1 karl 1.1 // ===================================================================
2 // Title: Network MOF Specification 2.5
3 // Filename: CIM_IPsec25.mof
4 // Version: 2.5
5 // Release: 0
6 // Date: 01/11/2001
7 // Editors: Victor Lortz, Lee Rafalow, John Strassner
8 // Authors: DMTF Network Working Group
9 //
10 // NEW FOR THE 2.5 RELEASE:
11 //
// Description: These object classes define the IPsec policy model
// for CIM and include the classes needed to represent
// IKE proposals, IPsec conditions and actions, and
// security associations.
16 //
17 // The object classes below are listed in an order that
18 // avoids forward references. Required objects, defined
19 // by other working groups, are omitted.
20 //
21 // Currently, this MOF is in the file CIM_IPsec25.mof. This is because
22 karl 1.1 // AdminDomain needs to move to Core, and IPsec depends on Core,
23 // Network, System, and Policy. So we have a forward referencing
24 // problem that is solved by making this a separate file. This will be
25 // fixed in CR???, which does move AdminDomain into core.
26 //
27 // ===================================================================
28 // Generic Pragmas
29 // ===================================================================
30
// Locale for every qualifier string (Description, Values, ...) in this file.
#pragma Locale ("en_US")
32
33 // ==================================================================
34 // SACondition
35 // ==================================================================
// Condition anchor for IKE and IPsec rules. The class body is empty; all
// behaviour comes from the associations named in the Description
// (SAConditionInRule, FilterOfSACondition, AcceptCredentialsFrom), which
// are defined outside this class.
[Description (
"SACondition defines the conditions of rules for IKE or "
"IPsec negotiations. Conditions are associated with policy "
"rules via the SAConditionInRule aggregation. It is used as "
"an anchor point to associate various types of filters with "
"policy rules via the FilterOfSACondition association. It "
"also defines whether Credentials can be accepted for a "
"particular policy rule via the AcceptCredentialsFrom "
"association. ") ]

class CIM_SACondition : CIM_PolicyCondition
{
// No properties of its own; everything is inherited from CIM_PolicyCondition.
};
49
50 // ==================================================================
51 // CredentialFilterEntry
52 // ==================================================================
// Filter entry that compares one field of an IKE peer's credential with a
// fixed value. The meaning of MatchFieldName is delegated to the
// CredentialManagementService(s) reached through AcceptCredentialsFrom, so
// this class carries no field vocabulary of its own.
// NOTE(review): nothing here states whether the credential has already been
// validated (signature, chain, expiry) at the time it is matched; read a
// match as rule selection rather than as authentication unless the
// implementation documents otherwise.
[Description (
"A CredentialFilterEntry is used to define an equivalence "
"class that match credentials of IKE peers. Each "
"CredentialFilterEntry includes a MatchFieldName that is "
"interpreted according to the CredentialManagementService(s) "
"associated with the SACondition via the AcceptCredentialsFrom "
"association. These credentials can be X.509 certificates, "
"Kerberos tickets, or other types of credentials obtained "
"during the Phase 1 exchange. " ) ]

class CIM_CredentialFilterEntry : CIM_FilterEntryBase
{
// Sub-part of the credential to compare; which names are valid depends on
// the credential service that interprets them.
[Description (
"MatchFieldName specifies the sub-part of the credential to "
"match against MatchFieldValue."),
ModelCorrespondence {
"CIM_CredentialFilterEntry.MatchFieldValue" } ]
string MatchFieldName;

// Literal value compared against the field named by MatchFieldName.
// The comparison semantics (exact vs. pattern) are not specified here.
[Description (
"MatchFieldValue specifies the value to compare with the "
"MatchFieldName in a credential to determine if the credential "
"matches this filter entry."),
ModelCorrespondence {
"CIM_CredentialFilterEntry.MatchFieldName" } ]
string MatchFieldValue;

// Only two credential types are enumerated (1 = X.509 certificate,
// 2 = Kerberos ticket); the "other types" mentioned in the class
// Description have no value assigned.
[Description (
"CredentialType is an enumerated 16-bit unsigned integer that "
"is used to specify the particular type of credential that is "
"being matched. " ),
ValueMap { "1", "2" },
Values { "X.509 Certificate", "Kerberos Ticket" } ]
uint16 CredentialType;
};
88
89 // ==================================================================
90 // IPSOFilterEntry
91 // ==================================================================
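// Filter entry on the RFC 1108 IP Security Option (IPSO) header, used to
// pick a protection level from the classification of the traffic.
// Fix: the Description's "(e.g., ..." parenthesis was never closed.
// NOTE(review): "restricted" in the example list has no value in the
// ClassificationLevel table below (61, 90, 150, 171).
[Description (
"An IPSOFilterEntry is used to match traffic based on the "
"IP Security Options header values (ClassificationLevel "
"and ProtectionAuthority) as defined in RFC1108. This type "
"of FilterEntry is used to adjust the IPsec encryption level "
"according to the IPSO classification of the traffic (e.g., "
"secret, confidential, restricted, etc.)" ) ]

class CIM_IPSOFilterEntry : CIM_FilterEntryBase
{
// Selects which IPSO field MatchConditionValue refers to:
// 1 = ClassificationLevel, 2 = ProtectionAuthority.
[Description (
"MatchConditionType specifies whether to match based on "
"traffic classification level or protection authority."),
ValueMap { "1", "2"},
Values {"ClassificationLevel", "ProtectionAuthority" },
ModelCorrespondence {
"CIM_IPSOFilterEntry.MatchConditionValue" } ]
uint16 MatchConditionType;

// Raw field value; its interpretation depends on MatchConditionType.
// The numeric tables in the Description are the RFC 1108 encodings.
[Description (
"This is the value of the IPSO field type. For "
"ClassificationLevel, the values are:\n"
"61=TopSecret, 90=Secret, 150=Confidential, "
"171=Unclassified.\n"
"\n"
"For ProtectionAuthority, the values are:\n"
"0=GENSER, 1=SIOP-ESI, 2=SCI, 3=NSA, 4=DOE."),
ModelCorrespondence {
"CIM_IPSOFilterEntry.MatchConditionType" } ]
uint16 MatchConditionValue;
};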
123
124 // ==================================================================
125 // PeerIDPayloadFilterEntry
126 // ==================================================================
// Filter on the identity a peer asserts in its IKE ID payload.
// NOTE(review): the ID payload content is supplied by the peer; the
// Description does not say the identity is bound to an authenticated
// credential before matching, so this entry should be read as rule
// selection only — confirm with the implementation.
[Description (
"PeerIDPayloadFilterEntry defines filters used to match ID "
"payload values from the IKE protocol exchange." ) ]

class CIM_PeerIDPayloadFilterEntry : CIM_FilterEntryBase
{
// ID type enumeration; the 1..11 list is the same one used by
// CIM_IKEAction.UseIKEIdentityType in this file.
// NOTE(review): "indentity" in the Description is a typo for "identity";
// left as-is because the string is part of the schema.
[Description (
"MatchIdentityType specifies the type of indentity provided by "
"the peer in the ID payload." ),
ValueMap
{"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
"IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
"IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
ModelCorrespondence {
"CIM_PeerIDPayloadFilterEntry.MatchIdentityValue" } ]
uint16 MatchIdentityType;

// Filter value. The example "*@company.com" suggests wildcard matching,
// but no pattern syntax is defined here. For DER_ASN1_DN the Description
// requires a conversion between the DN string and DER before comparison.
// NOTE(review): "e,g," in the Description is a typo for "e.g.,".
[Description (
"MatchIdentityValue is the filter value for comparison with "
"the ID payload, e,g, \"*@company.com\". The syntax may need "
"to be converted for comparison. For example, if the type "
"of identity is a distinguished name, \"DER_ASN1_DN,\" the "
"MatchIdentityValue is represented by a DN string value "
"and this value must be converted into a DER-encoded string "
"before it can be matched against the values extracted from "
"IKE ID payloads at runtime (or vice-versa). " ),
ModelCorrespondence {
"CIM_PeerIDPayloadFilterEntry.MatchIdentityType" } ]
string MatchIdentityValue;
};
158
159
160 // ==================================================================
161 // IPsecPolicyGroup
162 // ==================================================================
// Container for the rules of one IPsec policy. It has no properties; the
// system/endpoint scoping (IPsecPolicyForSystem, IPsecPolicyForEndpoint),
// the phase 1 / phase 2 rule aggregations (RuleForIKENegotiation,
// RuleForIPsecNegotiation) and the nesting aggregation
// (IPsecPolicyGroupInPolicyGroup) are all associations defined elsewhere.
[Description (
"IPsecPolicyGroup aggregates the set of rules of an IPsec "
"policy. These rules are defined as being weak to a System "
"via the PolicyGroupInSystem association. IPsecPolicyGroup "
"is used to anchor four rule collections. The two "
"associations IPsecPolicyForSystem and IPsecPolicyForEndpoint "
"are used to define the System and IPProtocolEndpoints that "
"a particular IPsecPolicyGroup is associated with. Examples "
"of a System and an IPProtocolEndpoint are a router and a "
"router interface, respectively. \n\n"
"Two aggregations are also defined for this class. The "
"RuleForIKENegotiation contains the phase 1 IKE negotiations "
"that will be used, while the RuleForIPsecNegotiation "
"contains the rules for phase 2 IKE negotiations. \n\n"
"Finally, the IPsecPolicyGroupInPolicyGroup recursive "
"aggregation is used to define a nested group of IPsec "
"policy groups, with each IPsec policy group containing "
"one or more rules. This may be used to mirror the "
"administrative nature of how IPsec is applied to various "
"entities in the managed environment. " ) ]

class CIM_IPsecPolicyGroup: CIM_PolicyGroup
{
// No properties of its own; inherits from CIM_PolicyGroup.
};
187
188 // ==================================================================
189 // SARule
190 karl 1.1 // ==================================================================
// Common base for IKERule and IPsecRule; concrete but not meant to be
// instantiated directly. The Description requires each rule in an
// IPsecPolicyGroup to carry a unique priority (inherited from PolicyRule),
// which is what orders overlapping rules — e.g. where a bypass or discard
// rule sits relative to the negotiation rules.
[Description (
"SARule is a base class for defining IKE and IPsec Rules. "
"Although concrete, it is not intended to be instantiated. "
"It defines a common anchor point for defining associations "
"and aggregations to conditions, actions, and security "
"associations (SAs) for both types of rules. Each valid "
"IPsecPolicyGroup must contain SARule that each have a "
"unique priority number (inherited from PolicyRule). " ) ]

class CIM_SARule: CIM_PolicyRule
{
// Role gate checked before a new phase 1 or phase 2 negotiation starts:
// 1 = initiator only, 2 = responder only, 3 = either. Per the Description
// it has no effect on rekey/refresh of an already established SA.
// NOTE(review): the Values strings mix "Initiator-only" and
// "Responder-Only" capitalisation; left as-is, they are schema text.
[Description (
"LimitNegotiation is used as part of processing either an "
"IKE or an IPsec rule. Before proceeding with either a "
"phase 1 or a phase 2 negotiation, this property "
"is checked to determine if the negotiation role of the rule "
"matches that defined for the negotiation being undertaken "
"(e.g., Initiator, Responder, or Both). If this check fails, "
"then the IKE negotiation is stopped. Note that this only "
"applies to new IKE negotiations and has no effect on either "
"renegotiation or refresh operations with peers for which "
"an established SA already exists. " ),
ValueMap { "1", "2", "3" },
Values { "Initiator-only", "Responder-Only", "Either"} ]
uint16 LimitNegotiation;
};
217
218 // ==================================================================
219 // IKERule
220 // ==================================================================
// Phase 1 (IKE) rule. Conditions and actions are attached through the
// aggregations described on CIM_IPsecPolicyGroup, not through properties
// of this class.
[Description (
"IKERule contains the Conditions and Actions for IKE phase 1 "
"negotiations. The conditions and actions are contained in "
"one or more IPsecPolicyGroup classes. ") ]

class CIM_IKERule : CIM_SARule
{
// Selects the IKEIdentity to use on the protected endpoint, together with
// CIM_IKEAction.UseIKEIdentityType.
// NOTE(review): the Description first calls the array "an ANDed list" and
// then says multiple strings are ORed; presumably each string is itself an
// ANDed context expression and the array members are ORed — confirm
// against CIM_IKEIdentity.IdentityContexts, the ModelCorrespondence.
[Description (
"IdentityContexts is a string array that corresponds to an "
"ANDed list of values. If multiple strings exist, then they "
"are to be logically ORed with each other. This property is "
"used to establish a phase 1 IKE SA by using this property "
"in conjunction with the UseIKEIdentityType property in the "
"corresponding IKEAction. These two properties are then "
"used to find an appropriate IKEIdentity object for use on "
"the protected IPProtocolEndpoint." ),
ModelCorrespondence { "CIM_IKEIdentity.IdentityContexts" } ]
string IdentityContexts [];
};
240
241 // ==================================================================
242 // IPsecRule
243 // ==================================================================
// Phase 2 (IPsec) rule. Adds nothing to CIM_SARule; it exists so that
// phase 1 and phase 2 rules can be aggregated separately.
[Description (
"IPsecRule contains the Conditions and Actions for phase 2 "
"negotiations. The conditions and actions are contained in "
"one or more IPsecPolicyGroup classes. " ) ]

class CIM_IPsecRule : CIM_SARule
{
// No properties of its own; inherits LimitNegotiation from CIM_SARule.
};
252
253 karl 1.1 // ==================================================================
254 // SAAction
255 // ==================================================================
// Base for every IKE/IPsec action; concrete only so that subclasses share
// the two logging switches below.
[Description (
"SAAction is the base class for the various types of IKE or "
"IPsec actions and, although concrete, it is not intended to "
"be instantiated. It is used for aggregating different "
"types of actions to IKE and IPsec rules. " ) ]

class CIM_SAAction : CIM_PolicyAction
{
// One log entry each time the action itself is performed.
[Description (
"DoActionLogging causes a log message to be generated when the "
"action is performed. " ) ]
boolean DoActionLogging;

// One log entry per packet the action is applied to. This is far higher
// volume than DoActionLogging; where the entries go is not specified here.
[Description (
"DoPacketLogging causes a log message to be generated when the "
"action is applied to a packet. " ) ]
boolean DoPacketLogging;
};
274 karl 1.1
275
276 // ==================================================================
277 // SAStaticAction
278 // ==================================================================
// Base for actions that produce an SA (or a bypass/discard decision)
// without any negotiation. LifetimeSeconds is the only shared property.
[Description (
"SAStaticAction is the base class for both IKE as well as "
"IPsec actions that require no negotiation. Although this "
"class is concrete, it is not intended to be instantiated. " ) ]

class CIM_SAStaticAction : CIM_SAAction
{
// Lifetime of the SA produced by this action; 0 = never expires. The
// Description ties a non-zero value to the fallback-after-failed-
// negotiation case.
[Description (
"LifetimeSeconds specifies how long the SA derived from this "
"action should be used. A value of 0 means infinite "
"lifetime. A non-zero value is typically used when the "
"negotiation fails. " ),
Units ("Seconds") ]
uint32 LifetimeSeconds;
};
294
295 karl 1.1 // ==================================================================
296 // PreconfiguredSAAction
297 // ==================================================================
// Manually keyed SAs. The key material is not a property of this class;
// only the SPI is modelled, on the TransformOfPreconfiguredAction
// association. Because nothing is negotiated there is no rekey here:
// the SA ends when the inherited LifetimeSeconds or the LifetimeKilobytes
// limit below is reached.
[Description (
"Subclasses of PreconfiguredSAAction is used to create SAs "
"using preconfigured, hard-wired algorithms and keys. No "
"negotiation is necessary. Note that the SPI for a "
"preconfigured SA action is contained in the association, "
"TransformOfPreconfiguredAction. " ) ]

class CIM_PreconfiguredSAAction : CIM_SAStaticAction
{
// Free-form protocol name. Unlike the other enumerations in this file
// there is no ValueMap, so the accepted strings are implementation-defined.
[Description (
"ProtocolType defines the type of protocol being used by "
"this static action. " ) ]
string ProtocolType;

// Byte-count lifetime (in kilobytes) complementing LifetimeSeconds; the SA
// is deleted once it is consumed.
[Description (
"LifetimeKilobytes defines a traffic limit in kilobytes "
"that can be consumed before the SA is deleted. " ) ]
uint32 LifetimeKilobytes;
};
317
318 // ==================================================================
319 // PreconfiguredTransportAction
320 // ==================================================================
// Transport-mode variant of the manually keyed action; no extra properties.
[Description (
"PreconfiguredTransportAction is used to create Transport SAs "
"using preconfigured, hard-wired algorithms and keys. No "
"negotiation is necessary. Note that the SPI for a "
"preconfigured SA action is contained in the association, "
"TransformOfPreconfiguredAction. " ) ]

class CIM_PreconfiguredTransportAction : CIM_PreconfiguredSAAction
{
// Marker subclass; everything is inherited from CIM_PreconfiguredSAAction.
};
331
332 // ==================================================================
333 // PreconfiguredTunnelAction
334 // ==================================================================
// Tunnel-mode variant of the manually keyed action. Adds the address of
// the peer security gateway; both properties are NULL when the peer is
// not a gateway.
[Description (
"PreconfiguredTunnelAction is used to create Tunnel SAs using "
"preconfigured, hard-wired algorithms and keys. No "
"negotiation is necessary. Note that the SPI for a "
"preconfigured SA action is contained in the association, "
"TransformOfPreconfiguredAction. The PeerGateway address "
"information is provided when the tunnel peer is a security "
"gateway." ) ]

class CIM_PreconfiguredTunnelAction : CIM_PreconfiguredSAAction
{
// Address family of PeerGatewayAddress: 0 = Unknown, 1 = IPv4, 2 = IPv6.
// The Description requires IPv4-representable addresses to use the IPv4
// form so that mixed IPv4/IPv6 deployments compare consistently.
[Description (
"An enumeration that describes the format of the "
"PeerGatewayAddress property. Addresses that can be formatted "
"in IPv4 format, must be formatted that way to ensure mixed "
"IPv4/IPv6 support. When the tunnel peer is not a security "
"gateway, this property value is set to NULL."),
ValueMap { "0", "1", "2" },
Values { "Unknown", "IPv4", "IPv6" },
ModelCorrespondence {
"CIM_PreconfiguredTunnelAction.PeerGatewayAddress" } ]
uint16 PeerGatewayAddressType;

// Textual peer gateway address, formatted as PeerGatewayAddressType says.
[Description (
"The IP address of the tunnel peer security gateway "
"formatted according to the appropriate convention as "
"defined in the PeerGatewayAddressType property of this "
"class (e.g., 171.79.6.40). When the tunnel peer is not a "
"security gateway, this property value is set to NULL."),
ModelCorrespondence {
"CIM_PreconfiguredTunnelAction.PeerGatewayAddressType" } ]
string PeerGatewayAddress;
};
368
369 // ==================================================================
370 // IPsecBypassAction
371 // ==================================================================
// Permit in the clear. Because the matched traffic is forwarded without
// IPsec, the rule's priority (see CIM_SARule) relative to the negotiation
// and discard rules decides what actually goes unprotected.
[Description (
"IPsecBypassAction is used to cause access to be permitted "
"without invoking the use of IPsec. Packets are forwarded "
"in the clear. " ) ]

class CIM_IPsecBypassAction : CIM_SAStaticAction
{
// Marker subclass; inherits LifetimeSeconds and the logging switches.
};
380
381 // ==================================================================
382 // IPsecDiscardAction
383 // ==================================================================
// Deny: matched packets are dropped. DoPacketLogging on the base class is
// the only hook this model offers for observing what was discarded.
[Description (
"IPsecDiscardAction is used to cause access to be denied. "
"That is, packets are simply discarded. " ) ]

class CIM_IPsecDiscardAction : CIM_SAStaticAction
{
// Marker subclass; inherits LifetimeSeconds and the logging switches.
};
391
392 // ==================================================================
393 // IKERejectAction
394 // ==================================================================
// Phase 1 counterpart of IPsecDiscardAction: refuse to negotiate IKE with
// the peers selected by the rule's conditions.
[Description ("IKERejectAction is used to inhibit IKE "
"negotiations with peers.") ]

class CIM_IKERejectAction : CIM_SAStaticAction
{
// Marker subclass; inherits LifetimeSeconds and the logging switches.
};
401
402 // ==================================================================
403 // SANegotiationAction
404 // ==================================================================
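// Shared knobs for negotiated (IKE phase 1 and phase 2) SAs: lower bounds
// on what a peer may propose, refresh thresholds and an idle timer.
// Fix: the RefreshThresholdKilobytes Description lacked a space between
// "SA" and "kilobyte", which rendered as "SAkilobyte".
[Description (
"SANegotiationAction is the base class for negotiated SAs "
"and, although concrete, is not intended to be instantiated. "
"It specifies the common parameters that control the IKE "
"phase 1 and phase 2 key exchange negotiations. " ) ]

class CIM_SANegotiationAction : CIM_SAAction
{
// Lower bound on the lifetime accepted from a peer. Per the Description it
// exists so a peer cannot force continuous rekeying with tiny lifetimes.
[Description (
"MinLifetimeSeconds prevents certain denial of service "
"attacks based on very short SA lifetimes. "),
Units("Seconds")]
uint32 MinLifetimeSeconds;

// NOTE(review): despite the name and the absence of a Units qualifier,
// the Description defines this as a percentage of the lifetime (which is
// consistent with the uint8 range). The name is part of the schema and is
// therefore kept.
[Description (
"RefreshThresholdSeconds is the lifetime percentage at which "
"IKE should automatically attempt to acquire a new SA before "
"an existing SA expires. A random period may be added to a "
"calculated threshold to reduce network thrashing. " ) ]
uint8 RefreshThresholdSeconds;

// Idle timer; 0 (the default) disables it so only the lifetime applies.
[Description (
"IdleDurationSeconds is the time an SA can remain idle "
"before it is automatically deleted. The default (zero) "
"value indicates that there is no idle duration timer "
"and that the SA is deleted based upon the SA lifetime."),
Units("Seconds") ]
uint32 IdleDurationSeconds;

// Byte-count counterpart of MinLifetimeSeconds.
[Description (
"MinLifetimeKilobytes prevents certain denial of service "
"attacks based on very short SA lifetimes.")]
uint32 MinLifetimeKilobytes;

// Percentage of the kilobyte limit at which a refresh is started.
[Description (
"RefreshThresholdKilobytes is the percentage of the SA "
"kilobyte limit remaining before the SA is refreshed. "
"A random value may be added to a calculated threshold "
"to reduce network thrashing. " ) ]
uint8 RefreshThresholdKilobytes;
};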
446
447 // ==================================================================
448 // IKEAction
449 // ==================================================================
// Parameters for an IKE phase 1 negotiation. The proposal content itself
// (ciphers, hashes, auth method, Base/Main-mode group) is on
// CIM_IKEProposal; this class holds exchange mode, identity selection and
// the aggressive-mode group.
[Description (
"IKEAction specifies the parameters to use for an IKE "
"phase 1 negotiation. " ) ]

class CIM_IKEAction : CIM_SANegotiationAction
{
// Percentage of the derived-key budget at which phase 1 is renegotiated;
// 0 = no limit. Presumably the budget is CIM_IKEProposal.LifetimeDerivedKeys
// (defined later in this file) — confirm.
[Description (
"RefreshThresholdDerivedKeys is the percentage of the "
"derived key limit remaining before the IKE phase 1 "
"SA is renegotiated. The default value (zero) means there "
"is no limit. " ) ]
uint8 RefreshThresholdDerivedKeys;

// 1 = Base, 2 = Main, 4 = Aggressive. The ValueMap skips 3; the numbers
// appear to follow the ISAKMP exchange-type numbering, where 3 is
// "Authentication Only" — confirm before adding values. Aggressive mode
// exchanges identities before the channel is encrypted, so Main mode is the
// usual choice where identity protection matters.
[Description (
"The ExchangeMode designates the mode IKE should use for "
"its key negotiations. " ),
ValueMap {"1", "2", "4"},
Values {"Base", "Main", "Aggressive" } ]
uint16 ExchangeMode;

// Identity type sent by this side; same 1..11 list as
// CIM_PeerIDPayloadFilterEntry.MatchIdentityType. Paired with
// CIM_IKERule.IdentityContexts to pick the IKEIdentity instance.
[Description (
"UseIkeIdentityType is used in conjunction with the available "
"IKEIdentity instances for the IPProtocolEndpoint. "
"UseIKEIdentityType designates the type of IKE Identity to "
"use in sending an IKE message."),
ValueMap
{"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
"IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
"IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
ModelCorrespondence {
"CIM_IKEIdentity.IdentityType" } ]
uint16 UseIKEIdentityType;

// Qualifies AggressiveModeGroupID when it is in the vendor range.
[Description ("The VendorID property is used to identify "
"vendor-defined key exchange GroupIDs."),
ModelCorrespondence {"CIM_IKEAction.AggressiveModeGroupID"}]
string VendorID;

// Diffie-Hellman group for Aggressive mode only; for Base/Main mode the
// group is carried per proposal in CIM_IKEProposal.GroupId instead.
// 32768-65535 is vendor-specific and is interpreted with VendorID.
[Description (
"When IKEAction.ExchangeMode is set to \"Aggressive\", "
"this property specifies the key exchange groupID to use "
"in a proposal. If the GroupID number is from the vendor-"
"specific range (32768-65535), the VendorID qualifies the "
"group number. Well-known group identifiers from RFC2412 "
"are: 0='Not Applicable', 1='DH768', 2='DH1024', "
"3='ECC2N155', 4='ECC2N185', and 5='DH1536'"),
ModelCorrespondence {"CIM_IKEAction.VendorID"}]
uint16 AggressiveModeGroupID;
};
500
501 // ==================================================================
502 // IPsecAction
503 // ==================================================================
// Parameters for an IKE phase 2 (IPsec SA) negotiation: PFS handling and
// how narrow the proposed traffic selectors are. The transforms proposed
// are modelled on CIM_IPsecProposal / CIM_SATransform, not here.
[Description (
"IPsecAction specifies the parameters to use for an IKE "
"phase 2 negotiation. " ) ]

class CIM_IPsecAction : CIM_SANegotiationAction
{
// Require a fresh Diffie-Hellman exchange on every rekey.
[Description (
"UsePFS indicates whether perfect forward secrecy "
"is required when refreshing keys.")]
boolean UsePFS;

// Qualifies GroupId when it is in the vendor range.
[Description ("The VendorID property is used to identify "
"vendor-defined key exchange GroupIDs."),
ModelCorrespondence {"CIM_IPsecAction.GroupId"}]
string VendorID;

// PFS group. Consulted only when UsePFS is True and UseIKEGroup is False;
// otherwise ignored.
[Description (
"GroupId specifies the PFS group ID to use. This value is "
"only used if PFS is True and UseIKEGroup is False. "
"If the GroupID number is from the vendor-specific range "
"(32768-65535), the VendorID qualifies the group number. "
"Well-known group identifiers from RFC2412 are:\n"
" 0='Not Applicable', 1='DH768', 2='DH1024', "
"3='ECC2N155', 4='ECC2N185', and 5='DH1536'"),
ModelCorrespondence {"CIM_IPsecAction.VendorID"}]
uint16 GroupId;

// Reuse the phase 1 group for PFS instead of GroupId; ignored when
// UsePFS is False.
[Description (
"UseIKEGroup indicates that the phase 2 GroupId should be "
"the same as that used in the phase 1 protecting this phase 2 "
"exchange. IF PFS is False, UseIKEGroup is ignored. " ) ]
boolean UseIKEGroup;

// Selector width, from broadest (1 = Subnet) to narrowest (4 = Port),
// derived from the packet that triggered the rule. Broader selectors let
// one SA carry more traffic; narrower ones scope each SA more tightly.
[Description (
"Granularity controls whether proposed selectors for an "
"SA should be:\n"
" - the subnet mask (Subnet)\n"
" - the IP address (Address)\n"
" - the IP address & the IP protocol (Protocol)\n"
" - the IP address, the IP protocol & the layer 4 port (Port) "
"as derived from the traffic that triggered the FilterList "
"of the Condition(s) that matched the rule."),
ValueMap {"1", "2", "3", "4"},
Values {"Subnet", "Address", "Protocol", "Port"}]
uint16 Granularity;
};
550
551
552 // ==================================================================
553 // IPsecTransportAction
554 // ==================================================================
// Transport-mode negotiated action; the encapsulation mode is implied by
// the class, so no property is needed.
[Description (
"IPsecTransportAction is used to specify transport "
"encapsulation mode. " ) ]

class CIM_IPsecTransportAction : CIM_IPsecAction
{
// Marker subclass; everything is inherited from CIM_IPsecAction.
};
562
563
564 // ==================================================================
565 // IPsecTunnelAction
566 // ==================================================================
// Tunnel-mode negotiated action. Unlike CIM_PreconfiguredTunnelAction it
// carries no peer gateway address; only DF-bit handling is added.
[Description (
"IPsecTunnelAction is used to specify tunnel "
"encapsulation mode. " ) ]

class CIM_IPsecTunnelAction : CIM_IPsecAction
{
// Outer-header Don't Fragment bit: 1 = copy from inner, 2 = always set,
// 3 = always clear.
[Description (
"DFHandling controls how the Don't Fragment bit "
"is managed by the tunnel. " ),
ValueMap {"1", "2", "3"},
Values {"Copy", "Set", "Clear"}]
uint16 DFHandling;
};
580
581 // ==================================================================
582 // SATransform
583 // ==================================================================
// Abstract base for the AH / ESP / IPCOMP transforms that make up a phase 2
// proposal. Instances are weak to a PolicyRepository: the first two keys
// are propagated from it, and the four Key properties together identify
// a transform.
[Abstract, Description (
"SATransform is the base class for the various types of "
"transforms aggregated into phase 2 proposals. Note that "
"it is weak to its containing PolicyRepository which is "
"defined with the SATransformInPolicyRepository association." ) ]

class CIM_SATransform : CIM_Policy
{
// Key 1/4: propagated from the scoping PolicyRepository.
[Propagated ("CIM_PolicyRepository.CreationClassName"), Key,
MaxLen (256), Description (
"The scoping PolicyRepository's CreationClassName.") ]
string SystemCreationClassName;

// Key 2/4: propagated from the scoping PolicyRepository.
[Propagated ("CIM_PolicyRepository.Name"), Key, MaxLen (256),
Description (
"The scoping PolicyRepository's Name.") ]
string SystemName;

// Key 3/4: concrete class used to create the instance.
[Key, MaxLen (256), Description (
"CreationClassName indicates the name of the class or "
"the subclass used in the creation of an instance. When "
"used with the other key properties of this class, this "
"property allows all instances of this class and its "
"subclasses to be uniquely identified. " ) ]
string CreationClassName;

// Key 4/4: the inherited CommonName is overridden to become a Key here
// (CIM_SAProposal below uses a separate Name property instead).
[Override ("CommonName"), Key, MaxLen (256), Description (
"The Name property provides a user-friendly unique "
"name for this SATransform. " ) ]
string CommonName;

// Maximum lifetime this side proposes; the peer may accept less.
[Description (
"MaxLifetimeSeconds specifies the maximum time the "
"IKE message sender proposes for an SA to be considered "
"valid after it has been created."),
Units ("Seconds") ]
uint32 MaxLifetimeSeconds;

// Byte-count counterpart of MaxLifetimeSeconds; the Description notes it
// may be chosen per proposal according to cipher strength.
[Description (
"MaxLifetimeKilobytes specifies the maximum kilobyte "
"lifetime the IKE message sender proposes for an SA to "
"be considered valid after it has been created. Each "
"proposal may use a different lifetime based upon the "
"strength of the encryption algorithm. " ) ]
uint32 MaxLifetimeKilobytes;

// Identifies vendor-private transform IDs in the subclasses.
[Description (
"The VendorID property is used to identify "
"vendor-defined transforms.") ]
string VendorID;
};
635
636 // ==================================================================
637 // AHTransform
638 // ==================================================================
// AH (integrity-only) transform for a phase 2 proposal.
[Description (
"AHTransform defines the parameters used for phase 2 "
"negotiation of an AH SA. " ) ]

class CIM_AHTransform : CIM_SATransform
{
// 2 = MD5, 3 = SHA-1, 4 = DES. The ValueMap starts at 2 and appears to
// follow the IPsec DOI AH transform identifiers — confirm before extending.
// NOTE(review): these are the algorithms of the 2001 schema; MD5- and
// DES-based integrity are considered weak today, so consumers should not
// treat them as safe defaults.
[Description (
"AHTransformId is an enumeration that specifies the "
"hash algorithm to be used. " ),
ValueMap {"2", "3", "4"},
Values {"MD5", "SHA-1", "DES"} ]
uint16 AHTransformId;
};
652 karl 1.1
653 // ==================================================================
654 // ESPTransform
655 // ==================================================================
// ESP transform for a phase 2 proposal: integrity algorithm, cipher, and
// the cipher's key length / rounds where they are negotiable.
[Description (
"ESPTransform defines the parameters used for phase 2 "
"negotiation of an ESP SA. " ) ]

class CIM_ESPTransform : CIM_SATransform
{
// 0 = None, 1 = MD5, 2 = SHA-1, 3 = DES, 4 = KPDK.
// NOTE(review): value 0 proposes ESP without integrity protection, which
// leaves the ciphertext malleable; a policy author would normally avoid
// it unless integrity is provided elsewhere (e.g. an AH transform).
[Description (
"IntegrityTransformId is an enumeration that specifies "
"the ESP integrity algorithm for the proposal. " ),
ValueMap {"0", "1", "2", "3", "4"},
Values {"None", "MD5", "SHA-1", "DES", "KPDK"} ]
uint16 IntegrityTransformId;

// 1..11 as listed; 11 = NULL means no confidentiality (integrity-only ESP).
// Combining NULL with IntegrityTransformId 0 yields an SA that protects
// nothing.
[Description (
"CipherTransformId is an enumeration that specifies the "
"ESP encryption algorithm for the proposal. " ),
ValueMap
{"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
Values {"DES_IV64", "DES", "3DES", "RC5", "IDEA", "CAST",
"Blowfish", "3-IDEA", "DES_IV32", "RC4", "NULL" }]
uint16 CipherTransformId;

// Key length in bits; only meaningful for variable-key ciphers.
[Description (
"CipherKeyLength specifies, in bits, the key length for "
"the encryption algorithm. For algorithms with fixed "
"key lengths, this value is ignored.")]
uint16 CipherKeyLength;

// Reserved: the Description says no IPsec cipher defines key rounds.
[Description (
"CipherKeyRounds specifies the key rounds for the "
"encryption algorithm. Currently, key rounds are not "
"defined for any IPsec encryption algorithms. " ) ]
uint16 CipherKeyRounds;
};
690
691
692 // ==================================================================
693 // IPCOMPTransform
694 karl 1.1 // ==================================================================
// IP compression (IPCOMP) transform for a phase 2 proposal.
[Description (
"IPCOMPTransform specifies the compression algorithm "
"to use. " ) ]

class CIM_IPCOMPTransform : CIM_SATransform
{
// 1 = OUI (vendor-specific, see PrivateAlgorithm), 2 = DEFLATE, 3 = LZS,
// 4 = V42BIS.
[Description (
"The Algorithm is an enumeration that designates the "
"IPCOMP compression algorithm to use. OUI designates a "
"vendor-specific algorithm."),
ValueMap {"1", "2", "3", "4"},
Values {"OUI", "DEFLATE", "LZS", "V42BIS"}]
uint16 Algorithm;

// Optional log2 of the maximum dictionary size.
[Description (
"DictionarySize is an optional field that specifies the "
"log2 maximum size of the dictionary. " ) ]
uint16 DictionarySize;

// Vendor algorithm identifier.
// NOTE(review): the Description refers to "TransformId", but the selector
// in this class is named Algorithm; presumably that is what is meant.
[Description (
"Private compression algorithm, used when TransformId "
"is OUI. " ) ]
uint32 PrivateAlgorithm;
};
719
720 // ==================================================================
721 // SAProposal
722 // ==================================================================
// Abstract base for phase 1 (IKEProposal) and phase 2 (IPsecProposal)
// proposals. Keyed the same way as CIM_SATransform, except that the fourth
// key is a dedicated Name property rather than an overridden CommonName.
[Abstract, Description (
"SAProposal is a base class defining the common "
"properties of and anchoring common associations "
"for IKE phase 1 and phase 2 (IPsec) proposals.") ]

class CIM_SAProposal : CIM_Policy
{
// Key 1/4: propagated from the scoping PolicyRepository.
[Propagated ("CIM_PolicyRepository.CreationClassName"), Key,
MaxLen (256), Description (
"The scoping PolicyRepository's CreationClassName.") ]
string SystemCreationClassName;

// Key 2/4: propagated from the scoping PolicyRepository.
[Propagated ("CIM_PolicyRepository.Name"), Key,
MaxLen (256), Description (
"The scoping PolicyRepository's Name.") ]
string SystemName;

// Key 3/4: concrete class used to create the instance.
[Key, MaxLen (256), Description (
"CreationClassName indicates the name of the class "
"or the subclass used in the creation of an "
"instance. When used with the other key properties of "
"this class, this property allows all instances of this "
"class and its subclasses to be uniquely identified.") ]
string CreationClassName;

// Key 4/4: proposal name, unique within the repository.
[Key, MaxLen (256), Description (
"The Name property uniquely identifies the "
"CIM_SAProposal.") ]
string Name;
};
753
754 // ==================================================================
755 // IKEProposal
756 // ==================================================================
// One phase 1 proposal: cipher, hash, PRF, DH group, authentication method
// and lifetimes. Exchange mode and the aggressive-mode group live on
// CIM_IKEAction.
[Description ("IKEProposal contains the parameters necessary "
"to drive the phase 1 IKE negotiation.") ]

class CIM_IKEProposal : CIM_SAProposal
{
// How many phase 2 keys may be derived from one phase 1 key; 0 = no limit.
[Description ("LifetimeDerivedKeys specifies the number of "
"times a phase 1 key will be used to derive a phase 2 "
"(IPsec) key. A value of 0 indicates that there is no limit "
"to the number of phase 2 keys that can be derived from the "
"phase 1 key.") ]
uint32 LifetimeDerivedKeys ;

// 1 = DES, 2 = IDEA, 3 = Blowfish, 4 = RC5, 5 = 3DES, 6 = CAST.
// NOTE(review): single DES is considered inadequate today; this list
// reflects the 2001 schema.
[Description ("CipherAlgorithm is an enumeration that "
"specifies the proposed encryption algorithm."),
ValueMap { "1", "2", "3", "4", "5", "6" },
Values { "DES", "IDEA", "Blowfish", "RC5", "3DES",
"CAST"}]
uint16 CipherAlgorithm;

// 1 = MD5, 2 = SHA-1, 3 = Tiger.
[Description ("HashAlgorithm is an enumeration that specifies "
"the proposed hash function."),
ValueMap {"1", "2", "3"},
Values {"MD5", "SHA-1", "Tiger"}]
uint16 HashAlgorithm;

// Placeholder: the Description says no PRF values are defined, and there
// is no ValueMap.
[Description ("PRFAlgorithm specifies the pseudo-random "
"function IKE should use. Currently, no such functions are "
"defined.")]
uint16 PRFAlgorithm;

// Qualifies GroupId when it is in the vendor range.
[Description ("The VendorID property is used to identify "
"vendor-defined key exchange GroupIDs."),
ModelCorrespondence {"CIM_IKEProposal.GroupId"}]
string VendorID;

// DH group for Base/Main mode; 0 and ignored in Aggressive mode, where
// CIM_IKEAction.AggressiveModeGroupID is used instead.
[Description ("When IKEAction.ExchangeMode is set to "
"\"Base\" or to \"Main,\" the GroupId specifies the key "
"exchange group ID to use in a proposal, otherwise, "
"GroupId is set to 0, \"Not Applicable,\" and ignored. "
"If the GroupID number is from the vendor-specific range "
"(32768-65535), the VendorID qualifies the group number. "
"Well-known group identifiers from RFC2412 are:\n"
" 0='Not Applicable', 1='DH768', 2='DH1024', "
"3='ECC2N155', 4='ECC2N185', and 5='DH1536'"),
ModelCorrespondence {"CIM_IKEProposal.VendorID"}]
uint16 GroupId;

// 0 = Any expands into one proposal per credential the system holds, so
// the peer ends up choosing the method; a policy that requires a specific
// method (e.g. certificates rather than a pre-shared key) should set it
// explicitly.
[Description ("AuthenticationMethod is an enumeration that "
"specifies the authentication method to use for the "
"proposal. If the value 0 (Any) is used, then the proposal "
"should be multiplied in the IKE proposal list by as many "
"authentication methods as correspond to credentials on the "
"system (e.g., if the system has a preshared key and a "
"certificate, then the proposal will be repeated twice -- "
"once for each method)."),
ValueMap { "0", "1", "2", "3", "4", "5", "6" },
Values {"Any", "Preshared", "DSS_Signatures",
"RSA_Signatures", "RSA_Encryption", "Revised_RSA_Encryption",
"Kerberos" } ]
uint16 AuthenticationMethod;

// Maximum phase 1 SA lifetime this side proposes.
[Description ("MaxLifetimeSeconds specifies the maximum time "
"the IKE message sender proposes for an SA to be considered "
"valid after it has been created."), Units("Seconds") ]
uint32 MaxLifetimeSeconds;

// Byte-count counterpart of MaxLifetimeSeconds.
[Description ("MaxLifetimeKilobytes specifies the maximum "
"kilobyte lifetime the IKE message sender proposes for an SA "
"to be considered valid after it has been created. Each "
"proposal may use a different lifetime based upon the "
"strength of the encryption algorithm.") ]
uint32 MaxLifetimeKilobytes;
};
830
831 // ==================================================================
832 // IPsecProposal
833 // ==================================================================
// CIM_IPsecProposal: phase 2 (IPsec SA) proposal. It declares no
// properties of its own; the Description says it aggregates a transform
// list, but the aggregation that attaches the transforms is not defined
// in this part of the file.
834 [Description ("IPsecProposal aggregates the transform list "
835 "that specify the phase 2 negotiation proposals for "
836 "transform parameters.") ]
837
838 class CIM_IPsecProposal : CIM_SAProposal
839 {
840 };
841 karl 1.1
842 // ==================================================================
843 // IKEService
844 // ==================================================================
// CIM_IKEService: marker subclass of NetworkService for the IKE daemon on
// a System. No properties are added; keys and Name are inherited.
845 [Description (
846 "Derived from NetworkService, IKEService represents the "
847 "functions performed during IKE phase 1 and phase 2 "
848 "negotiations. An IKEService instance provides services "
849 "for IPProtocolEndpoints on a System.") ]
850
851 class CIM_IKEService: CIM_NetworkService
852 {
853 };
854
855 // ==================================================================
856 // PeerGateway
857 // ==================================================================
// CIM_PeerGateway: the remote security gateway an IKEService negotiates
// with. Keyed by the scoping System plus CreationClassName and Name;
// the peer's IKE identity is carried as a (type, string) pair.
858 [Description ("PeerGateway identifies a security gateway with "
859 "which an IKE Service negotiates.") ]
860
861 class CIM_PeerGateway: CIM_LogicalElement
862 karl 1.1 {
// Scoping keys propagated from the hosting System (standard CIM pattern).
863 [Propagated ("CIM_System.CreationClassName"), Key,
864 MaxLen (256), Description (
865 "The scoping System's CreationClassName. ") ]
866 string SystemCreationClassName;
867
868 [Propagated ("CIM_System.Name"), Key, MaxLen (256),
869 Description ("The scoping System's Name.") ]
870 string SystemName;
871
872 [Key, MaxLen (256), Description (
873 "CreationClassName indicates the name of the class or the "
874 "subclass used in the creation of an instance. When used "
875 "with the other key properties of this class, this property "
876 "allows all instances of this class and its subclasses to "
877 "be uniquely identified." ) ]
878 string CreationClassName;
879
// Name is promoted to a Key here (it is not a key on LogicalElement).
880 [Override ("Name"), Key, MaxLen (256),
881 Description (
882 "The Name property uniquely identifies the PeerGateway "
883 karl 1.1 "instance.") ]
884 string Name;
885
// The numbering appears to follow the IPsec DOI identification types
// (1=IPV4_ADDR ... 11=KEY_ID). The same ValueMap is repeated on
// CIM_PeerIdentityEntry.PeerIdentityType and
// CIM_IKEIdentity.IdentityType.
886 [Description ("The PeerIdentityType specifies the type of the "
887 "Peer's IKE Identity."),
888 ValueMap
889 {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
890 Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
891 "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
892 "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
893 ModelCorrespondence {"CIM_PeerGateway.PeerIdentity"}]
894 uint16 PeerIdentityType;
895
// NOTE(review): the string encoding per identity type (e.g. how a
// DER_ASN1_DN or KEY_ID is rendered as text) is not specified here;
// confirm the convention against the consumer before comparing values.
896 [Description ("PeerIdentity contains a string encoding of the "
897 "Identity payload for the security gateway."),
898 ModelCorrespondence {"CIM_PeerGateway.PeerIdentityType"}]
899 string PeerIdentity;
900 };
901
902 // ==================================================================
903 // PeerIdentityTable
904 karl 1.1 // ==================================================================
// CIM_PeerIdentityTable: a named Collection of CIM_PeerIdentityEntry
// rows, scoped to a System. Entries reference this table through the
// Propagated TableCreationClassName/TableName keys.
905 [Description ("PeerIdentityTable aggregates table entries "
906 "that provide mappings between identities and their "
907 "addresses.") ]
908
909 class CIM_PeerIdentityTable: CIM_Collection
910 {
// Scoping keys propagated from the hosting System.
911 [Propagated ("CIM_System.CreationClassName"), Key,
912 MaxLen (256), Description (
913 "The scoping System's CreationClassName. ") ]
914 string SystemCreationClassName;
915
916 [Propagated ("CIM_System.Name"), Key, MaxLen (256),
917 Description ("The scoping System's Name.") ]
918 string SystemName;
919
920 [Key, MaxLen (256), Description (
921 "CreationClassName indicates the name of the class or the "
922 "subclass used in the creation of an instance. When used "
923 "with the other key properties of this class, this property "
924 "allows all instances of this class and its subclasses to "
925 karl 1.1 "be uniquely identified." ) ]
926 string CreationClassName;
927
// Declared as a new Key rather than an Override of an inherited Name
// (compare CIM_PeerGateway.Name above, which uses Override).
928 [Key, MaxLen (256), Description ("The Name property uniquely "
929 "identifies the PeerIdentityTable." ) ]
930 string Name;
931 };
932
933 // ==================================================================
934 // PeerIdentityEntry
935 // ==================================================================
// CIM_PeerIdentityEntry: one row of a CIM_PeerIdentityTable mapping a
// peer IKE identity to a peer IP address. Identity type, identity
// string, address type and address are all Keys, so the same identity
// may appear with several addresses and vice versa.
936 [Description ("A PeerIdentityEntry in a PeerIdentityTable "
937 "provides the mappings between peer's addresses and "
938 "identities." ) ]
939
940 class CIM_PeerIdentityEntry: CIM_LogicalElement
941 {
// Scoping keys propagated from the System and from the owning table.
942 [Propagated ("CIM_System.CreationClassName" ), Key,
943 MaxLen (256), Description (
944 "The scoping System's CreationClassName. " ) ]
945 string SystemCreationClassName;
946 karl 1.1
947 [Propagated ("CIM_System.Name"), Key, MaxLen (256),
948 Description ("The scoping System's Name." ) ]
949 string SystemName;
950
951 [Propagated ("CIM_PeerIdentityTable.CreationClassName"), Key,
952 MaxLen (256), Description (
953 "The scoping PeerIdentityTable CreationClassName.") ]
954 string TableCreationClassName;
955
956 [Propagated ("CIM_PeerIdentityTable.Name"), Key,
957 MaxLen (256), Description (
958 "The scoping PeerIdentityTable Name." ) ]
959 string TableName;
960
961 [Key, MaxLen (256), Description (
962 "CreationClassName indicates the name of the class or the "
963 "subclass used in the creation of an instance. When used "
964 "with the other key properties of this class, this property "
965 "allows all instances of this class and its subclasses to "
966 "be uniquely identified.") ]
967 karl 1.1 string CreationClassName;
968
// Same ValueMap as CIM_PeerGateway.PeerIdentityType.
969 [Key, Description ("The PeerIdentityType specifies the type "
970 "of the Peer's IKE Identity."),
971 ValueMap
972 {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
973 Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
974 "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
975 "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
976 ModelCorrespondence {"CIM_PeerIdentityEntry.PeerIdentity"}]
977 uint16 PeerIdentityType;
978
// No MaxLen on this Key, unlike the other string keys in this class;
// the encoding per identity type is not specified here.
979 [Key, Description ("PeerIdentity contains a string encoding "
980 "of the Identity payload for the security gateway."),
981 ModelCorrespondence {"CIM_PeerIdentityEntry.PeerIdentityType"}]
982 string PeerIdentity;
983
// 0 (Unknown) is a legal key value here; the Description requires IPv4-
// representable addresses to be written in IPv4 form.
984 [Key, Description (
985 "An enumeration that describes the format of the PeerAddress "
986 "property. Addresses that can be formatted in IPv4 format, "
987 "must be formatted that way to ensure mixed IPv4/IPv6 "
988 karl 1.1 "support."),
989 ValueMap { "0", "1", "2" },
990 Values { "Unknown", "IPv4", "IPv6" },
991 ModelCorrespondence {"CIM_PeerIdentityEntry.PeerAddress"}]
992 uint16 PeerAddressType;
993
// NOTE(review): this Description reads as if copied from
// IPProtocolEndpoint - it refers to "this ProtocolEndpoint" and to an
// "AddressType property", but this class is a LogicalElement and the
// governing property is PeerAddressType (as ModelCorrespondence says).
994 [Key, Description (
995 "The IP address that this ProtocolEndpoint represents, "
996 "formatted according to the appropriate convention as "
997 "defined in the AddressType property of this class "
998 "(e.g., 171.79.6.40)."),
999 ModelCorrespondence {"CIM_PeerIdentityEntry.PeerAddressType"}]
1000 string PeerAddress;
1001 };
1002
1003 // ==================================================================
1004 // IPsecProtectionSuite
1005 // ==================================================================
// CIM_IPsecProtectionSuite: a Collection grouping the SAs that IKE
// negotiated together (per the Description up to six: in/out for each of
// AH, ESP, IPCOMP). Keyed by System, IPProtocolEndpoint,
// CreationClassName and Name. The association that places
// SecurityAssociation instances into the suite is not in this chunk.
1006 [Description ("IPsecProtectionSuite represents the collection "
1007 "of SAs negotiated as a set by IKE. A protection suite may "
1008 "consist of up to 6 individual SAs (incoming and outgoing "
1009 karl 1.1 "SAs for AH, ESP, and IPCOMP)") ]
1010
1011 class CIM_IPsecProtectionSuite : CIM_Collection
1012 {
1013 [Key, MaxLen (256), Description (
1014 "CreationClassName indicates the name of the class or the "
1015 "subclass used in the creation of an instance. When used "
1016 "with the other key properties of this class, this property "
1017 "allows all instances of this class and its subclasses to "
1018 "be uniquely identified.") ]
// (blank line between qualifier list and declaration is harmless to the
// MOF parser but breaks the layout used elsewhere in the file)
1019
1020 string CreationClassName;
// NOTE(review): this Description says Name "identifies the Service" and
// points at a Description property - wording copied from CIM_Service;
// this class is a Collection, not a Service.
1021 [Key, MaxLen (256), Description (
1022 "The Name property uniquely identifies the Service and "
1023 "provides an indication of the functionality that is "
1024 "managed. This functionality is described in more detail in "
1025 "the object's Description property. ") ]
1026 string Name;
1027
// Scoping keys propagated from the hosting System ...
1028 [Propagated ("CIM_System.CreationClassName"), Key,
1029 MaxLen (256), Description (
1030 karl 1.1 "The scoping System's CreationClassName. ") ]
1031 string SystemCreationClassName;
1032
1033 [Propagated ("CIM_System.Name"), Key, MaxLen (256),
1034 Description ("The scoping System's Name.") ]
1035 string SystemName;
1036
// ... and from the IPProtocolEndpoint (the "SAP") the suite belongs to.
1037 [Propagated ("CIM_IPProtocolEndpoint.CreationClassName"), Key,
1038 MaxLen (256), Description (
1039 "The scoping IPProtocolEndpoint's CreationClassName. ") ]
1040 string SAPCreationClassName;
1041
1042 [Propagated ("CIM_IPProtocolEndpoint.Name"), Key,
1043 MaxLen (256), Description (
1044 "The scoping IPProtocolEndpoint's Name.") ]
1045 string SAPName;
1046 };
1047
1048 // ==================================================================
1049 // IKEIdentity
1050 // ==================================================================
// CIM_IKEIdentity: a local identity (type + value) an endpoint or a
// collection of endpoints may present in IKE phase 1, selected at
// negotiation time by IKEAction.UseIKEIdentityType, the local address
// and the IKERule.IdentityContexts match.
1051 karl 1.1 [Description ("IKEIdentity is used to represent the "
1052 "identities that may be used for an IPProtocolEndpoint (or "
1053 "collection of IPProtocolEndpoints) to identify itself in "
1054 "IKE phase 1 negotiations. The policy "
1055 "IKEAction.UseIKEIdentityType specifies which type of the "
1056 "available identities to use in a negotiation exchange and "
1057 "the IKERule.IdentityContexts specifies the match values to "
1058 "be used, along with the local address, to be used in "
1059 "selecting the appropriate identity for a negotiation. The "
1060 "ElementID property value should be that of either the "
1061 "IPProtocolEndpoint or Collection of endpoints as "
1062 "appropriate.") ]
1063
1064 class CIM_IKEIdentity : CIM_UsersAccess
1065 {
// Same ValueMap as CIM_PeerGateway.PeerIdentityType.
// NOTE(review): the class Description names the policy property
// "IKEAction.UseIKEIdentityType" while this ModelCorrespondence names
// "CIM_IKEAction.UseIKEIdentity" - confirm which one CIM_IKEAction
// actually defines.
1066 [Description ("The IdentityType specifies the type of IKE "
1067 "Identity."),
1068 ValueMap
1069 {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
1070 Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
1071 "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
1072 karl 1.1 "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
1073 ModelCorrespondence {"CIM_IKEAction.UseIKEIdentity",
1074 "CIM_IKEIdentity.IdentityValue"}]
1075 uint16 IdentityType;
1076
// May be empty for address-type identities: the endpoint's own address
// is then used (per the Description).
1077 [Description ("IdentityValue contains a string encoding of "
1078 "the Identity payload. For IKEIdentity instances that are "
1079 "address types, the IdentityValue string value may be "
1080 "omitted and the associated IPProtocolEndpoint or "
1081 "appropriate member of the Collection of endpoints is used."),
1082 ModelCorrespondence {"CIM_IKEIdentity.IdentityType"}]
1083 string IdentityValue;
1084
// Multi-valued; each element is "<ContextName>[&&<ContextName>]*" with
// names in UCS-2 collation order, and the array is matched OR-wise
// against IKERule.IdentityContexts. The "1 and only 1" uniqueness
// requirement is stated in prose only and cannot be enforced by MOF.
1085 [Description (
1086 "The IdentityContexts property is used to constrain the use "
1087 "of IKEIdentity instances to match that specified in the "
1088 "IKERule.IdentityContexts. The IdentityContexts are "
1089 "formatted as policy roles and role combinations. Each "
1090 "value represents one context or context combination. Since "
1091 "this is a multi-valued property, more than one context or "
1092 "combination of contexts can be associated with a single "
1093 karl 1.1 "IKEIdentity. Each value is a string of the form:\n"
1094 " <ContextName>[&&<ContextName>]*\n"
1095 "where the individual context names appear in alphabetical "
1096 "order (according to the collating sequence for UCS-2). "
1097 "If one or more values in the IKERule.IdentityContexts array "
1098 "match one or more IKEIdentity.IdentityContexts then the "
1099 "identity's context matches. (That is, each value of the "
1100 "IdentityContext array is an ORed condition.) In "
1101 "combination with the address of the IPProtocolEndpoint and "
1102 "IKEAction.UseIKEIdentityType, there should be 1 and only 1 "
1103 "IKEIdentity." ),
1104 ModelCorrespondence {"CIM_IKERule.IdentityContexts" } ]
1105 string IdentityContexts [];
1106 };
1107
1108 // ==================================================================
1109 // SecurityAssociation
1110 // ==================================================================
// CIM_SecurityAssociation: common base for IKE, IPsec, Discard and
// Bypass SAs. Holds creation time, the three lifetime limits (time,
// idle time, traffic volume), their refresh thresholds and the byte
// counter. Keys are inherited from ProtocolEndpoint (Name etc.).
1111 [Description ("SecurityAssociation is a base class for the "
1112 "various types of security associations.") ]
1113
1114 karl 1.1 class CIM_SecurityAssociation : CIM_ProtocolEndpoint
1115 {
1116 [Description (
1117 "TimeOfCreation records when the SA was created")]
1118 datetime TimeOfCreation;
1119
// Hard time limit measured from TimeOfCreation.
1120 [Description ("LifetimeSeconds specifies the maximum time SA "
1121 "will be considered valid after it has been created."),
1122 Units("Seconds") ]
1123 uint32 LifetimeSeconds;
1124
// NOTE(review): despite the "Seconds" suffix this is a percentage of
// LifetimeSeconds (uint8, per the Description), not a time value; the
// name cannot be changed without breaking the schema, so read it as
// "percent". The random jitter mentioned is left to the implementation.
1125 [Description ("RefreshThresholdSeconds is the lifetime "
1126 "percentage at which IKE should automatically attempt to "
1127 "acquire a new SA before the existing SA expires. A random "
1128 "period may be added to a calculated threshold to reduce "
1129 "network thrashing.")]
1130 uint8 RefreshThresholdSeconds;
1131
// Idle timer reference point for IdleDurationSeconds below.
1132 [Description ("LastAccessed enables deletion if SA is idle "
1133 "too long.")]
1134 datetime LastAccessed;
1135 karl 1.1
1136 [Description ("IdleDurationSeconds specifies how long the SA "
1137 "can be idle before it is deleted. The default value, 0, "
1138 "indicates that there is no idle time out period."),
1139 Units("Seconds")]
1140 uint32 IdleDurationSeconds;
1141
// NOTE(review): ByteCount is in bytes and uint32 (wraps at 4 GiB),
// whereas LifetimeKilobytes is in kilobytes; any comparison between the
// two needs a unit conversion and must cope with counter wrap.
1142 [Description ("How many bytes have been protected by this SA")]
1143 uint32 ByteCount;
// Volume limit; the Description's second sentence is garbled ("It is
// deleted SA if ...") but the intent is: delete the SA once exceeded.
1144 [Description ("LifetimeKilobytes specifies the maximum number "
1145 "of kilobytes of data traffic to be protected by the SA. It "
1146 "is deleted SA if LifetimeKilobyte value is exceeded.")]
1147 uint32 LifetimeKilobytes;
1148
// Percentage of LifetimeKilobytes (uint8), same convention as
// RefreshThresholdSeconds.
1149 [Description ("RefreshThresholdKilobytes is the ByteCount "
1150 "value, expressed as a percentage of the LifetimeKilobytes, "
1151 "at which IKE should begin to renegotiate a new SA. A "
1152 "random value may be added to the calculated threshold to "
1153 "reduce network thrashing.")]
1154 uint8 RefreshThresholdKilobytes;
1155
// NOTE(review): what is logged (headers only vs. payload), where, and
// under what retention is not specified by the model; logged IPsec
// traffic can include sensitive data, so confirm the implementation's
// logging scope before enabling this on production SAs.
1156 karl 1.1 [Description (
1157 "DoPacketLogging causes a log to be kept of traffic "
1158 "processed by the SA." )]
1159 boolean DoPacketLogging;
1160 };
1161
1162 // ==================================================================
1163 // IKESecurityAssociation
1164 // ==================================================================
// CIM_IKESecurityAssociation: the phase 1 (ISAKMP) SA. Identified by the
// initiator/responder cookie pair; records the negotiated cipher, hash
// and DH group plus the derived-key budget.
1165 [Description ("IKESecurityAssociation is the SA used by IKE "
1166 "to protect key negotiation traffic.") ]
1167
1168 class CIM_IKESecurityAssociation : CIM_SecurityAssociation
1169 {
// NOTE(review): the literals on the next two properties concatenate
// "this value," and "in string form" with no space between them; fix
// the Description text at the next schema revision.
1170 [Description ("Identifier of the IKE phase 1 negotiation "
1171 "initiator. Combined with the ResponderCookie, this value,"
1172 "in string form, may be used to construct the value of the "
1173 "key field 'Name'." ) ]
1174 uint64 InitiatorCookie;
1175
1176 [Description ("Identifier of the IKE phase 1 negotiation "
1177 karl 1.1 "responder. Combined with the InitiatorCookie, this value,"
1178 "in string form, may be used to construct the value of the "
1179 "key field 'Name'." ) ]
1180 uint64 ResponderCookie;
1181
// Running counter compared against LifetimeDerivedKeys below.
1182 [Description ("How many phase 2 derived keys have been "
1183 "negotiated with this SA." ) ]
1184 uint32 DerivedKeyCount;
1185
// NOTE(review): Description typo "LiftetimeDerivedKeys" and a missing
// space ("there is" + "no limit"). Semantics match
// CIM_IKEProposal.LifetimeDerivedKeys: 0 means unbounded.
1186 [Description ("Delete SA if more than LiftetimeDerivedKeys "
1187 "phase 2 keys derived. A zero value indicates that there is"
1188 "no limit to the number of phase 2 derived keys." ) ]
1189 uint32 LifetimeDerivedKeys;
1190
// Percentage (uint8), same convention as the RefreshThreshold*
// properties on the base class.
1191 [Description ("Percentage of LifetimeDerivedKeys at which "
1192 "SA should be refreshed." ) ]
1193 uint8 RefreshThresholdDerivedKeys;
1194
// Same ValueMap as CIM_IKEProposal.CipherAlgorithm; the Description
// still says "proposed" although this is the negotiated result.
// NOTE(review): 1 (DES) is a legacy algorithm.
1195 [Description ("CipherAlgorithm is an enumeration that "
1196 "specifies the proposed encryption algorithm."),
1197 ValueMap { "1", "2", "3", "4", "5", "6" },
1198 karl 1.1 Values
1199 {"DES", "IDEA", "Blowfish", "RC5", "3DES", "CAST"}]
1200 uint16 CipherAlgorithm;
1201
// Same ValueMap as CIM_IKEProposal.HashAlgorithm (1=MD5 is legacy).
1202 [Description ("HashAlgorithm is an enumeration that specifies "
1203 "the proposed hash function."),
1204 ValueMap {"1", "2", "3"},
1205 Values {"MD5", "SHA-1", "Tiger" } ]
1206 uint16 HashAlgorithm;
1207
// Unlike CIM_IKEProposal.GroupId, the list here starts at 1 and omits
// 0='Not Applicable'; whether 0 is a valid value on a negotiated SA is
// not stated.
1208 [Description ("GroupId specifies the key exchange group ID. "
1209 "If the GroupID number is from the vendor-specific range "
1210 "(32768-65535), the VendorID qualifies the group number. "
1211 "Well-known group identifiers from RFC2412 are:\n"
1212 "1='DH768', 2='DH1024', 3='ECC2N155', 4='ECC2N185', and "
1213 "5='DH1536'"),
1214 ModelCorrespondence {"CIM_IKESecurityAssociation.VendorID"}]
1215 uint16 GroupId;
1216
// Only meaningful when GroupId is in the vendor range 32768-65535.
1217 [Description ("VendorID identifies the vendor ID for "
1218 "vendor-defined algorithms."),
1219 karl 1.1 ModelCorrespondence {"CIM_IKESecurityAssociation.GroupId"}]
1220 string VendorID;
1221 };
1222
1223
1224 // ==================================================================
1225 // IPsecSecurityAssociation
1226 // ==================================================================
// CIM_IPsecSecurityAssociation: a phase 2 SA (AH, ESP or IPCOMP), either
// negotiated by IKE or configured statically. Which protocol the SA is
// for is not carried by this class; the transform details are expected
// elsewhere in the model.
1227 [Description ("IPsecSecurityAssociation is used to represent "
1228 "both negotiated and static SAs that correspond to AH, ESP, "
1229 "or IPCOMP.") ]
1230
1231 class CIM_IPsecSecurityAssociation : CIM_SecurityAssociation
1232 {
// NOTE(review): an SPI is only unique together with the destination
// address and protocol, so a Name built from the SPI alone can collide
// across peers/protocols on the same endpoint - confirm how Name is
// actually composed by the provider.
1233 [Description ("SPI contains the Security Parameter Index of "
1234 "the SA. This value in string form may also be used in "
1235 "the key field 'Name' inherited from ServiceAccessPoint. ")]
1236 uint32 SPI;
1237
// No 0/"Unknown" value; 1=Tunnel, 2=Transport.
1238 [Description ("EncapsulationMode indicates whether the "
1239 "security association is for a transport or tunnel "
1240 karl 1.1 "encapsulation mode."),
1241 ValueMap {"1", "2"},
1242 Values {"Tunnel", "Transport"}]
1243 uint16 EncapsulationMode;
1244 };
1245
1246 // ==================================================================
1247 // DiscardSecurityAssociation
1248 // ==================================================================
// CIM_DiscardSecurityAssociation: marker SA whose effect is to drop the
// matched traffic. No properties beyond the base class; the traffic it
// applies to comes from CIM_FilterOfSecurityAssociation.
1249 [Description ("DiscardSecurityAssociation is the SA type that "
1250 "causes packets to be dropped.") ]
1251
1252 class CIM_DiscardSecurityAssociation: CIM_SecurityAssociation
1253 {
1254 };
1255 // ==================================================================
1256 // BypassSecurityAssociation
1257 // ==================================================================
// CIM_BypassSecurityAssociation: marker SA whose effect is to pass the
// matched traffic unprotected. No properties beyond the base class; the
// matched traffic is selected via CIM_FilterOfSecurityAssociation, so
// the attached FilterList is what bounds the cleartext exposure.
1258 [Description ("BypassSecurityAssociation is the SA type that "
1259 "causes packets to be sent in the clear.") ]
1260
1261 karl 1.1 class CIM_BypassSecurityAssociation: CIM_SecurityAssociation
1262 {
1263 };
1264
1265 // ==================================================================
1266 // AutostartIKEConfiguration
1267 // ==================================================================
// CIM_AutostartIKEConfiguration: SystemConfiguration container that
// groups CIM_AutostartIKESetting instances. Adds no properties.
1268 [Description ("AutostartIKEConfiguration object allows the "
1269 "grouping of sets of AutostartIKESetting instances.") ]
1270 class CIM_AutostartIKEConfiguration : CIM_SystemConfiguration
1271 {
1272 };
1273
1274 // ==================================================================
1275 // AutostartIKESetting
1276 // ==================================================================
// CIM_AutostartIKESetting: a 5-tuple-like selector (addresses, ports,
// protocol) used to kick off an IKE negotiation proactively; the policy
// rule that matches the selector decides what is negotiated.
1277 [Description ("AutostartIKESetting instances are used to "
1278 "automatically initiate IKE negotiations with peers as "
1279 "described in AutostartIKESetting properties. IKE "
1280 "negotiations are initiated according to the policy that "
1281 "matches the setting parameters.") ]
1282 karl 1.1 class CIM_AutostartIKESetting : CIM_SystemSetting
1283 {
// True: phase 1 only; False: phase 1 followed by phase 2.
1284 [Description (
1285 "Phase1Only is used to limit the IKE negotiation to just "
1286 "setting up a phase 1 security association. When set to "
1287 "False, both phase 1 and 2 negotiations are initiated.") ]
1288 boolean Phase1Only;
// One AddressType governs both SourceAddress and DestinationAddress.
1289 [Description (
1290 "An enumeration that describes the format of the source and "
1291 "destination address properties."),
1292 ValueMap { "0", "1", "2" },
1293 Values { "Unknown", "IPv4", "IPv6" },
1294 ModelCorrespondence {"CIM_AutostartIKESetting.SourceAddress",
1295 "CIM_AutostartIKESetting.DestinationAddress"}]
1296 uint16 AddressType;
// Addresses are plain strings with no MaxLen; format follows AddressType.
1297 [Description (
1298 "The dotted-decimal or colon-decimal formatted IP address "
1299 "used as the source address in comparing with policy "
1300 "filter entries and used in any phase 2 negotiations."),
1301 ModelCorrespondence {"CIM_AutostartIKESetting.AddressType"}]
1302 string SourceAddress;
1303 karl 1.1 [Description (
1304 "The port number used as the source port in comparing "
1305 "with policy filter entries and used in any phase "
1306 "2 negotiations.")]
1307 uint16 SourcePort;
1308 [Description (
1309 "The dotted-decimal or colon-decimal formatted IP address "
1310 "used as the destination address in comparing with policy "
1311 "filter entries and used in any phase 2 negotiations."),
1312 ModelCorrespondence {"CIM_AutostartIKESetting.AddressType"}]
1313 string DestinationAddress;
1314 [Description (
1315 "The port number used as the destination port in comparing "
1316 "with policy filter entries and used in any phase 2 "
1317 "negotiations.")]
1318 uint16 DestinationPort;
// IP protocol number (uint8). No wildcard value is defined for port or
// protocol here, so whether 0 means "any" is implementation-defined.
1319 [Description (
1320 "The protocol number used in comparing with policy filter "
1321 "entries and used in any phase 2 negotiations.")]
1322 uint8 Protocol;
1323 };
1324 karl 1.1
1325
1326 /////////////////////////////////////////////////////////////////////
1327 //*******************************************************************
1328 // Associations
1329 //*******************************************************************
1330 /////////////////////////////////////////////////////////////////////
1331
1332 // ==================================================================
1333 // SAConditionInRule
1334 // ==================================================================
// CIM_SAConditionInRule: narrows PolicyConditionInPolicyRule to
// SARule <- SACondition. Min(1) on PartComponent means an SARule must
// carry at least one SACondition.
1335 [ Association, Aggregation, Description (
1336 "SAConditionInRule aggregates an SARule with the set of "
1337 "SACondition instances that trigger it.") ]
1338
1339 class CIM_SAConditionInRule : CIM_PolicyConditionInPolicyRule
1340 {
1341 [Aggregate, Override ("GroupComponent"), Description (
1342 "An SARule subclass of PolicyRule." ) ]
1343 CIM_SARule REF GroupComponent;
1344
1345 karl 1.1 [Override ("PartComponent"), Min(1), Description (
1346 "An SACondition subclass of PolicyCondition. " ) ]
1347 CIM_SACondition REF PartComponent;
1348 };
1349
1350 // ==================================================================
1351 // FilterOfSACondition
1352 // ==================================================================
// CIM_FilterOfSACondition: ties exactly one FilterList (Min(1), Max(1))
// to an SACondition; the FilterList is the traffic selector that makes
// the condition match.
1353 [ Association, Description (
1354 "FilterOfSACondition associates a network traffic "
1355 "specification (FilterList) with a SARule's SACondition." ) ]
1356
1357 class CIM_FilterOfSACondition : CIM_Dependency
1358 {
1359 [Override ("Antecedent"), Min(1), Max(1), Description (
1360 "A FilterList describes the traffic that will specify the "
1361 "traffic to be filtered that is part of the SACondition of "
1362 "a policy rule. " ) ]
1363 CIM_FilterList REF Antecedent;
1364
// No cardinality on the Dependent side: one FilterList may serve many
// SAConditions.
1365 [Override ("Dependent"), Description (
1366 karl 1.1 "This is the SACondition that uses this FilterList to form "
1367 "a policy rule. " ) ]
1368 CIM_SACondition REF Dependent;
1369 };
1370
1371 // ==================================================================
1372 // AcceptCredentialsFrom
1373 // ==================================================================
// CIM_AcceptCredentialsFrom: declares which CredentialManagementService
// (CA, Kerberos KDC, ...) is trusted to have issued the peer credential
// matched by an SACondition. This is the trust-anchor binding of the
// model: a credential that matches the filter but was not issued by an
// associated service is, per the Description, not to be accepted.
// NOTE(review): neither end carries a Min qualifier, so an SACondition
// with no instance of this association has an unspecified trusted-issuer
// set - confirm how the implementation treats that case.
1374 [Association, Description (
1375 "This is used to specify which credential management service "
1376 "(e.g., a CertificateAuthority or a Kerberos service) is to "
1377 "be trusted to certify peer credentials. This is used to "
1378 "validate that the credential being matched in the "
1379 "CredentialFilterEntry is a valid credential that has been "
1380 "supplied by an approved CredentialManagementService. " ) ]
1381
1382 class CIM_AcceptCredentialsFrom : CIM_Dependency
1383 {
1384 [Override ("Antecedent"),
1385 Description ("The CredentialManagementService that is issuing "
1386 "the credential to be used in the SACondition. " ) ]
1387 karl 1.1 CIM_CredentialManagementService REF Antecedent;
1388
1389 [Override ("Dependent"),
1390 Description ("The SACondition that contains the credential. " ) ]
1391 CIM_SACondition REF Dependent;
1392 };
1393
1394 // ==================================================================
1395 // SAActionInRule
1396 // ==================================================================
// CIM_SAActionInRule: narrows PolicyActionInPolicyRule to
// SARule <- SAAction and re-declares ActionOrder so that IPsec can
// require a strict (duplicate-free) ordering of actions within a rule.
1397 [Association, Aggregation, Description (
1398 "SAActionInRule aggregates SAActions into SARules. " ) ]
1399
1400 class CIM_SAActionInRule : CIM_PolicyActionInPolicyRule
1401 {
1402 [Aggregate, Override ("GroupComponent"), Description (
1403 "An SARule that contains one or more SAActions. " ) ]
1404 CIM_SARule REF GroupComponent;
1405
// Min(1): an SARule must have at least one SAAction.
1406 [Override ("PartComponent"), Min(1), Description (
1407 "An SAAction subclass of PolicyAction which is aggregated "
1408 karl 1.1 "into this SARule. " ) ]
1409 CIM_SAAction REF PartComponent;
1410
// NOTE(review): the "no two actions may share an order" rule is stated
// in prose only; MOF has no qualifier that enforces uniqueness, so the
// provider/consumer must validate it. The meaning of 0 (as opposed to a
// "positive integer") is not defined here.
1411 [Override ("ActionOrder"), Description (
1412 "ActionOrder is an unsigned integer 'n' that indicates "
1413 "the relative position of this SAAction in the "
1414 "sequence of actions associated with a PolicyRule. "
1415 "When 'n' is a positive integer, it indicates a place "
1416 "in the sequence of actions to be performed, with "
1417 "smaller integers indicating earlier positions in the "
1418 "sequence.\n\n"
1419 "Note that this property is inherited from its parent "
1420 "aggregation but overridden for two reasons. First, "
1421 "the parent aggregation allows for two policy rules "
1422 "to have the same action order. This is NOT allowed "
1423 "in IPsec (e.g., there MUST be a deterministic order "
1424 "that is followed). Second, this override enables "
1425 "IPsec consumers to add specific semantics of the "
1426 "action order in their implementations. " ) ]
1427 uint16 ActionOrder;
1428 };
1429 karl 1.1
1430 // ==================================================================
1431 // IPsecPolicyGroupInPolicyGroup
1432 // ==================================================================
// CIM_IPsecPolicyGroupInPolicyGroup: recursive aggregation building a
// tree of IPsecPolicyGroups. Intended shape (prose only, not enforced):
// inner nodes hold only groups, leaves hold only IKE/IPsec SARules.
// GroupPriority orders sibling groups when their rules are merged.
1433 [Association, Aggregation, Description (
1434 "IPsecPolicyGroupInPolicyGroup is a recursive aggregation "
1435 "that enables a nested hierarchy of IPsecPolicyGroups to be "
1436 "defined. This enables multiple policies to be merged into a "
1437 "single policy that contains the rules of its constituent "
1438 "policies. When merging policies, rule priorities are used to "
1439 "provide a deterministic rule execution strategy. \n\n"
1440 "The aggregating IPsecPolicyGroup is intended to contain only "
1441 "other IPsecPolicyGroup instances, while the leaf "
1442 "IPsecPolicyGroup instances are intended to only contain IKE "
1443 "and/or IPsec SARules. " ) ]
1444
1445 class CIM_IPsecPolicyGroupInPolicyGroup : CIM_PolicyGroupInPolicyGroup
1446 {
1447 [Aggregate, Override("GroupComponent"), Description (
1448 "A policy group that aggregates other policy groups.") ]
1449 CIM_IPsecPolicyGroup REF GroupComponent;
1450 karl 1.1
// No cardinality is declared, so nothing in the schema prevents a group
// from being aggregated by several parents or forming a cycle.
1451 [Override("PartComponent"), Description (
1452 "A policy group aggregated by another policy group.") ]
1453 CIM_IPsecPolicyGroup REF PartComponent;
1454
// Lower value = higher precedence (1 is highest). Ties are not defined.
1455 [Description (
1456 "GroupPriority indicates the ordering to be used "
1457 "when integrating multiple policy groups. Policy groups with "
1458 "lower numbers take precedence over those with higher numbers "
1459 "(i.e., policy 1 has highest precedence).")]
1460 uint16 GroupPriority;
1461 };
1462
1463 // ==================================================================
1464 // IPsecPolicyForSystem
1465 // ==================================================================
// CIM_IPsecPolicyForSystem: binds at most one IPsecPolicyGroup
// (Min(0), Max(1)) to exactly one System (Min(1), Max(1)) - the
// system-wide policy root. Per-interface policy is
// CIM_IPsecPolicyForEndpoint; precedence between the two is not stated
// here.
// NOTE(review): the class Description is missing its closing
// parenthesis after "network device".
1466 [Association, Description (
1467 "IPsecPolicyForSystem associates an IPsec policy with a "
1468 "specific system (e.g., a host or a network device. " ) ]
1469
1470 class CIM_IPsecPolicyForSystem : CIM_Dependency
1471 karl 1.1 {
1472 [Override ("Antecedent"), Min(1), Max(1),
1473 Description ("The System that hosts this IPsecPolicyGroup. " ) ]
1474 CIM_System REF Antecedent;
1475
1476 [Override ("Dependent"), Min(0), Max(1),
1477 Description ("The IPsecPolicyGroup, which contains a set of "
1478 "policies, that are to be applied to the System.") ]
1479 CIM_IPsecPolicyGroup REF Dependent;
1480 };
1481
1482 // ==================================================================
1483 // IPsecPolicyForEndpoint
1484 // ==================================================================
// CIM_IPsecPolicyForEndpoint: binds at most one IPsecPolicyGroup
// (Min (0), Max (1)) to an IPProtocolEndpoint (interface). Unlike
// IPsecPolicyForSystem the Antecedent side carries no cardinality.
1485 [Association, Description (
1486 "IPsecPolicyForEndpoint associates an IPsecPolicyGroup "
1487 "with a specific network interface.") ]
1488
1489 class CIM_IPsecPolicyForEndpoint : CIM_Dependency
1490 {
1491 [Override ("Antecedent"), Description (
1492 karl 1.1 "The IPProtocolEndpoint that identifies an interface "
1493 "to which the IPsecPolicyGroup applies.") ]
1494 CIM_IPProtocolEndpoint REF Antecedent;
1495
1496 [Override ("Dependent"), Min (0), Max (1), Description (
1497 "IPsecPolicyGroup used for the interface.") ]
1498 CIM_IPsecPolicyGroup REF Dependent;
1499 };
1500
1501 // ==================================================================
1502 // RuleForIPsecNegotiation
1503 // ==================================================================
// CIM_RuleForIPsecNegotiation: places an IPsecRule (phase 2) in exactly
// one IPsecPolicyGroup (Min(1), Max(1) on GroupComponent), so rules are
// not shared between groups. Mirror of CIM_RuleForIKENegotiation.
1504 [Association, Aggregation, Description (
1505 "RuleForIPsecNegotiation associates an IPsecRule with the "
1506 "IPsecPolicyGroup that contains it. This is used to contain "
1507 "the phase 2 rules to control IKE negotiation. \n\n"
1508 "ContainingGroup is restricted to a cardinality of 1. This "
1509 "means that the IPsecRule instances are not sharable across "
1510 "multiple policy groups. " ) ]
1511
1512 class CIM_RuleForIPsecNegotiation : CIM_PolicyRuleInPolicyGroup
1513 karl 1.1 {
// The Description calls this end "ContainingGroup"; the property is
// the inherited GroupComponent.
1514 [Aggregate, Override ("GroupComponent"), Min(1), Max(1),
1515 Description (
1516 "An IPsecPolicyGroup that aggregates a set of policy rules. " ) ]
1517 CIM_IPsecPolicyGroup REF GroupComponent;
1518
1519 [Override ("PartComponent"), Description (
1520 "A policy rule aggregated into a set of policy rules, "
1521 "forming an atomic policy group. " ) ]
1522 CIM_IPsecRule REF PartComponent;
1523 };
1524
1525
1526 // ==================================================================
1527 // RuleForIKENegotiation
1528 // ==================================================================
// CIM_RuleForIKENegotiation: places an IKERule (phase 1) in exactly one
// IPsecPolicyGroup (Min(1), Max(1) on GroupComponent). Mirror of
// CIM_RuleForIPsecNegotiation.
1529 [ Association, Aggregation, Description (
1530 "RuleForIKENegotiation associates an IKERule with the "
1531 "IPsecPolicyGroup that contains it. This is used to control "
1532 "phase 1 IKE negotiation. \n\n"
1533 "ContainingGroup is restricted to a cardinality of 1. This "
1534 karl 1.1 "means that the IKERule instances are not sharable across "
1535 "multiple policy groups. " ) ]
1536
1537 class CIM_RuleForIKENegotiation : CIM_PolicyRuleInPolicyGroup
1538 {
// "ContainingGroup" in the Description refers to this GroupComponent.
1539 [Aggregate, Override ("GroupComponent"), Min(1), Max(1),
1540 Description (
1541 "An IPsecPolicyGroup that aggregates a set of policy rules. " ) ]
1542 CIM_IPsecPolicyGroup REF GroupComponent;
1543
1544 [Override ("PartComponent"), Description (
1545 "A policy rule aggregated into a set of policy rules, "
1546 "forming an atomic policy group. " ) ]
1547 CIM_IKERule REF PartComponent;
1548 };
1549
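// ==================================================================
// ContainedProposal
// ==================================================================
// Aggregation holding the ordered list of SAProposals offered by one
// SANegotiationAction. Ordering is carried by the SequenceNumber property
// of the association instance (lower value = preferred by the sender).
// No Min/Max is declared on either end here, so the number of proposals
// per action is not constrained by this class.
[Association, Aggregation, Description (
"ContainedProposal holds the ordered list of SA proposals "
"for a SANegotiationAction. " ) ]

class CIM_ContainedProposal: CIM_PolicyComponent
{
   // Aggregating end: the action whose proposal list this is.
   [Aggregate, Override ("GroupComponent"), Description (
   "SANegotiationAction for this list of proposals. " ) ]
   CIM_SANegotiationAction REF GroupComponent;

   // Aggregated end: one proposal in the action's list.
   [Override ("PartComponent"), Description (
   "SAProposal in this action. " ) ]
   CIM_SAProposal REF PartComponent;

   // Sender-side preference order among the proposals of one action.
   // (Description typo "chosing" corrected to "choosing", matching the
   // wording used by ContainedTransform.)
   [Description (
   "SequenceNumber indicates the ordering to be used when "
   "choosing from among the proposals; lower values are "
   "preferred by the sender. " ) ]
   uint16 SequenceNumber;
};
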
// ==================================================================
// FilterOfSecurityAssociation
// ==================================================================
// Links a SecurityAssociation to the FilterList that acts as its selector.
// Min(1)/Max(1) on the Antecedent means every SecurityAssociation has
// exactly one FilterList; one FilterList may serve many SAs.
[Association, Description (
"FilterOfSecurityAssociation associates a network traffic "
"specification (i.e., a FilterList) with a set of "
"SecurityAssociations to which the filter list applies. " ) ]

class CIM_FilterOfSecurityAssociation : CIM_Dependency
{
   // The traffic selector; exactly one per SA.
   [Override ("Antecedent"), Min(1), Max(1), Description (
   "FilterList describing the traffic to be matched against. " ) ]
   CIM_FilterList REF Antecedent;

   // The SA whose traffic is selected by the FilterList.
   [Override ("Dependent"), Description (
   "SecurityAssociation using the FilterList for its selector. " ) ]
   CIM_SecurityAssociation REF Dependent;
};

// ==================================================================
// IKEUsesCredentialManagementService
// ==================================================================
// Defines the trust set for IKE phase 1: each instance names one
// CredentialManagementService whose issued credentials the IKEService
// accepts. No Min/Max is declared, so an IKEService may trust several
// services. Because each added Antecedent widens the set of issuers
// whose credentials are accepted for peer authentication, changes to
// instances of this association deserve the same review as a change to
// a trust store.
[Association, Description (
"IKEUsesCredentialManagementService defines the set of "
"CredentialManagementService(s) that are trusted sources "
"of credentials for IKE phase 1 negotiations. " ) ]

class CIM_IKEUsesCredentialManagementService : CIM_Dependency
{
   // A trusted issuer of credentials.
   [Override ("Antecedent"), Description (
   "CredentialManagementService trusted for the IKE "
   "negotiation.") ]
   CIM_CredentialManagementService REF Antecedent;

   // The IKE service relying on that issuer.
   [Override ("Dependent"),
   Description (
   "IKEService that is using the credentials issued by the "
   "trusted CredentialManagementService. " ) ]
   CIM_IKEService REF Dependent;
};

// ==================================================================
// TransformOfPreconfiguredAction
// ==================================================================
// Links a PreconfiguredSAAction to the SATransform(s) it applies.
// Min(1)/Max(3) on the Antecedent: one to three transforms per action,
// which the Description explains as one each of AH, ESP and IPCOMP.
[ Association, Description (
"TransformOfPreconfiguredAction defines the transforms used "
"by a preconfigured IPsec action.") ]

class CIM_TransformOfPreconfiguredAction : CIM_Dependency
{
   // The transform(s) the preconfigured action is applied to.
   [Override ("Antecedent"), Min(1), Max(3),
   Description (
   "This defines the type of transform that the Preconfigured "
   "SA Action will be applied to. The cardinality enables an "
   "action to be applied to an AH, an ESP, or an IPCOMP "
   "transform. " ) ]
   CIM_SATransform REF Antecedent;

   // The preconfigured (non-negotiated) action.
   [Override ("Dependent"),
   Description (
   "This defines the Preconfigured IPsec action to be applied "
   "to the AH, ESP, or IPCOMP transform. " ) ]
   CIM_PreconfiguredSAAction REF Dependent;
};

1639 karl 1.1 // ==================================================================
1640 // SAProposalInPolicyRepository
1641 // ==================================================================
1642 [Association, Description (
1643 "SAProposalInPolicyRepository provides the scoping "
1644 "relationship for SAProposals in a PolicyRepository. "
1645 "The SAProposal is weak to the PolicyRepository." ) ]
1646
1647 class CIM_SAProposalInPolicyRepository : CIM_PolicyInSystem
1648 {
1649 [Override ("Antecedent"), Min (1), Max (1), Description (
1650 "This property identifies a PolicyRepository "
1651 "scoping one or more proposals.") ]
1652 CIM_PolicyRepository REF Antecedent;
1653
1654 [Override ("Dependent"), Weak, Description (
1655 "An SAProposal that is in the PolicyRepository.")]
1656 CIM_SAProposal REF Dependent;
1657 };
1658
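// ==================================================================
// SATransformInPolicyRepository
// ==================================================================
// Scoping association: an SATransform lives in exactly one PolicyRepository
// (Min(1)/Max(1) on the Antecedent) and, per the Weak qualifier, is named
// relative to that repository. Mirrors SAProposalInPolicyRepository.
// (Description typo "SATRansforms" corrected to "SATransforms".)
[Association, Description (
"SATransformInPolicyRepository provides the scoping "
"relationship for SATransforms in a PolicyRepository. "
"The SATransform is weak to the PolicyRepository." ) ]

class CIM_SATransformInPolicyRepository : CIM_PolicyInSystem
{
   // The scoping repository; exactly one per transform.
   [Override ("Antecedent"), Min (1), Max (1), Description (
   "This property identifies a PolicyRepository "
   "scoping one or more transforms.") ]
   CIM_PolicyRepository REF Antecedent;

   // The scoped transform (Weak: scoped by the repository).
   [Override ("Dependent"), Weak, Description (
   "An SATransform that is in the PolicyRepository.")]
   CIM_SATransform REF Dependent;
};
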
// ==================================================================
// HostedPeerIdentityTable
// ==================================================================
// Scoping association: a PeerIdentityTable is hosted by exactly one System
// (Min(1)/Max(1) on the Antecedent) and is Weak to it.
[Association, Description ("HostedPeerIdentityTable provides the "
"scoping relationship for PeerIdentityTable entries in a "
"System. The PeerIdentityTable is weak to the System." ) ]

class CIM_HostedPeerIdentityTable: CIM_Dependency
{
   // The hosting System; exactly one per table.
   [Override ("Antecedent"), Min (1), Max (1), Description (
   "This property identifies a System scoping one or more "
   "PeerIdentityTable instances.") ]
   CIM_System REF Antecedent;

   // The hosted table (Weak: scoped by the System).
   [Override ("Dependent"), Weak, Description (
   "A PeerIdentityTable that is in the System.")]
   CIM_PeerIdentityTable REF Dependent;
};

// ==================================================================
// RuleThatGeneratedSA
// ==================================================================
// Records which SARule produced a SecurityAssociation. Min(0)/Max(1) on
// the Antecedent: an SA points back to at most one rule, and may have no
// generating rule at all. Useful for tracing an active SA back to the
// policy that authorised it.
[Association, Description (
"RuleThatGeneratedSA associates a SecurityAssociation with "
"the rule used to generate (or negotiate) it.") ]

class CIM_RuleThatGeneratedSA : CIM_Dependency
{
   // Optional (Min(0)) originating rule; at most one.
   [Override ("Antecedent"), Min (0), Max (1),
   Description ("SARule that led to the SecurityAssociation.") ]
   CIM_SARule REF Antecedent;

   // The resulting SA.
   [Override ("Dependent"),
   Description ("SecurityAssociation created using the rule.") ]
   CIM_SecurityAssociation REF Dependent;
};

// ==================================================================
// TransformOfSecurityAssociation
// ==================================================================
// Links an IPsecSecurityAssociation to the single SATransform it uses
// (Min(1)/Max(1) on the Antecedent). Only the transform identity is
// exposed; the Description explicitly commits that no SA keying material
// is reachable through this association, a property any subclass or
// instrumentation of it should preserve.
[Association, Description (
"TransformOfSecurityAssociation maps an SA with the transform "
"it uses. For security reasons, no keying material of the SA "
"is exposed." ) ]

class CIM_TransformOfSecurityAssociation : CIM_Dependency
{
   // The transform in use; exactly one per SA.
   [Override ("Antecedent"), Min (1), Max (1),
   Description ("Transform of this SA.") ]
   CIM_SATransform REF Antecedent;

   // The SA using the transform.
   [Override ("Dependent"),
   Description ("Security association.") ]
   CIM_IPsecSecurityAssociation REF Dependent;
};

// ==================================================================
// PeerGatewayOfSecurityAssociation
// ==================================================================
// Identifies the PeerGateway at the far end of an SA. Max(1) with no Min
// on the Antecedent: an SA has at most one PeerGateway, and an SA whose
// peer is not a security gateway has none.
[Association, Description (
"PeerGatewayOfSecurityAssociation identifies the PeerGateway "
"of an SA that has a security gateway as the peer.") ]

class CIM_PeerGatewayOfSecurityAssociation : CIM_Dependency
{
   // Optional peer gateway; at most one per SA.
   [Override ("Antecedent"), Max (1),
   Description ("PeerGateway for the SA.") ]
   CIM_PeerGateway REF Antecedent;

   // The SA terminating at that gateway.
   [Override ("Dependent"),
   Description ("Security association with the PeerGateway.") ]
   CIM_IPsecSecurityAssociation REF Dependent;
};

// ==================================================================
// IKEServicePeerGateway
// ==================================================================
// Relates an IKEService to the PeerGateway instances it negotiates with.
// No Min/Max is declared on either end, so one service may reference many
// gateways and one gateway may be referenced by many services.
[Association, Description (
"IKEServicePeerGateway provides the relationship between an "
"IKEService and the list of PeerGateway instances that it "
"uses in negotiating with security gateways.") ]

class CIM_IKEServicePeerGateway : CIM_Dependency
{
   // A gateway known to the service.
   [Override ("Antecedent"),
   Description ("The PeerGateway") ]
   CIM_PeerGateway REF Antecedent;

   // The service that uses the gateway information.
   [Override ("Dependent"), Description (
   "The IKEService that uses information about the "
   "peer gateway.") ]
   CIM_IKEService REF Dependent;
};

// ==================================================================
// IKEServiceForEndpoint
// ==================================================================
// Maps IPProtocolEndpoints to the IKEService that negotiates for them.
// Max(1) with no Min on the Antecedent: an endpoint is served by at most
// one IKEService, and may have none ("if any" in the Description).
[Association, Description (
"IKEServiceForEndpoint provides the relationship "
"showing which IKE service, if any, provides IKE "
"negotiation services for which network interfaces.") ]

class CIM_IKEServiceForEndpoint : CIM_Dependency
{
   // The (at most one) service negotiating for the endpoint.
   [Override ("Antecedent"), Max (1),
   Description ("The IKEService that performs IKE negotiation "
   "for the IPProtocolEndpoint.") ]
   CIM_IKEService REF Antecedent;

   // The endpoint being served.
   [Override ("Dependent"),
   Description ("IPProtocolEndpoint for which services are "
   "provided.") ]
   CIM_IPProtocolEndpoint REF Dependent;
};

// ==================================================================
// IKEServicePeerIdentityTable
// ==================================================================
// Relates an IKEService to the PeerIdentityTable it consults to map peer
// addresses to identities. No Min/Max is declared on either end.
[Association, Description (
"IKEServicePeerIdentityTable provides the relationship "
"between an IKEService and a PeerIdentityTable that it "
"uses to map between addresses and identities where "
"required.") ]

class CIM_IKEServicePeerIdentityTable: CIM_Dependency
{
   // The address-to-identity table.
   [Override ("Antecedent"),
   Description ("The PeerIdentityTable.") ]
   CIM_PeerIdentityTable REF Antecedent;

   // The service consulting the table.
   [Override ("Dependent"),
   Description ("The IKEService that uses the table.") ]
   CIM_IKEService REF Dependent;
};

// ==================================================================
// IKESAUsedForPhase2
// ==================================================================
// Ties a phase 2 (IPsec) SA to the phase 1 (IKE) SA under whose protection
// it was negotiated. Max(1) with no Min on the Antecedent: at most one
// protecting phase 1 SA is recorded, and a phase 2 SA with none recorded
// is representable.
[Association, Description (
"IKESAUsedForPhase2 associates a phase 1 "
"IKESecurityAssociation with an "
"IPsecSecurityAssociation that was negotiated using "
"that Phase 1 SA.") ]

class CIM_IKESAUsedForPhase2 : CIM_Dependency
{
   // The protecting phase 1 SA; at most one.
   [Override ("Antecedent"), Max (1), Description (
   "Phase 1 SA that protected the negotiation of "
   "the Phase 2 SA.") ]
   CIM_IKESecurityAssociation REF Antecedent;

   // The resulting phase 2 SA.
   [Override ("Dependent"), Description (
   "Phase 2 SA.") ]
   CIM_IPsecSecurityAssociation REF Dependent;
};

// ==================================================================
// PeerCredential
// ==================================================================
// Records which Credential the remote peer presented for an IKE (phase 1)
// SA. Max(1) on the Antecedent: at most one peer Credential per IKE SA.
// This is the link an auditor would follow to learn which peer identity
// a given IKE SA was established with.
[Association, Description (
"PeerCredential is an association that identifies the "
"credential of the peer corresponding to an IKE SA.") ]

class CIM_PeerCredential : CIM_Dependency
{
   // The peer's credential; at most one per SA.
   [Override ("Antecedent"), Max (1),
   Description ("Credential of the peer.") ]
   CIM_Credential REF Antecedent;

   // The IKE SA established with that peer.
   [Override ("Dependent"),
   Description ("Phase 1 SA for this peer.") ]
   CIM_IKESecurityAssociation REF Dependent;
};

// ==================================================================
// IPProtocolEndpointsProtectionSuite
// ==================================================================
// Scoping association: an IPsecProtectionSuite belongs to exactly one
// IPProtocolEndpoint (Min(1)/Max(1) on the Antecedent) and is Weak to it.
[Association, Description (
"IPProtocolEndpointsProtectionSuite provides the "
"relationship between an IPsecProtectionSuite and the scoping "
"IPProtocolEndpoint for which the set of related SAs provide "
"traffic protection. The IPsecProtectionSuite is weak to its "
"IPProtocolEndpoint.") ]

class CIM_IPProtocolEndpointsProtectionSuite: CIM_Dependency
{
   // The protected endpoint; exactly one per suite.
   [Override ("Antecedent"), Min (1), Max (1),
   Description (
   "An IPProtocolEndpoint for which protection is provided.") ]
   CIM_IPProtocolEndpoint REF Antecedent;

   // The suite of SAs protecting the endpoint (Weak: scoped by it).
   [Override ("Dependent"), Weak, Description (
   "A protection suite.") ]
   CIM_IPsecProtectionSuite REF Dependent;
};

// ==================================================================
// SecurityAssociationBindsTo
// ==================================================================
// Specialisation of CIM_BindsTo: an active SecurityAssociation is bound to
// exactly one IPProtocolEndpoint (Min(1)/Max(1) on the Antecedent).
[Association, Description (
"SecurityAssociationBindsTo associates an IPProtocolEndpoint "
"with an active SecurityAssociation on that endpoint.") ]

class CIM_SecurityAssociationBindsTo : CIM_BindsTo
{
   // The interface the SA is active on; exactly one per SA.
   [Override ("Antecedent"), Min (1), Max (1),
   Description (
   "IPProtocolEndpoint representing the network "
   "interface on which an SA is active." ) ]
   CIM_IPProtocolEndpoint REF Antecedent;

   // The active SA.
   [Override ("Dependent"), Description (
   "Security association on the endpoint." ) ]
   CIM_SecurityAssociation REF Dependent;
};

// ==================================================================
// ProvidesSA
// ==================================================================
// Specialisation of CIM_ProvidesEndpoint: the IKEService that negotiated
// and manages a SecurityAssociation. Max(1) on the Antecedent: at most one
// providing service per SA.
[Association, Description (
"ProvidesSA represents the relationship between an "
"IKEService that provides the negotiation functions "
"and manages the associated security association." ) ]

class CIM_ProvidesSA: CIM_ProvidesEndpoint
{
   // The managing service; at most one per SA.
   [Override ("Antecedent"), Max (1), Description (
   "The IKEService that provides the SA.")]
   CIM_IKEService REF Antecedent;

   // The managed SA.
   [Override ("Dependent"), Description (
   "Security association provided by the service.") ]
   CIM_SecurityAssociation REF Dependent;
};

// ==================================================================
// IKEIdentitysCredential
// ==================================================================
// Specialisation of CIM_UsersCredential for the local side: which
// Credentials back which local IKEIdentity. No Min/Max is declared here.
// Compare PeerCredential, which records the remote peer's credential.
[Association, Description (
"IKEIdentitysCredential is an association that "
"relates a set of credentials to their "
"corresponding local IKE Identities." ) ]

class CIM_IKEIdentitysCredential : CIM_UsersCredential
{
   // A credential usable by the local identity.
   [Override ("Antecedent"), Description (
   "Credential of the Identity.") ]
   CIM_Credential REF Antecedent;

   // The local IKE identity.
   [Override ("Dependent"), Description (
   "Identity associated with the credential.") ]
   CIM_IKEIdentity REF Dependent;
};

1933 karl 1.1 // ==================================================================
1934 // EndpointHasLocalIKEIdentity
1935 // ==================================================================
1936 [Association, Description (
1937 "EndpointHasLocalIKEIdentity associates an "
1938 "IPProtocolEndpoint with a set of IKE "
1939 "Identities for that may be used in negotiating "
1940 "SAs on the endpoint. " ) ]
1941
1942 class CIM_EndpointHasLocalIKEIdentity : CIM_ElementAsUser
1943 {
1944 [Override ("Antecedent"), Max (1), Description (
1945 "IPProtocolEndpoint that has an IKE identity.") ]
1946 CIM_IPProtocolEndpoint REF Antecedent;
1947
1948 [Override ("Dependent"), Description (
1949 "An IKE Identity for the endpoint.") ]
1950 CIM_IKEIdentity REF Dependent;
1951 };
1952
// ==================================================================
// CollectionHasLocalIKEIdentity
// ==================================================================
// Specialisation of CIM_ElementAsUser: the local IKE identities available
// to a Collection of IPProtocolEndpoints. Max(1) on the Antecedent: an
// IKEIdentity is attached to at most one Collection. Counterpart of
// EndpointHasLocalIKEIdentity for the per-endpoint case.
[Association, Description (
"CollectionHasLocalIKEIdentity associates a Collection "
"of IPProtocolEndpoints with a set of IKE Identities "
"that may be used in negotiating SAs for "
"these endpoints.") ]

class CIM_CollectionHasLocalIKEIdentity : CIM_ElementAsUser
{
   // The endpoint collection; at most one per identity.
   [Override ("Antecedent"), Max (1), Description (
   "Collection that has an Identity.") ]
   CIM_Collection REF Antecedent;

   // A local identity usable for the collection.
   [Override ("Dependent"), Description (
   "IKE Identity used for the Collection.") ]
   CIM_IKEIdentity REF Dependent;
};

// ==================================================================
// ContainedTransform
// ==================================================================
// Aggregation of SATransforms into an IPsecProposal. Per the Description,
// transforms of the same type are alternatives (OR) and sets of different
// types are all required (AND). Min(1) on PartComponent: every proposal
// aggregates at least one transform. SequenceNumber orders the
// alternatives by sender preference (lower first).
// NOTE(review): the class is named CIM_IPsecContainedTransform while the
// header above and the Description both say "ContainedTransform"; the
// class name is the one that is normative for instances.
[Association, Aggregation, Description (
"ContainedTransform associates a proposal with its set "
"of transforms. If multiple transforms of a given type are "
"in a given proposal, these transforms are interpreted as "
"alternatives -- logically ORed with each other. Sets of "
"transforms of different types are logically ANDed. For "
"example, a proposal aggregating two AH transforms and three "
"ESP transforms means one of the AH transforms must be chosen "
"AND one of the ESP transforms must be chosen.") ]

class CIM_IPsecContainedTransform : CIM_PolicyComponent
{
   // Aggregating end: the proposal.
   [Aggregate, Override ("GroupComponent"), Description (
   "Proposal containing transforms.") ]
   CIM_IPsecProposal REF GroupComponent;

   // Aggregated end: at least one transform per proposal.
   [Override ("PartComponent"), Min (1), Description (
   "Transforms in the proposal.") ]
   CIM_SATransform REF PartComponent;

   // Sender-side preference order among the transforms of one proposal.
   [Description (
   "SequenceNumber indicates the ordering to be used when "
   "choosing from among the transforms; lower values are "
   "preferred by the sender.")]
   uint16 SequenceNumber;
};

// ==================================================================
// ContainedSA
// ==================================================================
// Aggregation of the IPsecSecurityAssociations forming one protection
// suite. Cardinalities follow the Description: SAs come in send/receive
// pairs for up to three types (AH, ESP, IPCOMP), hence Min(2)/Max(6) on
// Member; each SA belongs to exactly one suite (Min(1)/Max(1) on
// Collection).
[Association, Aggregation, Description (
"ContainedSA associates a protection suite with its member "
"IPsec security associations. Security associations are "
"contained in sending/receiving pairs and there may be any or "
"all of an AH pair, ESP pair or an IPCOMP pair of SAs.") ]

class CIM_ContainedSA : CIM_MemberOfCollection
{
   // The suite; exactly one per SA.
   [Aggregate, Override ("Collection"), Min (1), Max (1),
   Description (
   "Protection suite.") ]
   CIM_IPsecProtectionSuite REF Collection;

   // Member SAs: one to three send/receive pairs.
   [Override ("Member"), Min (2), Max (6), Description (
   "Contained SAs.") ]
   CIM_IPsecSecurityAssociation REF Member;
};

// ==================================================================
// PeerIdentityMember
// ==================================================================
// Weak aggregation of PeerIdentityEntry instances into a PeerIdentityTable.
// Min(1)/Max(1) on Collection: each entry belongs to exactly one table and
// (Weak) is named relative to it.
[Association, Aggregation, Description (
"PeerIdentityMember aggregates PeerIdentityEntry "
"instances into a PeerIdentityTable. This is a "
"weak aggregation.") ]

class CIM_PeerIdentityMember : CIM_MemberOfCollection
{
   // The owning table; exactly one per entry.
   [Aggregate, Override ("Collection"), Min (1), Max (1),
   Description (
   "Aggregating PeerIdentityTable.") ]
   CIM_PeerIdentityTable REF Collection;

   // An entry of the table (Weak: scoped by the table).
   [Override ("Member"), Weak, Description (
   "Table entry") ]
   CIM_PeerIdentityEntry REF Member;
};

// ==================================================================
// PeerGatewayForTunnel
// ==================================================================
// Names the PeerGateway an IPsecTunnelAction tunnels to. No Min/Max is
// declared on either end. SequenceNumber on this association orders the
// IPsecTunnelAction instances of one rule (lower evaluated first), not
// the gateways themselves.
// NOTE(review): the Antecedent Description says "PeerGateway for the SA."
// although the Dependent here is an IPsecTunnelAction, not an SA.
[Association, Description (
"PeerGatewayForTunnel identifies the PeerGateway to be used "
"in constructing a tunnel. " ) ]

class CIM_PeerGatewayForTunnel : CIM_Dependency
{
   // The tunnel's far-end gateway.
   [Override ("Antecedent"), Description (
   "PeerGateway for the SA. " ) ]
   CIM_PeerGateway REF Antecedent;

   // The tunnel action that needs the gateway.
   [Override ("Dependent"), Description (
   "IPsecTunnelAction that requires a PeerGateway. " ) ]
   CIM_IPsecTunnelAction REF Dependent;

   // Evaluation order of tunnel actions within a rule; lower first.
   [Description ("SequenceNumber indicates the ordering "
   "to be used when evaluating IPsecTunnelAction "
   "instances for a given rule. Lower values are "
   "evaluated first. " ) ]
   uint16 SequenceNumber;
};

// ==================================================================
// HostedPeerGatewayInformation
// ==================================================================
// Scoping association: PeerGateway information is hosted by exactly one
// System (Min(1)/Max(1) on the Antecedent) and is Weak to it.
[Association, Description (
"HostedPeerGatewayInformation provides the scoping "
"association for PeerGateway information used by IKE "
"services to identify PeerGateways used in a policy." ) ]

class CIM_HostedPeerGatewayInformation : CIM_Dependency
{
   // The hosting System; exactly one per PeerGateway.
   [Override ("Antecedent"), Min (1), Max (1),
   Description (
   "Scoping System.") ]
   CIM_System REF Antecedent;

   // The hosted gateway information (Weak: scoped by the System).
   [Override ("Dependent"), Weak, Description (
   "PeerGateway.") ]
   CIM_PeerGateway REF Dependent;
};

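// ==================================================================
// IKEAutostartConfiguration
// ==================================================================
// Relates an IKEService to an AutostartIKEConfiguration (a set of
// AutostartIKESettings) it can use to start SAs automatically. The Active
// flag lives on the association instance, so it marks which configuration
// set is in force for that particular IKEService at boot. No Min/Max is
// declared on either end.
// (Description typo "negotitations" corrected to "negotiations".)
[Association, Description ("IKEAutostartConfiguration "
"provides the relationship between an IKEService and a "
"configuration set that it uses to automatically start a set "
"of SAs.")]
class CIM_IKEAutostartConfiguration: CIM_Dependency
{
   // The configuration set.
   [Override ("Antecedent"),
   Description ("The configuration used.") ]
   CIM_AutostartIKEConfiguration REF Antecedent;

   // The service that autostarts from it.
   [Override ("Dependent"),
   Description ("The IKEService that uses the configuration.") ]
   CIM_IKEService REF Dependent;

   // Whether this configuration set is the one used at boot for the
   // associated IKEService.
   [Description ("Active indicates whether the configuration set "
   "is currently active for the associated IKEService. That is, "
   "at boot time, the active configuration is used to autostart "
   "IKE negotiations.")]
   boolean Active;
};
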
// ==================================================================
// IKEAutostartSetting
// ==================================================================
// Specialisation of CIM_ElementSetting: an individual AutostartIKESetting
// applied to an IKEService. No Min/Max is declared on either end.
[Association, Description ("IKEAutostartSetting associates an "
"IKEService and an AutostartIKESetting that it uses to "
"automatically start negotiating one or more SAs.") ]
class CIM_IKEAutostartSetting : CIM_ElementSetting
{
   // The service the setting applies to.
   [Override ("Element"),
   Description ("IKEService that uses the setting.") ]
   CIM_IKEService REF Element;

   // What to negotiate on autostart.
   [Override ("Setting"), Description ("Setting that tells the "
   "IKEService what to negotiate.") ]
   CIM_AutostartIKESetting REF Setting;
};

// ==================================================================
// AutostartIKESettingContext
// ==================================================================
// Aggregation of AutostartIKESettings into an AutostartIKEConfiguration.
// SequenceNumber on the association instance controls start order:
// 0 = order-insensitive (may run in parallel); any other value runs in
// ascending order, with ties treated as order-insensitive among
// themselves. No Min/Max is declared on either end.
[Association, Aggregation, Description (
"AutostartIKESettingContext aggregates the settings used to "
"autostart SA negotiations into a configuration set.") ]
class CIM_AutostartIKESettingContext : CIM_SystemSettingContext
{
   // Aggregating end: the configuration set.
   [Aggregate, Override ("Context"),
   Description ("A configuration set.") ]
   CIM_AutostartIKEConfiguration REF Context;

   // Aggregated end: one setting in the set.
   [Override ("Setting"), Description ("A setting that is part "
   "of the configuration set.") ]
   CIM_AutostartIKESetting REF Setting;

   // Start order; see the Description for the meaning of 0 and of ties.
   [Description ("SequenceNumber indicates the ordering to be "
   "used when starting negotiations. A zero value indicates "
   "that order is not significant and settings may be applied in "
   "parallel with other settings. All other settings in the "
   "configuration are executed in sequence from lower values to "
   "high. Sequence numbers need not be unique in an "
   "AutostartIKEConfiguration and order is not significant for "
   "settings with the same sequence number.")]
   uint16 SequenceNumber;
};

// ===================================================================
// end of file
// ===================================================================
|