EndpointHasLocalIKEIdentity association or with a collection of IKEIdentity instances using this association. The class definition for CollectionHasLocalIKEIdentity is as follows:

      NAME         CollectionHasLocalIKEIdentity
      DESCRIPTION  CollectionHasLocalIKEIdentity associates a
                   collection of IPProtocolEndpoint instances with a
                   set of IKEIdentity instances.
      DERIVED FROM ElementAsUser (see [CIMUSER])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref Collection [0..1]]
                   Dependent [ref IKEIdentity [0..n]]

8.17.1. The Reference Antecedent

The property Antecedent is inherited from ElementAsUser and is overridden to refer to a Collection instance. The [0..1] cardinality indicates that an IKEIdentity instance MUST be associated with at most one Collection instance.

8.17.2. The Reference Dependent

The property Dependent is inherited from ElementAsUser and is overridden to refer to an IKEIdentity instance. The [0..n] cardinality indicates that a Collection instance may be associated with zero or more IKEIdentity instances.

8.18. The Association Class IKEIdentitysCredential

The class IKEIdentitysCredential is an association that relates a set of credentials to their corresponding local IKE Identities. The class definition for IKEIdentitysCredential is as follows:

      NAME         IKEIdentitysCredential
      DESCRIPTION  IKEIdentitysCredential associates a set of
                   credentials to their corresponding local
                   IKEIdentity.
      DERIVED FROM UsersCredential (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref Credential [0..n]]
                   Dependent [ref IKEIdentity [0..n]]

8.18.1. The Reference Antecedent

The property Antecedent is inherited from UsersCredential and is overridden to refer to a Credential instance. The [0..n] cardinality indicates that the IKEIdentity instance may be associated with zero or more Credential instances.

8.18.2. The Reference Dependent

The property Dependent is inherited from UsersCredential and is overridden to refer to an IKEIdentity instance. The [0..n] cardinality indicates that a Credential instance may be associated with zero or more IKEIdentity instances.

