
File: [Pegasus] / pegasus / Schemas / CIM25 / Attic / CIM_Network25_Add.mof (download)
Revision: 1.2, Thu Dec 13 14:53:12 2001 UTC (22 years, 5 months ago) by mike
Branch: MAIN
CVS Tags: TASK-PEP362_RestfulService-merged_out_from_trunk, TASK-PEP348_SCMO-merged_out_from_trunk, TASK-PEP317_pullop-merged_out_from_trunk, TASK-PEP317_pullop-merged_in_to_trunk, TASK-PEP311_WSMan-root, TASK-PEP311_WSMan-branch, RELEASE_2_5_0-RC1, HPUX_TEST, HEAD
Changes since 1.1: +0 -0 lines
FILE REMOVED
Merged dev branch into main trunk.

// ===================================================================
// Title:       Network MOF Specification 2.5
// Filename:    CIM_IPsec25.mof
// Version:     2.5
// Release:     0
// Date:        01/11/2001
// Editors:     Victor Lortz, Lee Rafalow, John Strassner
// Authors:     DMTF Network Working Group
//
// NEW FOR THE 2.5 RELEASE:
//
// Description: These object classes define the IPsec policy model
//              for CIM and include the classes needed to represent
//              IKE proposals, IPsec conditions and actions, and
//              security associations.
//
//              The object classes below are listed in an order that
//              avoids forward references. Required objects, defined 
//		    by other working groups, are omitted.
//
// Currently, this MOF is in the file CIM_IPsec25.mof. This is because
// AdminDomain needs to move to Core, and IPsec depends on Core,
// Network, System, and Policy. So we have a forward referencing
// problem that is solved by making this a separate file. This will be
// fixed in CR???, which does move AdminDomain into core.
//
// ===================================================================
// Generic Pragmas
// ===================================================================

#pragma Locale ("en_US")

// ==================================================================
// CIM_SACondition
//   Marker subclass of CIM_PolicyCondition; it declares no properties
//   of its own. Filters and credential sources are attached through
//   the associations named in the Description, none of which are
//   declared inside this class.
// ==================================================================
[Description (
    "SACondition defines the conditions of rules for IKE or "
    "IPsec negotiations. Conditions are associated with policy "
    "rules via the SAConditionInRule aggregation. It is used as "
    "an anchor point to associate various types of filters with "
    "policy rules via the FilterOfSACondition association. It "
    "also defines whether Credentials can be accepted for a "
    "particular policy rule via the AcceptCredentialsFrom "
    "association. ")]
class CIM_SACondition : CIM_PolicyCondition
{
};

// ==================================================================
// CIM_CredentialFilterEntry
//   Filter entry that selects IKE peers by a field of the credential
//   they present. MatchFieldName and MatchFieldValue point at each
//   other through ModelCorrespondence and are read as a pair;
//   CredentialType says which kind of credential is inspected.
//
//   NOTE(review): neither Description states how MatchFieldValue is
//   compared (exact, case-folded, pattern). A consumer should pin that
//   rule down so a filter cannot accept more peers than the policy
//   author intended.
// ==================================================================
[Description (
    "A CredentialFilterEntry is used to define an equivalence "
    "class that match credentials of IKE peers. Each "
    "CredentialFilterEntry includes a MatchFieldName that is "
    "interpreted according to the CredentialManagementService(s) "
    "associated with the SACondition via the AcceptCredentialsFrom "
    "association. These credentials can be X.509 certificates, "
    "Kerberos tickets, or other types of credentials obtained "
    "during the Phase 1 exchange. ")]
class CIM_CredentialFilterEntry : CIM_FilterEntryBase
{
    // Name of the credential sub-field to inspect.
    [Description (
        "MatchFieldName specifies the sub-part of the credential to "
        "match against MatchFieldValue."),
     ModelCorrespondence {
        "CIM_CredentialFilterEntry.MatchFieldValue" }]
    string MatchFieldName;

    // Value the named sub-field is compared with.
    [Description (
        "MatchFieldValue specifies the value to compare with the "
        "MatchFieldName in a credential to determine if the credential "
        "matches this filter entry."),
     ModelCorrespondence {
        "CIM_CredentialFilterEntry.MatchFieldName" }]
    string MatchFieldValue;

    // ValueMap and Values pair by position:
    // 1 = X.509 Certificate, 2 = Kerberos Ticket.
    [Description (
        "CredentialType is an enumerated 16-bit unsigned integer that "
        "is used to specify the particular type of credential that is "
        "being matched. "),
     ValueMap { "1", "2" },
     Values { "X.509 Certificate", "Kerberos Ticket" }]
    uint16 CredentialType;
};

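// ==================================================================
// CIM_IPSOFilterEntry
//   Filter entry keyed on the IP Security Option fields of RFC1108.
//   MatchConditionType selects which field is tested and
//   MatchConditionValue carries the number to test for.
//
//   The class Description now closes the parenthesis it opens at
//   "(e.g.,".
//
//   NOTE(review): MatchConditionValue has no ValueMap; its permitted
//   numbers appear only in the Description text, so nothing in the
//   schema rejects other values. A consumer that maps IPSO levels to
//   an encryption level should validate the number against the list
//   for the selected MatchConditionType and refuse anything else.
// ==================================================================
[Description (
    "An IPSOFilterEntry is used to match traffic based on the "
    "IP Security Options header values (ClassificationLevel "
    "and ProtectionAuthority) as defined in RFC1108. This type "
    "of FilterEntry is used to adjust the IPsec encryption level "
    "according to the IPSO classification of the traffic (e.g., "
    "secret, confidential, restricted, etc.).")]
class CIM_IPSOFilterEntry : CIM_FilterEntryBase
{
    // ValueMap and Values pair by position:
    // 1 = ClassificationLevel, 2 = ProtectionAuthority.
    [Description (
        "MatchConditionType specifies whether to match based on "
        "traffic classification level or protection authority."),
     ValueMap { "1", "2"},
     Values {"ClassificationLevel", "ProtectionAuthority" },
     ModelCorrespondence {
        "CIM_IPSOFilterEntry.MatchConditionValue" }]
    uint16 MatchConditionType;

    // Interpreted according to MatchConditionType; see the two value
    // lists inside the Description.
    [Description (
        "This is the value of the IPSO field type.  For "
        "ClassificationLevel, the values are:\n"
        "61=TopSecret, 90=Secret, 150=Confidential, "
        "171=Unclassified.\n"
        "\n"
        "For ProtectionAuthority, the values are:\n"
        "0=GENSER, 1=SIOP-ESI, 2=SCI, 3=NSA, 4=DOE."),
     ModelCorrespondence {
        "CIM_IPSOFilterEntry.MatchConditionType" }]
    uint16 MatchConditionValue;
};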

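// ==================================================================
// CIM_PeerIDPayloadFilterEntry
//   Filter entry that matches the ID payload an IKE peer sends.
//   MatchIdentityType names the identity encoding and
//   MatchIdentityValue holds the value (or pattern) to compare with.
//
//   Two typos in the Description strings are corrected: "indentity"
//   and "e,g,".
//
//   NOTE(review): the Description shows a wildcard value
//   ("*@company.com") but the schema does not define the wildcard
//   grammar, anchoring or case rules. It also requires DN values to be
//   converted to DER before comparison. Implementations should fix
//   both the pattern semantics and the canonical encoding, otherwise
//   two enforcement points can disagree on which peers a filter
//   admits.
// ==================================================================
[Description (
    "PeerIDPayloadFilterEntry defines filters used to match ID "
    "payload values from the IKE protocol exchange.")]
class CIM_PeerIDPayloadFilterEntry : CIM_FilterEntryBase
{
    // ValueMap and Values pair by position, 1 = IPV4_ADDR through
    // 11 = KEY_ID.
    [Description (
        "MatchIdentityType specifies the type of identity provided by "
        "the peer in the ID payload."),
     ValueMap
        {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
     Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
        "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
        "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
     ModelCorrespondence {
        "CIM_PeerIDPayloadFilterEntry.MatchIdentityValue" }]
    uint16 MatchIdentityType;

    // Stored as a string whatever the identity type; conversion to the
    // wire form is left to the consumer, per the Description.
    [Description (
        "MatchIdentityValue is the filter value for comparison with "
        "the ID payload, e.g., \"*@company.com\". The syntax may need "
        "to be converted for comparison.  For example, if the type "
        "of identity is a distinguished name, \"DER_ASN1_DN,\" the "
        "MatchIdentityValue is represented by a DN string value "
        "and this value must be converted into a DER-encoded string "
        "before it can be matched against the values extracted from "
        "IKE ID payloads at runtime (or vice-versa). "),
     ModelCorrespondence {
        "CIM_PeerIDPayloadFilterEntry.MatchIdentityType" }]
    string MatchIdentityValue;
};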


// ==================================================================
// CIM_IPsecPolicyGroup
//   Container for the rules that make up one IPsec policy. The class
//   adds no properties to CIM_PolicyGroup; scoping and nesting are
//   expressed by the associations and aggregations named in the
//   Description, which are not declared in this class.
// ==================================================================
[Description (
    "IPsecPolicyGroup aggregates the set of rules of an IPsec "
    "policy. These rules are defined as being weak to a System "
    "via the PolicyGroupInSystem association. IPsecPolicyGroup "
    "is used to anchor four rule collections. The two "
    "associations IPsecPolicyForSystem and IPsecPolicyForEndpoint "
    "are used to define the System and IPProtocolEndpoints that "
    "a particular IPsecPolicyGroup is associated with. Examples "
    "of a System and an IPProtocolEndpoint are a router and a "
    "router interface, respectively. \n\n"
    "Two aggregations are also defined for this class. The "
    "RuleForIKENegotiation contains the phase 1 IKE negotiations "
    "that will be used, while the RuleForIPsecNegotiation "
    "contains the rules for phase 2 IKE negotiations. \n\n"
    "Finally, the IPsecPolicyGroupInPolicyGroup recursive "
    "aggregation is used to define a nested group of IPsec "
    "policy groups, with each IPsec policy group containing "
    "one or more rules. This may be used to mirror the "
    "administrative nature of how IPsec is applied to various "
    "entities in the managed environment. ")]
class CIM_IPsecPolicyGroup: CIM_PolicyGroup
{
};

// ==================================================================
// CIM_SARule
//   Common parent of the IKE and IPsec rule classes. Its only own
//   property, LimitNegotiation, restricts the negotiation role in
//   which the rule may be used.
//
//   NOTE(review): the Description requires rules in a group to carry
//   unique priority numbers, but nothing in this class enforces that;
//   a consumer should reject duplicates rather than pick an order
//   silently, since rule order decides which action a packet gets.
// ==================================================================
[Description (
    "SARule is a base class for defining IKE and IPsec Rules. "
    "Although concrete, it is not intended to be instantiated. "
    "It defines a common anchor point for defining associations "
    "and aggregations to conditions, actions, and security "
    "associations (SAs) for both types of rules.  Each valid "
    "IPsecPolicyGroup must contain SARule that each have a "
    "unique priority number (inherited from PolicyRule). ")]
class CIM_SARule: CIM_PolicyRule
{
    // ValueMap and Values pair by position:
    // 1 = Initiator-only, 2 = Responder-Only, 3 = Either.
    [Description (
        "LimitNegotiation is used as part of processing either an "
        "IKE or an IPsec rule. Before proceeding with either a "
        "phase 1 or a phase 2 negotiation, this property "
        "is checked to determine if the negotiation role of the rule "
        "matches that defined for the negotiation being undertaken "
        "(e.g., Initiator, Responder, or Both). If this check fails, "
        "then the IKE negotiation is stopped. Note that this only "
        "applies to new IKE negotiations and has no effect on either "
        "renegotiation or refresh operations with peers for which "
        "an established SA already exists. "),
     ValueMap { "1", "2", "3" },
     Values { "Initiator-only", "Responder-Only", "Either"}]
    uint16 LimitNegotiation;
};

// ==================================================================
// CIM_IKERule
//   Rule for IKE phase 1. Adds IdentityContexts, which together with
//   IKEAction.UseIKEIdentityType selects the local IKEIdentity to
//   present on the protected endpoint.
//
//   NOTE(review): the Description calls each string an ANDed list and
//   the array elements ORed, but does not say how the values inside
//   one string are delimited - confirm against the CIM_IKEIdentity
//   definition before implementing the match.
// ==================================================================
[Description (
    "IKERule contains the Conditions and Actions for IKE phase 1 "
    "negotiations. The conditions and actions are contained in "
    "one or more IPsecPolicyGroup classes. ")]
class CIM_IKERule : CIM_SARule
{
    // Array property; corresponds to CIM_IKEIdentity.IdentityContexts.
    [Description (
        "IdentityContexts is a string array that corresponds to an "
        "ANDed list of values. If multiple strings exist, then they "
        "are to be logically ORed with each other. This property is "
        "used to establish a phase 1 IKE SA by using this property "
        "in conjunction with the UseIKEIdentityType property in the "
        "corresponding IKEAction. These two properties are then "
        "used to find an appropriate IKEIdentity object for use on "
        "the protected IPProtocolEndpoint."),
     ModelCorrespondence { "CIM_IKEIdentity.IdentityContexts" }]
    string IdentityContexts [];
};

// ==================================================================
// CIM_IPsecRule
//   Rule for phase 2 negotiations. Declares no properties beyond
//   those inherited from CIM_SARule.
// ==================================================================
[Description (
    "IPsecRule contains the Conditions and Actions for phase 2 "
    "negotiations. The conditions and actions are contained in "
    "one or more IPsecPolicyGroup classes. ")]
class CIM_IPsecRule : CIM_SARule
{
};

// ==================================================================
// CIM_SAAction
//   Parent of every IKE/IPsec action class. It contributes the two
//   logging switches below and nothing else.
//
//   NOTE(review): both switches are plain booleans. The schema does
//   not say where the messages go or what they contain, so an auditor
//   relying on them should confirm the destination and content with
//   the implementation. Per-packet logging (DoPacketLogging) can be
//   high-volume on a busy rule.
// ==================================================================
[Description (
    "SAAction is the base class for the various types of IKE or "
    "IPsec actions and, although concrete, it is not intended to "
    "be instantiated.  It is used for aggregating different "
    "types of actions to IKE and IPsec rules. ")]
class CIM_SAAction : CIM_PolicyAction
{
    // One message per time the action is performed.
    [Description (
        "DoActionLogging causes a log message to be generated when the "
        "action is performed. ")]
    boolean DoActionLogging;

    // One message per packet the action is applied to.
    [Description (
        "DoPacketLogging causes a log message to be generated when the "
        "action is applied to a packet. ")]
    boolean DoPacketLogging;
};


// ==================================================================
// CIM_SAStaticAction
//   Parent of the actions that need no negotiation (preconfigured,
//   bypass, discard, reject). Adds a single lifetime in seconds.
//
//   NOTE(review): 0 is defined as "infinite lifetime". For subclasses
//   that install fixed keys this means the SA is never aged out by
//   time; reviewers should treat a 0 here as a deliberate choice that
//   needs justification.
// ==================================================================
[Description (
    "SAStaticAction is the base class for both IKE as well as "
    "IPsec actions that require no negotiation. Although this "
    "class is concrete, it is not intended to be instantiated. ")]
class CIM_SAStaticAction : CIM_SAAction
{
    // Seconds; 0 means no time limit.
    [Description (
        "LifetimeSeconds specifies how long the SA derived from this "
        "action should be used.  A value of 0 means infinite "
        "lifetime. A non-zero value is typically used when the "
        "negotiation fails. "),
     Units ("Seconds")]
    uint32 LifetimeSeconds;
};

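// ==================================================================
// CIM_PreconfiguredSAAction
//   Parent of the actions that create SAs from fixed, manually
//   configured algorithms and keys. The SPI is carried on the
//   TransformOfPreconfiguredAction association, not in this class.
//
//   The class Description's subject/verb agreement is corrected
//   ("Subclasses ... are used").
//
//   NOTE(review): because nothing is negotiated, keys change only when
//   an administrator changes them. Combined with the inherited
//   LifetimeSeconds, where 0 means infinite, an instance can describe
//   an SA that is never rekeyed; at least one of the two lifetimes
//   should be set. ProtocolType is a free-form string with no
//   ValueMap, and LifetimeKilobytes carries no Units qualifier, so a
//   consumer has to validate both itself.
// ==================================================================
[Description (
    "Subclasses of PreconfiguredSAAction are used to create SAs "
    "using preconfigured, hard-wired algorithms and keys. No "
    "negotiation is necessary. Note that the SPI for a "
    "preconfigured SA action is contained in the association, "
    "TransformOfPreconfiguredAction. ")]
class CIM_PreconfiguredSAAction : CIM_SAStaticAction
{
    // Free-form; the schema does not enumerate the permitted values.
    [Description (
        "ProtocolType defines the type of protocol being used by "
        "this static action. ")]
    string ProtocolType;

    // Traffic-volume limit after which the SA is deleted.
    [Description (
        "LifetimeKilobytes defines a traffic limit in kilobytes "
        "that can be consumed before the SA is deleted. ")]
    uint32 LifetimeKilobytes;
};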

// ==================================================================
// CIM_PreconfiguredTransportAction
//   Transport-mode variant of the preconfigured (manually keyed)
//   action. Declares no properties of its own.
// ==================================================================
[Description (
    "PreconfiguredTransportAction is used to create Transport SAs "
    "using preconfigured, hard-wired algorithms and keys. No "
    "negotiation is necessary. Note that the SPI for a "
    "preconfigured SA action is contained in the association, "
    "TransformOfPreconfiguredAction. ")]
class CIM_PreconfiguredTransportAction : CIM_PreconfiguredSAAction
{
};

// ==================================================================
// CIM_PreconfiguredTunnelAction
//   Tunnel-mode variant of the preconfigured (manually keyed) action.
//   Carries the address of the peer security gateway as a type/value
//   pair; both properties are NULL when the peer is not a gateway.
//
//   NOTE(review): PeerGatewayAddress is a string whose format depends
//   on PeerGatewayAddressType. A consumer should parse it strictly
//   for the declared family and reject a value whose form does not
//   match the type.
// ==================================================================
[Description (
    "PreconfiguredTunnelAction is used to create Tunnel SAs using "
    "preconfigured, hard-wired algorithms and keys. No "
    "negotiation is necessary. Note that the SPI for a "
    "preconfigured SA action is contained in the association, "
    "TransformOfPreconfiguredAction. The PeerGateway address "
    "information is provided when the tunnel peer is a security "
    "gateway.")]
class CIM_PreconfiguredTunnelAction : CIM_PreconfiguredSAAction
{
    // ValueMap and Values pair by position:
    // 0 = Unknown, 1 = IPv4, 2 = IPv6.
    [Description (
        "An enumeration that describes the format of the "
        "PeerGatewayAddress property. Addresses that can be formatted "
        "in IPv4 format, must be formatted that way to ensure mixed "
        "IPv4/IPv6 support. When the tunnel peer is not a security "
        "gateway, this property value is set to NULL."),
     ValueMap { "0", "1", "2" },
     Values { "Unknown", "IPv4", "IPv6" },
     ModelCorrespondence {
        "CIM_PreconfiguredTunnelAction.PeerGatewayAddress" }]
    uint16 PeerGatewayAddressType;

    // Textual address, formatted per PeerGatewayAddressType.
    [Description (
        "The IP address of the tunnel peer security gateway "
        "formatted according to the appropriate convention as "
        "defined in the PeerGatewayAddressType property of this "
        "class (e.g., 171.79.6.40). When the tunnel peer is not a "
        "security gateway, this property value is set to NULL."),
     ModelCorrespondence {
        "CIM_PreconfiguredTunnelAction.PeerGatewayAddressType" }]
    string PeerGatewayAddress;
};

// ==================================================================
// CIM_IPsecBypassAction
//   Static action that permits traffic without IPsec protection.
//   Declares no properties of its own.
//
//   NOTE(review): traffic matching a rule with this action leaves the
//   device unprotected. When auditing a policy, list every rule that
//   uses it together with its conditions and priority, and consider
//   enabling the inherited DoActionLogging flag on those rules.
// ==================================================================
[Description (
    "IPsecBypassAction is used to cause access to be permitted "
    "without invoking the use of IPsec.  Packets are forwarded "
    "in the clear. ")]
class CIM_IPsecBypassAction : CIM_SAStaticAction
{
};

// ==================================================================
// CIM_IPsecDiscardAction
//   Static action that drops matching packets. Declares no
//   properties of its own.
// ==================================================================
[Description (
    "IPsecDiscardAction is used to cause access to be denied. "
    "That is, packets are simply discarded. ")]
class CIM_IPsecDiscardAction : CIM_SAStaticAction
{
};

// ==================================================================
// CIM_IKERejectAction
//   Static action that refuses IKE negotiation with matching peers.
//   Declares no properties of its own.
// ==================================================================
[Description (
    "IKERejectAction is used to inhibit IKE "
    "negotiations with peers.")]
class CIM_IKERejectAction : CIM_SAStaticAction
{
};

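// ==================================================================
// CIM_SANegotiationAction
//   Parent of the negotiated actions (IKE phase 1 and phase 2).
//   Holds the lifetime floors, refresh thresholds and idle timer that
//   both phases share.
//
//   The Description of RefreshThresholdKilobytes previously joined two
//   string literals without a separating space ("SAkilobyte"); the
//   space is restored.
//
//   NOTE(review): RefreshThresholdSeconds and
//   RefreshThresholdKilobytes are uint8 values described as
//   percentages despite the unit in their names, and no range
//   qualifier limits them; a consumer should range-check them.
//   The two MinLifetime* properties are described as a defence
//   against denial of service through very short SA lifetimes; the
//   schema gives them no default, so leaving them unset presumably
//   disables that floor - confirm with the implementation.
// ==================================================================
[Description (
    "SANegotiationAction is the base class for negotiated SAs "
    "and, although concrete, is not intended to be instantiated. "
    "It specifies the common parameters that control the IKE "
    "phase 1 and phase 2 key exchange negotiations. ")]
class CIM_SANegotiationAction : CIM_SAAction
{
    // Lower bound on the time-based SA lifetime.
    [Description (
        "MinLifetimeSeconds prevents certain denial of service "
        "attacks based on very short SA lifetimes. "),
     Units("Seconds")]
    uint32 MinLifetimeSeconds;

    // A percentage of the lifetime, not a number of seconds.
    [Description (
        "RefreshThresholdSeconds is the lifetime percentage at which "
        "IKE should automatically attempt to acquire a new SA before "
        "an existing SA expires.  A random period may be added to a "
        "calculated threshold to reduce network thrashing. ")]
    uint8 RefreshThresholdSeconds;

    // 0 disables the idle timer.
    [Description (
        "IdleDurationSeconds is the time an SA can remain idle "
        "before it is automatically deleted.  The default (zero) "
        "value indicates that there is no idle duration timer "
        "and that the SA is deleted based upon the SA lifetime."),
     Units("Seconds")]
    uint32 IdleDurationSeconds;

    // Lower bound on the traffic-based SA lifetime.
    [Description (
        "MinLifetimeKilobytes prevents certain denial of service "
        "attacks based on very short SA lifetimes.")]
    uint32 MinLifetimeKilobytes;

    // A percentage of the kilobyte limit, not a number of kilobytes.
    [Description (
        "RefreshThresholdKilobytes is the percentage of the SA "
        "kilobyte limit remaining before the SA is refreshed. "
        "A random value may be added to a calculated threshold "
        "to reduce network thrashing. ")]
    uint8 RefreshThresholdKilobytes;
};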

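// ==================================================================
// CIM_IKEAction
//   Parameters for an IKE phase 1 negotiation: exchange mode, the
//   identity type to send, and the key-exchange group used in
//   Aggressive mode.
//
//   The Description of UseIKEIdentityType spelled the property name
//   "UseIkeIdentityType" in its first sentence; it now matches the
//   declared name.
//
//   NOTE(review): ExchangeMode 4 (Aggressive) does not protect the
//   peer identities and is widely advised against when pre-shared
//   keys are used; policies should prefer Main unless there is a
//   documented reason. Of the listed well-known groups, DH768 and
//   DH1024 are below the sizes current guidance accepts. The schema
//   allows all of these values, so a consumer that wants to forbid
//   them has to enforce that itself.
// ==================================================================
[Description (
    "IKEAction specifies the parameters to use for an IKE "
    "phase 1 negotiation. ")]
class CIM_IKEAction : CIM_SANegotiationAction
{
    // A percentage; 0 means no derived-key limit.
    [Description (
        "RefreshThresholdDerivedKeys is the percentage of the "
        "derived key limit remaining before the IKE phase 1 "
        "SA is renegotiated.  The default value (zero) means there "
        "is no limit. ")]
    uint8 RefreshThresholdDerivedKeys;

    // ValueMap and Values pair by position:
    // 1 = Base, 2 = Main, 4 = Aggressive (3 is not used).
    [Description (
        "The ExchangeMode designates the mode IKE should use for "
        "its key negotiations. "),
     ValueMap {"1", "2", "4"},
     Values {"Base", "Main", "Aggressive" }]
    uint16 ExchangeMode;

    // ValueMap and Values pair by position, 1 = IPV4_ADDR through
    // 11 = KEY_ID.
    [Description (
        "UseIKEIdentityType is used in conjunction with the available "
        "IKEIdentity instances for the IPProtocolEndpoint. "
        "UseIKEIdentityType designates the type of IKE Identity to "
        "use in sending an IKE message."),
     ValueMap
        {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
     Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
        "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
        "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
     ModelCorrespondence {
        "CIM_IKEIdentity.IdentityType" }]
    uint16 UseIKEIdentityType;

    // Qualifies AggressiveModeGroupID when it is in the vendor range.
    [Description ("The VendorID property is used to identify "
        "vendor-defined key exchange GroupIDs."),
     ModelCorrespondence {"CIM_IKEAction.AggressiveModeGroupID"}]
    string VendorID;

    // Only meaningful when ExchangeMode is Aggressive. No ValueMap:
    // the well-known numbers are listed in the Description only.
    [Description (
        "When IKEAction.ExchangeMode is set to \"Aggressive\", "
        "this property specifies the key exchange groupID to use "
        "in a proposal. If the GroupID number is from the vendor-"
        "specific range (32768-65535), the VendorID qualifies the "
        "group number.  Well-known group identifiers from RFC2412 "
        "are:  0='Not Applicable', 1='DH768', 2='DH1024', "
        "3='ECC2N155', 4='ECC2N185', and 5='DH1536'"),
     ModelCorrespondence {"CIM_IKEAction.VendorID"}]
    uint16 AggressiveModeGroupID;
};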

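// ==================================================================
// CIM_IPsecAction
//   Parameters for an IKE phase 2 negotiation: perfect forward
//   secrecy, the PFS group, and how narrow the proposed selectors
//   are.
//
//   Two Descriptions referred to the PFS switch as "PFS" although the
//   property declared in this class is UsePFS; they now use the
//   declared name, and "IF" is lower-cased.
//
//   NOTE(review): with UsePFS false, phase 2 keys are derived from
//   phase 1 material without a fresh exchange, so reviewers should
//   expect UsePFS to be true unless there is a documented reason.
//   Of the listed well-known groups, DH768 and DH1024 are below the
//   sizes current guidance accepts. Granularity decides how much
//   traffic shares one SA; 1 (Subnet) is the widest.
// ==================================================================
[Description (
    "IPsecAction specifies the parameters to use for an IKE "
    "phase 2 negotiation. ")]
class CIM_IPsecAction : CIM_SANegotiationAction
{
    // Governs whether GroupId / UseIKEGroup are consulted at all.
    [Description (
        "UsePFS indicates whether perfect forward secrecy "
        "is required when refreshing keys.")]
    boolean UsePFS;

    // Qualifies GroupId when it is in the vendor range.
    [Description ("The VendorID property is used to identify "
        "vendor-defined key exchange GroupIDs."),
     ModelCorrespondence {"CIM_IPsecAction.GroupId"}]
    string VendorID;

    // No ValueMap: the well-known numbers are listed in the
    // Description only.
    [Description (
        "GroupId specifies the PFS group ID to use. This value is "
        "only used if UsePFS is True and UseIKEGroup is False. "
        "If the GroupID number is from the vendor-specific range "
        "(32768-65535), the VendorID qualifies the group number.  "
        "Well-known group identifiers from RFC2412 are:\n"
        " 0='Not Applicable', 1='DH768', 2='DH1024', "
        "3='ECC2N155', 4='ECC2N185', and 5='DH1536'"),
     ModelCorrespondence {"CIM_IPsecAction.VendorID"}]
    uint16 GroupId;

    // When true, phase 2 reuses the phase 1 group instead of GroupId.
    [Description (
        "UseIKEGroup indicates that the phase 2 GroupId should be "
        "the same as that used in the phase 1 protecting this phase 2 "
        "exchange.  If UsePFS is False, UseIKEGroup is ignored. ")]
    boolean UseIKEGroup;

    // ValueMap and Values pair by position:
    // 1 = Subnet, 2 = Address, 3 = Protocol, 4 = Port.
    [Description (
        "Granularity controls whether proposed selectors for an "
        "SA should be:\n"
        " - the subnet mask (Subnet)\n"
        " - the IP address (Address)\n"
        " - the IP address & the IP protocol (Protocol)\n"
        " - the IP address, the IP protocol & the layer 4 port (Port) "
        "as derived from the traffic that triggered the FilterList "
        "of the Condition(s) that matched the rule."),
     ValueMap {"1", "2", "3", "4"},
     Values {"Subnet", "Address", "Protocol", "Port"}]
    uint16 Granularity;
};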


// ==================================================================
// CIM_IPsecTransportAction
//   Negotiated phase 2 action for transport encapsulation mode.
//   Declares no properties beyond those of CIM_IPsecAction.
// ==================================================================
[Description (
    "IPsecTransportAction is used to specify transport "
    "encapsulation mode. ")]
class CIM_IPsecTransportAction : CIM_IPsecAction
{
};


// ==================================================================
// CIM_IPsecTunnelAction
//   Negotiated phase 2 action for tunnel encapsulation mode. Adds
//   the handling of the Don't Fragment bit.
// ==================================================================
[Description (
    "IPsecTunnelAction is used to specify tunnel "
    "encapsulation mode. ")]
class CIM_IPsecTunnelAction : CIM_IPsecAction
{
    // ValueMap and Values pair by position:
    // 1 = Copy, 2 = Set, 3 = Clear.
    [Description (
        "DFHandling controls how the Don't Fragment bit "
        "is managed by the tunnel. "),
     ValueMap {"1", "2", "3"},
     Values {"Copy", "Set", "Clear"}]
    uint16 DFHandling;
};

// ==================================================================
// CIM_SATransform
//   Abstract parent of the AH, ESP and IPCOMP transforms. Instances
//   are keyed by the four Key properties below, two of which are
//   propagated from the scoping CIM_PolicyRepository.
//
//   NOTE(review): the Description on CommonName speaks of "The Name
//   property" although the property it qualifies (and overrides) is
//   CommonName - presumably a leftover; confirm the intended wording.
//   MaxLifetimeKilobytes carries no Units qualifier, unlike
//   MaxLifetimeSeconds.
// ==================================================================
[Abstract, Description (
    "SATransform is the base class for the various types of "
    "transforms aggregated into phase 2 proposals. Note that "
    "it is weak to its containing PolicyRepository which is "
    "defined with the SATransformInPolicyRepository association.")]
class CIM_SATransform : CIM_Policy
{
    // Key, propagated from the scoping repository.
    [Propagated ("CIM_PolicyRepository.CreationClassName"), Key,
     MaxLen (256), Description (
        "The scoping PolicyRepository's CreationClassName.")]
    string SystemCreationClassName;

    // Key, propagated from the scoping repository.
    [Propagated ("CIM_PolicyRepository.Name"), Key, MaxLen (256),
     Description (
        "The scoping PolicyRepository's Name.")]
    string SystemName;

    // Key: concrete class of the instance.
    [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class or "
        "the subclass used in the creation of an instance. When "
        "used with the other key properties of this class, this "
        "property allows all instances of this class and its "
        "subclasses to be uniquely identified. ")]
    string CreationClassName;

    // Key: overrides the inherited CommonName.
    [Override ("CommonName"), Key, MaxLen (256), Description (
        "The Name property provides a user-friendly unique "
        "name for this SATransform. ")]
    string CommonName;

    // Upper bound on the time-based lifetime that is proposed.
    [Description (
        "MaxLifetimeSeconds specifies the maximum time the "
        "IKE message sender proposes for an SA to be considered "
        "valid after it has been created."),
     Units ("Seconds")]
    uint32 MaxLifetimeSeconds;

    // Upper bound on the traffic-based lifetime that is proposed.
    [Description (
        "MaxLifetimeKilobytes specifies the maximum kilobyte "
        "lifetime the IKE message sender proposes for an SA to "
        "be considered valid after it has been created.  Each "
        "proposal may use a different lifetime based upon the "
        "strength of the encryption algorithm. ")]
    uint32 MaxLifetimeKilobytes;

    // Identifies vendor-defined transforms.
    [Description (
        "The VendorID property is used to identify "
        "vendor-defined transforms.")]
    string VendorID;
};

// ==================================================================
// CIM_AHTransform
//   Phase 2 transform for an AH (authentication header) SA. Its one
//   property selects the integrity algorithm.
//
//   NOTE(review): the selectable algorithms are MD5, SHA-1 and DES.
//   All three are legacy choices by current guidance; a consumer of
//   this schema that must meet a modern baseline will need an
//   allow-list on top of the ValueMap.
// ==================================================================
[Description (
    "AHTransform defines the parameters used for phase 2 "
    "negotiation of an AH SA. ")]
class CIM_AHTransform  : CIM_SATransform
{
    // ValueMap and Values pair by position:
    // 2 = MD5, 3 = SHA-1, 4 = DES (the map starts at 2).
    [Description (
        "AHTransformId is an enumeration that specifies the "
        "hash algorithm to be used. "),
     ValueMap {"2", "3", "4"},
     Values {"MD5", "SHA-1", "DES"}]
    uint16 AHTransformId;
};

// ==================================================================
// CIM_ESPTransform
//   Phase 2 transform for an ESP SA: integrity algorithm, cipher,
//   and optional key length / rounds.
//
//   NOTE(review): IntegrityTransformId 0 (None) yields encryption
//   without integrity protection, and CipherTransformId 11 (NULL)
//   yields no confidentiality. Nothing in the schema prevents both
//   from being selected in the same transform, so a consumer should
//   reject that combination. Several listed algorithms (for example
//   the DES variants, RC4 and MD5) are legacy choices by current
//   guidance; enforce an allow-list if a modern baseline applies.
// ==================================================================
[Description (
    "ESPTransform defines the parameters used for phase 2 "
    "negotiation of an ESP SA. ")]
class CIM_ESPTransform  : CIM_SATransform
{
    // ValueMap and Values pair by position:
    // 0 = None, 1 = MD5, 2 = SHA-1, 3 = DES, 4 = KPDK.
    [Description (
        "IntegrityTransformId is an enumeration that specifies "
        "the ESP integrity algorithm for the proposal. "),
     ValueMap {"0", "1", "2", "3", "4"},
     Values {"None", "MD5", "SHA-1", "DES", "KPDK"}]
    uint16 IntegrityTransformId;

    // ValueMap and Values pair by position, 1 = DES_IV64 through
    // 11 = NULL.
    [Description (
        "CipherTransformId is an enumeration that specifies the "
        "ESP encryption algorithm for the proposal. "),
     ValueMap
        {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
     Values {"DES_IV64", "DES", "3DES", "RC5", "IDEA", "CAST",
        "Blowfish", "3-IDEA", "DES_IV32", "RC4", "NULL" }]
    uint16 CipherTransformId;

    // In bits; ignored for fixed-key-length algorithms.
    [Description (
        "CipherKeyLength specifies, in bits, the key length for "
        "the encryption algorithm.  For algorithms with fixed "
        "key lengths, this value is ignored.")]
    uint16 CipherKeyLength;

    // Declared for completeness; the Description says no IPsec
    // algorithm defines key rounds.
    [Description (
        "CipherKeyRounds specifies the key rounds for the "
        "encryption algorithm.  Currently, key rounds are not "
        "defined for any IPsec encryption algorithms. ")]
    uint16 CipherKeyRounds;
};


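// ==================================================================
// CIM_IPCOMPTransform
//   Phase 2 transform that selects the IPCOMP compression algorithm.
//
//   The Description of PrivateAlgorithm referred to a "TransformId"
//   property; this class declares no such property, and the
//   enumeration that carries the OUI value is Algorithm, so the text
//   now names Algorithm.
// ==================================================================
[Description (
    "IPCOMPTransform specifies the compression algorithm "
    "to use. ")]
class CIM_IPCOMPTransform : CIM_SATransform
{
    // ValueMap and Values pair by position:
    // 1 = OUI, 2 = DEFLATE, 3 = LZS, 4 = V42BIS.
    [Description (
        "The Algorithm is an enumeration that designates the "
        "IPCOMP compression algorithm to use.  OUI designates a "
        "vendor-specific algorithm."),
     ValueMap {"1", "2", "3", "4"},
     Values {"OUI", "DEFLATE", "LZS", "V42BIS"}]
    uint16 Algorithm;

    // Stored as log2 of the maximum dictionary size.
    [Description (
        "DictionarySize is an optional field that specifies the "
        "log2 maximum size of the dictionary. ")]
    uint16 DictionarySize;

    // Only meaningful when Algorithm is 1 (OUI).
    [Description (
        "Private compression algorithm, used when Algorithm "
        "is OUI. ")]
    uint32 PrivateAlgorithm;
};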

// ==================================================================
// CIM_SAProposal
//   Abstract parent of the phase 1 (IKE) and phase 2 (IPsec)
//   proposal classes. It declares only the four Key properties, two
//   of which are propagated from the scoping CIM_PolicyRepository.
// ==================================================================
[Abstract, Description (
    "SAProposal is a base class defining the common "
    "properties of and anchoring common associations "
    "for IKE phase 1 and phase 2 (IPsec) proposals.")]
class CIM_SAProposal : CIM_Policy
{
    // Key, propagated from the scoping repository.
    [Propagated ("CIM_PolicyRepository.CreationClassName"), Key,
     MaxLen (256), Description (
        "The scoping PolicyRepository's CreationClassName.")]
    string SystemCreationClassName;

    // Key, propagated from the scoping repository.
    [Propagated ("CIM_PolicyRepository.Name"), Key,
     MaxLen (256), Description (
        "The scoping PolicyRepository's Name.")]
    string SystemName;

    // Key: concrete class of the instance.
    [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class "
        "or the subclass used in the creation of an "
        "instance. When used with the other key properties of "
        "this class, this property allows all instances of this "
        "class and its subclasses to be uniquely identified.")]
    string CreationClassName;

    // Key: name of the proposal.
    [Key, MaxLen (256), Description (
        "The Name property uniquely identifies the "
        "CIM_SAProposal.")]
    string Name;
};

// ==================================================================
// CIM_IKEProposal
//   One phase 1 proposal: cipher, hash, PRF, key-exchange group,
//   authentication method and the proposed lifetimes.
//
//   NOTE(review): every selectable cipher and hash here (for example
//   DES and MD5) and the DH768 / DH1024 groups are legacy choices by
//   current guidance; enforce an allow-list if a modern baseline
//   applies. AuthenticationMethod 0 (Any) expands into one proposal
//   per credential present on the system, so the set of methods that
//   is actually offered depends on what is installed, not only on
//   this instance. LifetimeDerivedKeys 0 removes the limit on how
//   many phase 2 keys one phase 1 key may produce.
// ==================================================================
[Description ("IKEProposal contains the parameters necessary "
    "to drive the phase 1 IKE negotiation.")]
class CIM_IKEProposal : CIM_SAProposal
{
    // 0 means unlimited derivations.
    [Description ("LifetimeDerivedKeys specifies the number of "
        "times a phase 1 key will be used to derive a phase 2 "
        "(IPsec) key.  A value of 0 indicates that there is no limit "
        "to the number of phase 2 keys that can be derived from the "
        "phase 1 key.")]
    uint32 LifetimeDerivedKeys ;

    // ValueMap and Values pair by position:
    // 1 = DES, 2 = IDEA, 3 = Blowfish, 4 = RC5, 5 = 3DES, 6 = CAST.
    [Description ("CipherAlgorithm is an enumeration that "
        "specifies the proposed encryption algorithm."),
     ValueMap { "1", "2", "3", "4", "5", "6" },
     Values { "DES", "IDEA", "Blowfish", "RC5", "3DES",
        "CAST"}]
    uint16 CipherAlgorithm;

    // ValueMap and Values pair by position:
    // 1 = MD5, 2 = SHA-1, 3 = Tiger.
    [Description ("HashAlgorithm is an enumeration that specifies "
        "the proposed hash function."),
     ValueMap {"1", "2", "3"},
     Values {"MD5", "SHA-1", "Tiger"}]
    uint16 HashAlgorithm;

    // No values are defined for this property by the Description.
    [Description ("PRFAlgorithm specifies the pseudo-random "
        "function IKE should use.  Currently, no such functions are "
        "defined.")]
    uint16 PRFAlgorithm;

    // Qualifies GroupId when it is in the vendor range.
    [Description ("The VendorID property is used to identify "
        "vendor-defined key exchange GroupIDs."),
     ModelCorrespondence {"CIM_IKEProposal.GroupId"}]
    string VendorID;

    // Used for Base and Main exchange modes; no ValueMap, the
    // well-known numbers are listed in the Description only.
    [Description ("When IKEAction.ExchangeMode is set to "
        "\"Base\" or to \"Main,\" the GroupId specifies the key "
        "exchange group ID to use in a proposal, otherwise, "
        "GroupId is set to 0, \"Not Applicable,\" and ignored. "
        "If the GroupID number is from the vendor-specific range "
        "(32768-65535), the VendorID qualifies the group number.  "
        "Well-known group identifiers from RFC2412 are:\n"
        " 0='Not Applicable', 1='DH768', 2='DH1024', "
        "3='ECC2N155', 4='ECC2N185', and 5='DH1536'"),
     ModelCorrespondence {"CIM_IKEProposal.VendorID"}]
    uint16 GroupId;

    // ValueMap and Values pair by position, 0 = Any through
    // 6 = Kerberos.
    [Description ("AuthenticationMethod is an enumeration that "
        "specifies the authentication method to use for the "
        "proposal. If the value 0 (Any) is used, then the proposal "
        "should be multiplied in the IKE proposal list by as many "
        "authentication methods as correspond to credentials on the "
        "system (e.g., if the system has a preshared key and a "
        "certificate, then the proposal will be repeated twice -- "
        "once for each method)."),
     ValueMap { "0", "1", "2", "3", "4", "5", "6" },
     Values {"Any", "Preshared", "DSS_Signatures",
        "RSA_Signatures", "RSA_Encryption", "Revised_RSA_Encryption",
        "Kerberos" }]
    uint16 AuthenticationMethod;

    // Upper bound on the time-based lifetime that is proposed.
    [Description ("MaxLifetimeSeconds specifies the maximum time "
        "the IKE message sender proposes for an SA to be considered "
        "valid after it has been created."), Units("Seconds")]
    uint32 MaxLifetimeSeconds;

    // Upper bound on the traffic-based lifetime that is proposed;
    // no Units qualifier is attached.
    [Description ("MaxLifetimeKilobytes specifies the maximum "
        "kilobyte lifetime the IKE message sender proposes for an SA "
        "to be considered valid after it has been created.  Each "
        "proposal may use a different lifetime based upon the "
        "strength of the encryption algorithm.")]
    uint32 MaxLifetimeKilobytes;
};

// ==================================================================
//     IPsecProposal
// ==================================================================
// Phase 2 proposal type. It declares no properties of its own, so it
// differs from CIM_SAProposal only by class name.
    [Description (
        "IPsecProposal aggregates the transform list "
        "that specify the phase 2 negotiation proposals for "
        "transform parameters.")]
class CIM_IPsecProposal : CIM_SAProposal
{
};

// ==================================================================
//     IKEService
// ==================================================================
// The IKE negotiation service itself. It adds no properties to
// CIM_NetworkService; its relationships are expressed through the
// associations that reference it.
    [Description (
        "Derived from NetworkService, IKEService represents the "
        "functions performed during IKE phase 1 and phase 2 "
        "negotiations.  An IKEService instance provides services "
        "for IPProtocolEndpoints on a System.")]
class CIM_IKEService : CIM_NetworkService
{
};

// ==================================================================
//     PeerGateway
// ==================================================================
// A remote security gateway, keyed by the scoping System plus its own
// CreationClassName and Name, and carrying the peer's IKE identity as
// a (PeerIdentityType, PeerIdentity) pair.
// NOTE(review): PeerIdentity has no MaxLen and is only described as
// "a string encoding"; consumers should check it against
// PeerIdentityType before relying on it in a policy decision.
    [Description (
        "PeerGateway identifies a security gateway with "
        "which an IKE Service negotiates.")]
class CIM_PeerGateway : CIM_LogicalElement
{
    // Key: class name of the scoping System.
    [Propagated ("CIM_System.CreationClassName"), Key,
     MaxLen (256),
     Description (
        "The scoping System's CreationClassName. ")]
    string SystemCreationClassName;

    // Key: name of the scoping System.
    [Propagated ("CIM_System.Name"), Key, MaxLen (256),
     Description (
        "The scoping System's Name.")]
    string SystemName;

    // Key: concrete class of this instance.
    [Key, MaxLen (256),
     Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.")]
    string CreationClassName;

    // Key: overrides the inherited Name.
    [Override ("Name"), Key, MaxLen (256),
     Description (
        "The Name property uniquely identifies the PeerGateway "
        "instance.")]
    string Name;

    // Discriminator for PeerIdentity; values 1..11 map to the Values list.
    [Description (
        "The PeerIdentityType specifies the type of the "
        "Peer's IKE Identity."),
     ValueMap {
        "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
     Values {
        "IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
        "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
        "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
     ModelCorrespondence {"CIM_PeerGateway.PeerIdentity"}]
    uint16 PeerIdentityType;

    // The identity value, interpreted according to PeerIdentityType.
    [Description (
        "PeerIdentity contains a string encoding of the "
        "Identity payload for the security gateway."),
     ModelCorrespondence {"CIM_PeerGateway.PeerIdentityType"}]
    string PeerIdentity;
};

// ==================================================================
//     PeerIdentityTable
// ==================================================================
// Container for identity-to-address mappings. It declares only its four
// key properties; the entries themselves are CIM_PeerIdentityEntry
// instances scoped to it.
    [Description (
        "PeerIdentityTable aggregates table entries "
        "that provide mappings between identities and their "
        "addresses.")]
class CIM_PeerIdentityTable : CIM_Collection
{
    // Key: class name of the scoping System.
    [Propagated ("CIM_System.CreationClassName"), Key,
     MaxLen (256),
     Description (
        "The scoping System's CreationClassName. ")]
    string SystemCreationClassName;

    // Key: name of the scoping System.
    [Propagated ("CIM_System.Name"), Key, MaxLen (256),
     Description (
        "The scoping System's Name.")]
    string SystemName;

    // Key: concrete class of this instance.
    [Key, MaxLen (256),
     Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.")]
    string CreationClassName;

    // Key: table name.
    [Key, MaxLen (256),
     Description (
        "The Name property uniquely "
        "identifies the PeerIdentityTable.")]
    string Name;
};

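// ==================================================================
//     PeerIdentityEntry
// ==================================================================
// One row of a PeerIdentityTable: it binds a peer IKE identity
// (PeerIdentityType, PeerIdentity) to an address (PeerAddressType,
// PeerAddress). Every property of the class is a key.
// Fix in this revision: the PeerAddress Description pointed at an
// "AddressType" property that this class does not declare; it now names
// PeerAddressType, matching the ModelCorrespondence on both properties.
// NOTE(review): PeerIdentity and PeerAddress are keys without MaxLen,
// and the PeerAddress text still speaks of "this ProtocolEndpoint",
// which looks carried over from another class - confirm the wording.
    [Description (
        "A PeerIdentityEntry in a PeerIdentityTable "
        "provides the mappings between peer's addresses and "
        "identities.")]
class CIM_PeerIdentityEntry : CIM_LogicalElement
{
    // Key: class name of the scoping System.
    [Propagated ("CIM_System.CreationClassName"), Key,
     MaxLen (256),
     Description (
        "The scoping System's CreationClassName. ")]
    string SystemCreationClassName;

    // Key: name of the scoping System.
    [Propagated ("CIM_System.Name"), Key, MaxLen (256),
     Description (
        "The scoping System's Name.")]
    string SystemName;

    // Key: class name of the scoping PeerIdentityTable.
    [Propagated ("CIM_PeerIdentityTable.CreationClassName"), Key,
     MaxLen (256),
     Description (
        "The scoping PeerIdentityTable CreationClassName.")]
    string TableCreationClassName;

    // Key: name of the scoping PeerIdentityTable.
    [Propagated ("CIM_PeerIdentityTable.Name"), Key,
     MaxLen (256),
     Description (
        "The scoping PeerIdentityTable Name.")]
    string TableName;

    // Key: concrete class of this instance.
    [Key, MaxLen (256),
     Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.")]
    string CreationClassName;

    // Key: discriminator for PeerIdentity.
    [Key,
     Description (
        "The PeerIdentityType specifies the type "
        "of the Peer's IKE Identity."),
     ValueMap {
        "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
     Values {
        "IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
        "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
        "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
     ModelCorrespondence {"CIM_PeerIdentityEntry.PeerIdentity"}]
    uint16 PeerIdentityType;

    // Key: identity value, interpreted according to PeerIdentityType.
    [Key,
     Description (
        "PeerIdentity contains a string encoding "
        "of the Identity payload for the security gateway."),
     ModelCorrespondence {"CIM_PeerIdentityEntry.PeerIdentityType"}]
    string PeerIdentity;

    // Key: discriminator for PeerAddress (0 Unknown, 1 IPv4, 2 IPv6).
    [Key,
     Description (
        "An enumeration that describes the format of the PeerAddress "
        "property. Addresses that can be formatted in IPv4 format, "
        "must be formatted that way to ensure mixed IPv4/IPv6 "
        "support."),
     ValueMap { "0", "1", "2" },
     Values { "Unknown", "IPv4", "IPv6" },
     ModelCorrespondence {"CIM_PeerIdentityEntry.PeerAddress"}]
    uint16 PeerAddressType;

    // Key: the address, formatted as PeerAddressType dictates.
    [Key,
     Description (
        "The IP address that this ProtocolEndpoint represents, "
        "formatted according to the appropriate convention as "
        "defined in the PeerAddressType property of this class "
        "(e.g., 171.79.6.40)."),
     ModelCorrespondence {"CIM_PeerIdentityEntry.PeerAddressType"}]
    string PeerAddress;
};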

// ==================================================================
//     IPsecProtectionSuite
// ==================================================================
// Groups the SAs that one IKE negotiation produced. The class declares
// six keys: its own CreationClassName and Name, the scoping System
// pair, and the scoping IPProtocolEndpoint pair (SAP*).
// NOTE(review): the Name Description talks about "the Service", which
// looks carried over from a service class - confirm the wording.
    [Description (
        "IPsecProtectionSuite represents the collection "
        "of SAs negotiated as a set by IKE.  A protection suite may "
        "consist of up to 6 individual SAs (incoming and outgoing "
        "SAs for AH, ESP, and IPCOMP)")]
class CIM_IPsecProtectionSuite : CIM_Collection
{
    // Key: concrete class of this instance.
    [Key, MaxLen (256),
     Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.")]
    string CreationClassName;

    // Key: suite name.
    [Key, MaxLen (256),
     Description (
        "The Name property uniquely identifies the Service and "
        "provides an indication of the functionality that is "
        "managed. This functionality is described in more detail in "
        "the object's Description property. ")]
    string Name;

    // Key: class name of the scoping System.
    [Propagated ("CIM_System.CreationClassName"), Key,
     MaxLen (256),
     Description (
        "The scoping System's CreationClassName. ")]
    string SystemCreationClassName;

    // Key: name of the scoping System.
    [Propagated ("CIM_System.Name"), Key, MaxLen (256),
     Description (
        "The scoping System's Name.")]
    string SystemName;

    // Key: class name of the scoping IPProtocolEndpoint.
    [Propagated ("CIM_IPProtocolEndpoint.CreationClassName"), Key,
     MaxLen (256),
     Description (
        "The scoping IPProtocolEndpoint's CreationClassName. ")]
    string SAPCreationClassName;

    // Key: name of the scoping IPProtocolEndpoint.
    [Propagated ("CIM_IPProtocolEndpoint.Name"), Key,
     MaxLen (256),
     Description (
        "The scoping IPProtocolEndpoint's Name.")]
    string SAPName;
};

// ==================================================================
//     IKEIdentity
// ==================================================================
// A local identity that an endpoint (or collection of endpoints) may
// present in IKE phase 1. Selection is driven by IdentityType and by
// matching IdentityContexts against IKERule.IdentityContexts.
// NOTE(review): the class Description refers to
// IKEAction.UseIKEIdentityType while the IdentityType
// ModelCorrespondence names CIM_IKEAction.UseIKEIdentity. IKEAction is
// declared outside this section, so confirm which spelling is right.
// NOTE(review): the "1 and only 1 IKEIdentity" rule at the end of the
// IdentityContexts Description is prose only; no qualifier enforces it.
    [Description (
        "IKEIdentity is used to represent the "
        "identities that may be used for an IPProtocolEndpoint (or "
        "collection of IPProtocolEndpoints) to identify itself in "
        "IKE phase 1 negotiations.  The policy "
        "IKEAction.UseIKEIdentityType specifies which type of the "
        "available identities to use in a negotiation exchange and "
        "the IKERule.IdentityContexts specifies the match values to "
        "be used, along with the local address, to be used in "
        "selecting the appropriate identity for a negotiation. The "
        "ElementID property value should be that of either the "
        "IPProtocolEndpoint or Collection of endpoints as "
        "appropriate.")]
class CIM_IKEIdentity : CIM_UsersAccess
{
    // Discriminator for IdentityValue; values 1..11 map to the Values list.
    [Description (
        "The IdentityType specifies the type of IKE "
        "Identity."),
     ValueMap {
        "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
     Values {
        "IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
        "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
        "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
     ModelCorrespondence {
        "CIM_IKEAction.UseIKEIdentity",
        "CIM_IKEIdentity.IdentityValue"}]
    uint16 IdentityType;

    // The identity value; may be left out for address-type identities.
    [Description (
        "IdentityValue contains a string encoding of "
        "the Identity payload.  For IKEIdentity instances that are "
        "address types, the IdentityValue string value may be "
        "omitted and the associated IPProtocolEndpoint or "
        "appropriate member of the Collection of endpoints is used."),
     ModelCorrespondence {"CIM_IKEIdentity.IdentityType"}]
    string IdentityValue;

    // Multi-valued context constraint; each array element is one
    // alternative (OR), and "&&" joins context names inside an element.
    [Description (
        "The IdentityContexts property is used to constrain the use "
        "of IKEIdentity instances to match that specified in the "
        "IKERule.IdentityContexts.  The IdentityContexts are "
        "formatted as policy roles and role combinations.  Each "
        "value represents one context or context combination.  Since "
        "this is a multi-valued property, more than one context or "
        "combination of contexts can be associated with a single "
        "IKEIdentity.  Each value is a string of the form:\n"
        "  <ContextName>[&&<ContextName>]*\n"
        "where the individual context names appear in alphabetical "
        "order (according to the collating sequence for UCS-2). "
        "If one or more values in the IKERule.IdentityContexts array "
        "match one or more IKEIdentity.IdentityContexts then the "
        "identity's context matches.  (That is, each value of the "
        "IdentityContext array is an ORed condition.)  In "
        "combination with the address of the IPProtocolEndpoint and "
        "IKEAction.UseIKEIdentityType, there should be 1 and only 1 "
        "IKEIdentity."),
     ModelCorrespondence {"CIM_IKERule.IdentityContexts"}]
    string IdentityContexts [];
};

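// ==================================================================
//     SecurityAssociation
// ==================================================================
// Base class for all SA types: creation and last-use timestamps, time
// and volume lifetimes with their refresh thresholds, a traffic counter
// and a packet-logging switch.
// Fix in this revision: the garbled last sentence of the
// LifetimeKilobytes Description ("It is deleted SA if ...") is reworded.
// NOTE(review): RefreshThresholdSeconds is a uint8 described as a
// percentage of the lifetime, despite the "Seconds" in its name.
// NOTE(review): ByteCount is a uint32 count of bytes, while
// LifetimeKilobytes is a uint32 count of kilobytes. If ByteCount really
// counts bytes, it wraps at 4 GiB, long before the largest configurable
// volume lifetime, so an implementation comparing the two needs a wider
// counter internally.
    [Description (
        "SecurityAssociation is a base class for the "
        "various types of security associations.")]
class CIM_SecurityAssociation : CIM_ProtocolEndpoint
{
    // Creation timestamp; the reference point for LifetimeSeconds.
    [Description (
        "TimeOfCreation records when the SA was created")]
    datetime TimeOfCreation;

    // Time-based lifetime, in seconds.
    [Description (
        "LifetimeSeconds specifies the maximum time SA "
        "will be considered valid after it has been created."),
     Units("Seconds")]
    uint32 LifetimeSeconds;

    // Percentage of the time lifetime at which re-keying should start.
    [Description (
        "RefreshThresholdSeconds is the lifetime "
        "percentage at which IKE should automatically attempt to "
        "acquire a new SA before the existing SA expires.  A random "
        "period may be added to a calculated threshold to reduce "
        "network thrashing.")]
    uint8 RefreshThresholdSeconds;

    // Last-use timestamp; paired with IdleDurationSeconds.
    [Description (
        "LastAccessed enables deletion if SA is idle "
        "too long.")]
    datetime LastAccessed;

    // Idle timeout in seconds; 0 disables the timeout.
    [Description (
        "IdleDurationSeconds specifies how long the SA "
        "can be idle before it is deleted.  The default value, 0, "
        "indicates that there is no idle time out period."),
     Units("Seconds")]
    uint32 IdleDurationSeconds;

    // Traffic protected so far (see the class-level note on width).
    [Description (
        "How many bytes have been protected by this SA")]
    uint32 ByteCount;

    // Volume-based lifetime, in kilobytes.
    [Description (
        "LifetimeKilobytes specifies the maximum number "
        "of kilobytes of data traffic to be protected by the SA.  The "
        "SA is deleted if the LifetimeKilobytes value is exceeded.")]
    uint32 LifetimeKilobytes;

    // Percentage of the volume lifetime at which re-keying should start.
    [Description (
        "RefreshThresholdKilobytes is the ByteCount "
        "value, expressed as a percentage of the LifetimeKilobytes, "
        "at which IKE should begin to renegotiate a new SA.  A "
        "random value may be added to the calculated threshold to "
        "reduce network thrashing.")]
    uint8 RefreshThresholdKilobytes;

    // Enables a per-SA traffic log. The log describes protected traffic,
    // so its storage and access controls deserve the same care as other
    // traffic records.
    [Description (
        "DoPacketLogging causes a log to be kept of traffic "
        "processed by the SA.")]
    boolean DoPacketLogging;
};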

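// ==================================================================
//     IKESecurityAssociation
// ==================================================================
// The phase 1 (IKE) SA: the cookie pair that identifies it, counters and
// limits for phase 2 keys derived from it, and the negotiated cipher,
// hash and key exchange group.
// Fixes in this revision, all inside Description strings:
//   - adjacent string pieces ended without a space, so the concatenated
//     text read "this value,in string form" and "there isno limit";
//   - "LiftetimeDerivedKeys" is corrected to the property's real name.
// Review note: DES, MD5 and the 768-bit group appear in the value lists
// below. All three are considered weak today, so tooling that reads
// these properties can use them to flag SAs negotiated with weak
// parameters.
// NOTE(review): VendorID is described as covering "vendor-defined
// algorithms", but its ModelCorrespondence ties it to GroupId only.
    [Description (
        "IKESecurityAssociation is the SA used by IKE "
        "to protect key negotiation traffic.")]
class CIM_IKESecurityAssociation : CIM_SecurityAssociation
{
    // Initiator half of the cookie pair.
    [Description (
        "Identifier of the IKE phase 1 negotiation "
        "initiator.  Combined with the ResponderCookie, this value, "
        "in string form, may be used to construct the value of the "
        "key field 'Name'.")]
    uint64 InitiatorCookie;

    // Responder half of the cookie pair.
    [Description (
        "Identifier of the IKE phase 1 negotiation "
        "responder.  Combined with the InitiatorCookie, this value, "
        "in string form, may be used to construct the value of the "
        "key field 'Name'.")]
    uint64 ResponderCookie;

    // Phase 2 keys derived so far under this SA.
    [Description (
        "How many phase 2 derived keys have been "
        "negotiated with this SA.")]
    uint32 DerivedKeyCount;

    // Upper bound on DerivedKeyCount; 0 means unlimited.
    [Description (
        "Delete SA if more than LifetimeDerivedKeys "
        "phase 2 keys derived.  A zero value indicates that there is "
        "no limit to the number of phase 2 derived keys.")]
    uint32 LifetimeDerivedKeys;

    // Percentage of LifetimeDerivedKeys at which to refresh the SA.
    [Description (
        "Percentage of LifetimeDerivedKeys at which "
        "SA should be refreshed.")]
    uint8 RefreshThresholdDerivedKeys;

    // Encryption algorithm, values 1..6.
    [Description (
        "CipherAlgorithm is an enumeration that "
        "specifies the proposed encryption algorithm."),
     ValueMap { "1", "2", "3", "4", "5", "6" },
     Values {
        "DES", "IDEA", "Blowfish", "RC5", "3DES", "CAST"}]
    uint16 CipherAlgorithm;

    // Hash function, values 1..3.
    [Description (
        "HashAlgorithm is an enumeration that specifies "
        "the proposed hash function."),
     ValueMap {"1", "2", "3"},
     Values {"MD5", "SHA-1", "Tiger"}]
    uint16 HashAlgorithm;

    // Key exchange group; qualified by VendorID in the vendor range.
    [Description (
        "GroupId specifies the key exchange group ID. "
        "If the GroupID number is from the vendor-specific range "
        "(32768-65535), the VendorID qualifies the group number.  "
        "Well-known group identifiers from RFC2412 are:\n"
        "1='DH768', 2='DH1024', 3='ECC2N155', 4='ECC2N185', and "
        "5='DH1536'"),
     ModelCorrespondence {"CIM_IKESecurityAssociation.VendorID"}]
    uint16 GroupId;

    // Vendor that defines a vendor-range GroupId.
    [Description (
        "VendorID identifies the vendor ID for "
        "vendor-defined algorithms."),
     ModelCorrespondence {"CIM_IKESecurityAssociation.GroupId"}]
    string VendorID;
};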


// ==================================================================
//     IPsecSecurityAssociation
// ==================================================================
// A phase 2 (AH, ESP or IPCOMP) SA, negotiated or static. It adds the
// SPI and the encapsulation mode to the base SA properties.
    [Description (
        "IPsecSecurityAssociation is used to represent "
        "both negotiated and static SAs that correspond to AH, ESP, "
        "or IPCOMP.")]
class CIM_IPsecSecurityAssociation : CIM_SecurityAssociation
{
    // Security Parameter Index of the SA.
    [Description (
        "SPI contains the Security Parameter Index of "
        "the SA. This value in string form may also be used in "
        "the key field 'Name' inherited from ServiceAccessPoint. ")]
    uint32 SPI;

    // 1 = Tunnel, 2 = Transport.
    [Description (
        "EncapsulationMode indicates whether the "
        "security association is for a transport or tunnel "
        "encapsulation mode."),
     ValueMap {"1", "2"},
     Values {"Tunnel", "Transport"}]
    uint16 EncapsulationMode;
};

// ==================================================================
//     DiscardSecurityAssociation
// ==================================================================
// Marker subclass with no properties of its own; the class itself
// signals that matching packets are dropped.
    [Description (
        "DiscardSecurityAssociation is the SA type that "
        "causes packets to be dropped.")]
class CIM_DiscardSecurityAssociation : CIM_SecurityAssociation
{
};
// ==================================================================
//     BypassSecurityAssociation
// ==================================================================
// Marker subclass with no properties of its own; the class itself
// signals that matching packets leave unprotected.
// Review note: each instance is an exemption from IPsec protection, so
// an audit of a deployment should list which filters are associated
// with SAs of this class.
    [Description (
        "BypassSecurityAssociation is the SA type that "
        "causes packets to be sent in the clear.")]
class CIM_BypassSecurityAssociation : CIM_SecurityAssociation
{
};

// ==================================================================
//     AutostartIKEConfiguration
// ==================================================================
// Grouping object for AutostartIKESetting instances; it declares no
// properties of its own.
    [Description (
        "AutostartIKEConfiguration object allows the "
        "grouping of sets of AutostartIKESetting instances.")]
class CIM_AutostartIKEConfiguration : CIM_SystemConfiguration
{
};

// ==================================================================
//     AutostartIKESetting
// ==================================================================
// Describes one IKE negotiation to start automatically: the traffic
// selector (addresses, ports, protocol) to match against policy, and
// whether to stop after phase 1.
// NOTE(review): the address Descriptions call the IPv6 text form
// "colon-decimal"; IPv6 addresses are conventionally written as
// colon-separated hexadecimal, so read the wording loosely.
    [Description (
        "AutostartIKESetting instances are used to "
        "automatically initiate IKE negotiations with peers as "
        "described in AutostartIKESetting properties.  IKE "
        "negotiations are initiated according to the policy that "
        "matches the setting parameters.")]
class CIM_AutostartIKESetting : CIM_SystemSetting
{
    // True: phase 1 only. False: phase 1 and phase 2.
    [Description (
        "Phase1Only is used to limit the IKE negotiation to just "
        "setting up a phase 1 security association.  When set to "
        "False, both phase 1 and 2 negotiations are initiated.")]
    boolean Phase1Only;

    // Format shared by SourceAddress and DestinationAddress.
    [Description (
        "An enumeration that describes the format of the source and "
        "destination address properties."),
     ValueMap { "0", "1", "2" },
     Values { "Unknown", "IPv4", "IPv6" },
     ModelCorrespondence {
        "CIM_AutostartIKESetting.SourceAddress",
        "CIM_AutostartIKESetting.DestinationAddress"}]
    uint16 AddressType;

    // Source address of the selector.
    [Description (
        "The dotted-decimal or colon-decimal formatted IP address "
        "used as the source address in comparing with policy "
        "filter entries and used in any phase 2 negotiations."),
     ModelCorrespondence {"CIM_AutostartIKESetting.AddressType"}]
    string SourceAddress;

    // Source port of the selector.
    [Description (
        "The port number used as the source port in comparing "
        "with policy filter entries and used in any phase "
        "2 negotiations.")]
    uint16 SourcePort;

    // Destination address of the selector.
    [Description (
        "The dotted-decimal or colon-decimal formatted IP address "
        "used as the destination address in comparing with policy "
        "filter entries and used in any phase 2 negotiations."),
     ModelCorrespondence {"CIM_AutostartIKESetting.AddressType"}]
    string DestinationAddress;

    // Destination port of the selector.
    [Description (
        "The port number used as the destination port in comparing "
        "with policy filter entries and used in any phase 2 "
        "negotiations.")]
    uint16 DestinationPort;

    // Protocol number of the selector.
    [Description (
        "The protocol number used in comparing with policy filter "
        "entries and used in any phase 2 negotiations.")]
    uint8 Protocol;
};


/////////////////////////////////////////////////////////////////////
//*******************************************************************
//  Associations
//*******************************************************************
/////////////////////////////////////////////////////////////////////

// ==================================================================
//     SAConditionInRule
// ==================================================================
// Aggregation that narrows both ends of the parent association to the
// SA-specific classes: SARule on the group side, SACondition on the
// part side. Min(1) is declared on the PartComponent reference.
    [Association, Aggregation,
     Description (
        "SAConditionInRule aggregates an SARule with the set of "
        "SACondition instances that trigger it.")]
class CIM_SAConditionInRule : CIM_PolicyConditionInPolicyRule
{
    // The aggregating rule.
    [Aggregate, Override ("GroupComponent"),
     Description (
        "An SARule subclass of PolicyRule.")]
    CIM_SARule REF GroupComponent;

    // The aggregated condition.
    [Override ("PartComponent"), Min(1),
     Description (
        "An SACondition subclass of PolicyCondition. ")]
    CIM_SACondition REF PartComponent;
};

// ==================================================================
//     FilterOfSACondition
// ==================================================================
// Ties an SACondition to the FilterList that selects its traffic. The
// Antecedent reference is declared Min(1), Max(1).
    [Association,
     Description (
        "FilterOfSACondition associates a network traffic "
        "specification (FilterList) with a SARule's SACondition.")]
class CIM_FilterOfSACondition : CIM_Dependency
{
    // The traffic specification.
    [Override ("Antecedent"), Min(1), Max(1),
     Description (
        "A FilterList describes the traffic that will specify the "
        "traffic to be filtered that is part of the SACondition of "
        "a policy rule. ")]
    CIM_FilterList REF Antecedent;

    // The condition that uses the filter.
    [Override ("Dependent"),
     Description (
        "This is the SACondition that uses this FilterList to form "
        "a policy rule. ")]
    CIM_SACondition REF Dependent;
};

// ==================================================================
//     AcceptCredentialsFrom
// ==================================================================
// Names the credential issuers an SACondition trusts when it matches a
// peer credential.
// Review note: this association is the trust-anchor list for the
// condition, so changes to it alter which peers can satisfy the rule.
// Neither reference declares Min/Max here, so the model itself does not
// require at least one trusted issuer per condition.
    [Association,
     Description (
        "This is used to specify which credential management service "
        "(e.g., a CertificateAuthority or a Kerberos service) is to "
        "be trusted to certify peer credentials. This is used to "
        "validate that the credential being matched in the "
        "CredentialFilterEntry is a valid credential that has been "
        "supplied by an approved CredentialManagementService. ")]
class CIM_AcceptCredentialsFrom : CIM_Dependency
{
    // The trusted issuer.
    [Override ("Antecedent"),
     Description (
        "The CredentialManagementService that is issuing "
        "the credential to be used in the SACondition. ")]
    CIM_CredentialManagementService REF Antecedent;

    // The condition that relies on the issuer.
    [Override ("Dependent"),
     Description (
        "The SACondition that contains the credential. ")]
    CIM_SACondition REF Dependent;
};

// ==================================================================
//     SAActionInRule
// ==================================================================
// Aggregation of SAActions into an SARule, with an explicit position
// (ActionOrder) for each action.
// NOTE(review): the ActionOrder Description requires a deterministic,
// non-duplicated order for IPsec, but that rule is stated in prose only;
// no qualifier on the property enforces uniqueness.
    [Association, Aggregation,
     Description (
        "SAActionInRule aggregates SAActions into SARules. ")]
class CIM_SAActionInRule : CIM_PolicyActionInPolicyRule
{
    // The aggregating rule.
    [Aggregate, Override ("GroupComponent"),
     Description (
        "An SARule that contains one or more SAActions. ")]
    CIM_SARule REF GroupComponent;

    // The aggregated action.
    [Override ("PartComponent"), Min(1),
     Description (
        "An SAAction subclass of PolicyAction which is aggregated "
        "into this SARule. ")]
    CIM_SAAction REF PartComponent;

    // Position of the action in the rule; smaller values run earlier.
    [Override ("ActionOrder"),
     Description (
        "ActionOrder is an unsigned integer 'n' that indicates "
        "the relative position of this SAAction in the "
        "sequence of actions associated with a PolicyRule. "
        "When 'n' is a positive integer, it indicates a place "
        "in the sequence of actions to be performed, with "
        "smaller integers indicating earlier positions in the "
        "sequence.\n\n"
        "Note that this property is inherited from its parent "
        "aggregation but overridden for two reasons. First, "
        "the parent aggregation allows for two policy rules "
        "to have the same action order. This is NOT allowed "
        "in IPsec (e.g., there MUST be a deterministic order "
        "that is followed). Second, this override enables "
        "IPsec consumers to add specific semantics of the "
        "action order in their implementations. ")]
    uint16 ActionOrder;
};

// ==================================================================
// IPsecPolicyGroupInPolicyGroup
// ==================================================================
// Recursive aggregation of IPsecPolicyGroups, with a GroupPriority that
// orders the nested groups when policies are merged (lower number wins).
// NOTE(review): the Description's split between aggregating groups and
// leaf groups is stated as intent ("is intended to"); nothing in the
// declarations enforces it.
    [Association, Aggregation,
     Description (
        "IPsecPolicyGroupInPolicyGroup is a recursive aggregation "
        "that enables a nested hierarchy of IPsecPolicyGroups to be "
        "defined. This enables multiple policies to be merged into a "
        "single policy that contains the rules of its constituent "
        "policies. When merging policies, rule priorities are used to "
        "provide a deterministic rule execution strategy. \n\n"
        "The aggregating IPsecPolicyGroup is intended to contain only "
        "other IPsecPolicyGroup instances, while the leaf "
        "IPsecPolicyGroup instances are intended to only contain IKE "
        "and/or IPsec SARules. ")]
class CIM_IPsecPolicyGroupInPolicyGroup : CIM_PolicyGroupInPolicyGroup
{
    // The containing group.
    [Aggregate, Override("GroupComponent"),
     Description (
        "A policy group that aggregates other policy groups.")]
    CIM_IPsecPolicyGroup REF GroupComponent;

    // The contained group.
    [Override("PartComponent"),
     Description (
        "A policy group aggregated by another policy group.")]
    CIM_IPsecPolicyGroup REF PartComponent;

    // Merge order of the contained group; 1 is the highest precedence.
    [Description (
        "GroupPriority indicates the ordering to be used "
        "when integrating multiple policy groups. Policy groups with "
        "lower numbers take precedence over those with higher numbers "
        "(i.e., policy 1 has highest precedence).")]
    uint16 GroupPriority;
};

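// ==================================================================
//     IPsecPolicyForSystem
// ==================================================================
// Binds an IPsecPolicyGroup to the System it applies to. As declared,
// a policy group has exactly one System (Antecedent Min(1), Max(1)) and
// a System has at most one policy group (Dependent Min(0), Max(1)).
// Fix in this revision: the class Description opened a parenthesis at
// "(e.g., ..." and never closed it; the closing ")" is added.
    [Association,
     Description (
        "IPsecPolicyForSystem associates an IPsec policy with a "
        "specific system (e.g., a host or a network device). ")]
class CIM_IPsecPolicyForSystem : CIM_Dependency
{
    // The hosting System.
    [Override ("Antecedent"), Min(1), Max(1),
     Description (
        "The System that hosts this IPsecPolicyGroup. ")]
    CIM_System REF Antecedent;

    // The policy group applied to the System.
    [Override ("Dependent"), Min(0), Max(1),
     Description (
        "The IPsecPolicyGroup, which contains a set of "
        "policies, that are to be applied to the System.")]
    CIM_IPsecPolicyGroup REF Dependent;
};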

// ==================================================================
//     IPsecPolicyForEndpoint
// ==================================================================
// Binds an IPsecPolicyGroup to an individual IPProtocolEndpoint. An
// endpoint has at most one policy group (Dependent Min (0), Max (1));
// the Antecedent side declares no cardinality.
    [Association,
     Description (
        "IPsecPolicyForEndpoint associates an IPsecPolicyGroup "
        "with a specific network interface.")]
class CIM_IPsecPolicyForEndpoint : CIM_Dependency
{
    // The interface the policy applies to.
    [Override ("Antecedent"),
     Description (
        "The IPProtocolEndpoint that identifies an interface "
        "to which the IPsecPolicyGroup applies.")]
    CIM_IPProtocolEndpoint REF Antecedent;

    // The policy group used for the interface.
    [Override ("Dependent"), Min (0), Max (1),
     Description (
        "IPsecPolicyGroup used for the interface.")]
    CIM_IPsecPolicyGroup REF Dependent;
};

// ==================================================================
//     RuleForIPsecNegotiation
// ==================================================================
// Places phase 2 rules (IPsecRule) inside exactly one IPsecPolicyGroup.
// NOTE(review): the Description speaks of "ContainingGroup", but the
// reference that carries Min(1), Max(1) is named GroupComponent here;
// the older name is presumably inherited wording - confirm.
    [Association, Aggregation,
     Description (
        "RuleForIPsecNegotiation associates an IPsecRule with the "
        "IPsecPolicyGroup that contains it. This is used to contain "
        "the phase 2 rules to control IKE negotiation. \n\n"
        "ContainingGroup is restricted to a cardinality of 1. This "
        "means that the IPsecRule instances are not sharable across "
        "multiple policy groups. ")]
class CIM_RuleForIPsecNegotiation : CIM_PolicyRuleInPolicyGroup
{
    // The single containing group.
    [Aggregate, Override ("GroupComponent"), Min(1), Max(1),
     Description (
        "An IPsecPolicyGroup that aggregates a set of policy rules. ")]
    CIM_IPsecPolicyGroup REF GroupComponent;

    // The contained phase 2 rule.
    [Override ("PartComponent"),
     Description (
        "A policy rule aggregated into a set of policy rules, "
        "forming an atomic policy group. ")]
    CIM_IPsecRule REF PartComponent;
};


// ==================================================================
//     RuleForIKENegotiation
// ==================================================================
// Places phase 1 rules (IKERule) inside exactly one IPsecPolicyGroup.
// NOTE(review): the Description speaks of "ContainingGroup", but the
// reference that carries Min(1), Max(1) is named GroupComponent here;
// the older name is presumably inherited wording - confirm.
    [Association, Aggregation,
     Description (
        "RuleForIKENegotiation associates an IKERule with the "
        "IPsecPolicyGroup that contains it. This is used to control "
        "phase 1 IKE negotiation. \n\n"
        "ContainingGroup is restricted to a cardinality of 1. This "
        "means that the IKERule instances are not sharable across "
        "multiple policy groups. ")]
class CIM_RuleForIKENegotiation : CIM_PolicyRuleInPolicyGroup
{
    // The single containing group.
    [Aggregate, Override ("GroupComponent"), Min(1), Max(1),
     Description (
        "An IPsecPolicyGroup that aggregates a set of policy rules. ")]
    CIM_IPsecPolicyGroup REF GroupComponent;

    // The contained phase 1 rule.
    [Override ("PartComponent"),
     Description (
        "A policy rule aggregated into a set of policy rules, "
        "forming an atomic policy group. ")]
    CIM_IKERule REF PartComponent;
};

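// ==================================================================
//     ContainedProposal
// ==================================================================
// Ordered list of SAProposals offered by one SANegotiationAction.
// SequenceNumber gives the sender's preference; lower is preferred.
// Fix in this revision: "chosing" in the SequenceNumber Description is
// corrected to "choosing".
// Review note: the order expresses only the sender's preference, so a
// policy author should list the strongest acceptable proposal first and
// leave out proposals that would not be acceptable if chosen.
    [Association, Aggregation,
     Description (
        "ContainedProposal holds the ordered list of SA proposals "
        "for a SANegotiationAction. ")]
class CIM_ContainedProposal : CIM_PolicyComponent
{
    // The action that owns the proposal list.
    [Aggregate, Override ("GroupComponent"),
     Description (
        "SANegotiationAction for this list of proposals. ")]
    CIM_SANegotiationAction REF GroupComponent;

    // One proposal in the list.
    [Override ("PartComponent"),
     Description (
        "SAProposal in this action. ")]
    CIM_SAProposal REF PartComponent;

    // Preference rank of the proposal within the action.
    [Description (
        "SequenceNumber indicates the ordering to be used when "
        "choosing from among the proposals; lower values are "
        "preferred by the sender. ")]
    uint16 SequenceNumber;
};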

// ==================================================================
//     FilterOfSecurityAssociation
// ==================================================================
// Ties SecurityAssociations to the FilterList that acts as their
// traffic selector. The Antecedent reference is declared Min(1),
// Max(1).
    [Association,
     Description (
        "FilterOfSecurityAssociation associates a network traffic "
        "specification (i.e., a FilterList) with a set of "
        "SecurityAssociations to which the filter list applies. ")]
class CIM_FilterOfSecurityAssociation : CIM_Dependency
{
    // The selector.
    [Override ("Antecedent"), Min(1), Max(1),
     Description (
        "FilterList describing the traffic to be matched against. ")]
    CIM_FilterList REF Antecedent;

    // The SA that uses the selector.
    [Override ("Dependent"),
     Description (
        "SecurityAssociation using the FilterList for its selector. ")]
    CIM_SecurityAssociation REF Dependent;
};

// ==================================================================
//     IKEUsesCredentialManagementService
// ==================================================================
// The credential issuers an IKEService trusts for phase 1.
// Review note: this is the service-wide trust-anchor list, so instances
// of this association deserve the same change control as the
// credentials themselves. Neither reference declares Min/Max here.
    [Association,
     Description (
        "IKEUsesCredentialManagementService defines the set of "
        "CredentialManagementService(s) that are trusted sources "
        "of credentials for IKE phase 1 negotiations. ")]
class CIM_IKEUsesCredentialManagementService : CIM_Dependency
{
    // The trusted issuer.
    [Override ("Antecedent"),
     Description (
        "CredentialManagementService trusted for the IKE "
        "negotiation.")]
    CIM_CredentialManagementService REF Antecedent;

    // The IKE service that relies on the issuer.
    [Override ("Dependent"),
     Description (
        "IKEService that is using the credentials issued by the "
        "trusted CredentialManagementService. ")]
    CIM_IKEService REF Dependent;
};

// ==================================================================
//     TransformOfPreconfiguredAction
// ==================================================================
	[ Association, Description (
	"TransformOfPreconfiguredAction defines the transforms used "
	"by a preconfigured IPsec action.") ]

// Links a PreconfiguredSAAction (Dependent) to between one and three
// SATransforms (Antecedent, Min(1)/Max(3)). Per the Antecedent Description,
// the upper bound allows for an AH, an ESP and an IPCOMP transform.
// NOTE(review): Min/Max bound only the count; nothing declared in this class
// requires the associated transforms to be of different types.
class CIM_TransformOfPreconfiguredAction : CIM_Dependency
{
    	[Override ("Antecedent"), Min(1), Max(3),
      Description (
      "This defines the type of transform that the Preconfigured "
      "SA Action will be applied to. The cardinality enables an "
      "action to be applied to an AH, an ESP, or an IPCOMP "
      "transform. " ) ]
    CIM_SATransform REF Antecedent;
	
    	[Override ("Dependent"),
      Description (
      "This defines the Preconfigured IPsec action to be applied "
      "to the AH, ESP, or IPCOMP transform. " ) ]
    CIM_PreconfiguredSAAction REF Dependent;
};

// ==================================================================
//    SAProposalInPolicyRepository
// ==================================================================
   [Association, Description (
    "SAProposalInPolicyRepository provides the scoping "
    "relationship for SAProposals in a PolicyRepository. "
    "The SAProposal is weak to the PolicyRepository." ) ]

// Scoping association: an SAProposal (Dependent, declared Weak) is scoped by
// exactly one PolicyRepository (Antecedent, Min(1)/Max(1)).
class CIM_SAProposalInPolicyRepository : CIM_PolicyInSystem
{
        [Override ("Antecedent"), Min (1), Max (1), Description (
         "This property identifies a PolicyRepository "
         "scoping one or more proposals.") ]
    CIM_PolicyRepository REF Antecedent;

        [Override ("Dependent"), Weak, Description (
         "An SAProposal that is in the PolicyRepository.")]
    CIM_SAProposal REF Dependent;
};

// ==================================================================
//    SATransformInPolicyRepository
// ==================================================================
   [Association, Description (
    "SATransformInPolicyRepository provides the scoping "
    "relationship for SATRansforms in a PolicyRepository. "
    "The SATransform is weak to the PolicyRepository." ) ]

// Scoping association: an SATransform (Dependent, declared Weak) is scoped by
// exactly one PolicyRepository (Antecedent, Min(1)/Max(1)).
// NOTE(review): the class Description spells the class name "SATRansforms";
// the referenced class is CIM_SATransform.
class CIM_SATransformInPolicyRepository : CIM_PolicyInSystem
{
        [Override ("Antecedent"), Min (1), Max (1), Description (
         "This property identifies a PolicyRepository "
         "scoping one or more transforms.") ]
    CIM_PolicyRepository REF Antecedent;

        [Override ("Dependent"), Weak, Description (
         "An SATransform that is in the PolicyRepository.")]
    CIM_SATransform REF Dependent;
};

// ==================================================================
//    HostedPeerIdentityTable
// ==================================================================
   [Association, Description ("HostedPeerIdentityTable provides the "
    "scoping relationship for PeerIdentityTable entries in a "
    "System.  The PeerIdentityTable is weak to the System." ) ]

// Scoping association: a PeerIdentityTable (Dependent, declared Weak) is
// scoped by exactly one System (Antecedent, Min(1)/Max(1)).
// Unlike the two *InPolicyRepository scoping associations, this one derives
// directly from CIM_Dependency.
class CIM_HostedPeerIdentityTable: CIM_Dependency
{
        [Override ("Antecedent"), Min (1), Max (1), Description (
         "This property identifies a System scoping one or more "
         "PeerIdentityTable instances.") ]
    CIM_System REF Antecedent;

        [Override ("Dependent"), Weak, Description (
         "A PeerIdentityTable that is in the System.")]
    CIM_PeerIdentityTable REF Dependent;
};

// ==================================================================
//     RuleThatGeneratedSA
// ==================================================================
    	[Association, Description (
	"RuleThatGeneratedSA associates a SecurityAssociation with "
	"the rule used to generate (or negotiate) it.") ]

// Traces a SecurityAssociation (Dependent) back to the SARule (Antecedent)
// that produced it. Min(0)/Max(1) on the Antecedent means an SA may have no
// rule recorded, and never more than one.
// NOTE(review): this is the link an auditor would follow from a live SA to
// the policy that authorised it; SAs with no instance of this association
// cannot be attributed to a rule through the model.
class CIM_RuleThatGeneratedSA : CIM_Dependency
{
    	[Override ("Antecedent"), Min (0), Max (1), 
      Description ("SARule that led to the SecurityAssociation.") ]
    CIM_SARule REF Antecedent;

	[Override ("Dependent"), 
	Description ("SecurityAssociation created using the rule.") ]
    CIM_SecurityAssociation REF Dependent;
};

// ==================================================================
//     TransformOfSecurityAssociation
// ==================================================================
	[Association, Description (
	"TransformOfSecurityAssociation maps an SA with the transform "
      "it uses.  For security reasons, no keying material of the SA "
      "is exposed." ) ]

// Maps an IPsecSecurityAssociation (Dependent) to exactly one SATransform
// (Antecedent, Min(1)/Max(1)). The association declares only the two
// references; it defines no property that could carry key data, which matches
// the Description's statement that keying material is not exposed.
// NOTE(review): that guarantee covers this class only -- whether the
// referenced SA or transform classes expose sensitive properties has to be
// checked on their own definitions.
class CIM_TransformOfSecurityAssociation : CIM_Dependency
{
    	[Override ("Antecedent"), Min (1), Max (1), 
	Description ("Transform of this SA.") ]
    CIM_SATransform REF Antecedent;

    	[Override ("Dependent"), 
	Description ("Security association.") ]
    CIM_IPsecSecurityAssociation REF Dependent;	
};

// ==================================================================
//     PeerGatewayOfSecurityAssociation
// ==================================================================
	[Association, Description (
	"PeerGatewayOfSecurityAssociation identifies the PeerGateway "
      "of an SA that has a security gateway as the peer.") ]

// Identifies the PeerGateway (Antecedent) of an IPsecSecurityAssociation
// (Dependent). Max(1) with no Min: an SA has at most one PeerGateway and may
// have none, consistent with the Description limiting this to SAs whose peer
// is a security gateway.
class CIM_PeerGatewayOfSecurityAssociation : CIM_Dependency
{
    	[Override ("Antecedent"), Max (1), 
	Description ("PeerGateway for the SA.") ]
    CIM_PeerGateway REF Antecedent;

    	[Override ("Dependent"), 
	Description ("Security association with the PeerGateway.") ]
    CIM_IPsecSecurityAssociation REF Dependent;	
};

// ==================================================================
//     IKEServicePeerGateway
// ==================================================================
	[Association, Description (
	"IKEServicePeerGateway provides the relationship between an "
      "IKEService and the list of PeerGateway instances that it "
      "uses in negotiating with security gateways.") ]

// Relates an IKEService (Dependent) to the PeerGateway instances (Antecedent)
// it uses when negotiating with security gateways. No Min/Max is declared on
// either reference in this class.
class CIM_IKEServicePeerGateway : CIM_Dependency
{
    	[Override ("Antecedent"), 
	Description ("The PeerGateway") ]
    CIM_PeerGateway REF Antecedent;

    	[Override ("Dependent"), Description (
      "The IKEService that uses information about the "
      "peer gateway.") ]
    CIM_IKEService REF Dependent;	
};

// ==================================================================
//     IKEServiceForEndpoint
// ==================================================================
	[Association, Description (
       "IKEServiceForEndpoint provides the relationship "
       "showing which IKE service, if any, provides IKE "
       "negotiation services for which network interfaces.") ]

// Shows which IKEService (Antecedent) negotiates on behalf of an
// IPProtocolEndpoint (Dependent). Max(1) with no Min: an endpoint is served by
// at most one IKEService and possibly by none ("if any" in the Description).
class CIM_IKEServiceForEndpoint : CIM_Dependency
{
    	[Override ("Antecedent"), Max (1), 
	 Description ("The IKEService that performs IKE negotiation "
       "for the IPProtocolEndpoint.") ]
    CIM_IKEService REF Antecedent;

    	[Override ("Dependent"), 
	 Description ("IPProtocolEndpoint for which services are "
       "provided.") ]
    CIM_IPProtocolEndpoint REF Dependent;	
};

// ==================================================================
//     IKEServicePeerIdentityTable
// ==================================================================
	[Association, Description (
      "IKEServicePeerIdentityTable provides the relationship "
      "between an IKEService and a PeerIdentityTable that it "
      "uses to map between addresses and identities where "
      "required.") ]

// Relates an IKEService (Dependent) to a PeerIdentityTable (Antecedent) used
// for address-to-identity mapping. No Min/Max is declared on either reference.
// NOTE(review): the table contents feed peer identification, so the integrity
// of the referenced PeerIdentityTable matters to IKE negotiation -- confirm
// how a provider protects it.
class CIM_IKEServicePeerIdentityTable: CIM_Dependency
{
    	[Override ("Antecedent"), 
	 Description ("The PeerIdentityTable.") ]
    CIM_PeerIdentityTable REF Antecedent;

    	[Override ("Dependent"), 
	Description ("The IKEService that uses the table.") ]
    CIM_IKEService REF Dependent;	
};

// ==================================================================
//     IKESAUsedForPhase2
// ==================================================================
    	[Association, Description (
      "IKESAUsedForPhase2 associates a phase 1 "
      "IKESecurityAssociation with an "
      "IPsecSecurityAssociation that was negotiated using "
      "that Phase 1 SA.") ]

// Ties a phase 2 IPsecSecurityAssociation (Dependent) to the phase 1
// IKESecurityAssociation (Antecedent) that protected its negotiation.
// Max(1) with no Min: at most one phase 1 SA is recorded per phase 2 SA.
class CIM_IKESAUsedForPhase2 : CIM_Dependency
{
    	[Override ("Antecedent"), Max (1), Description (
       "Phase 1 SA that protected the negotiation of "
       "the Phase 2 SA.") ]
    CIM_IKESecurityAssociation REF Antecedent;

     	[Override ("Dependent"), Description (
      "Phase 2 SA.") ]
    CIM_IPsecSecurityAssociation REF Dependent;	
};

// ==================================================================
//     PeerCredential
// ==================================================================
    	[Association, Description (
	"PeerCredential is an association that identifies the "
	"credential of the peer corresponding to an IKE SA.") ]

// Identifies the peer's Credential (Antecedent) for a phase 1
// IKESecurityAssociation (Dependent). Max(1) with no Min: at most one
// credential per IKE SA, possibly none.
// NOTE(review): this class only references a CIM_Credential; what that
// instance reveals depends on the Credential class and the provider, neither
// of which is defined in this file.
class CIM_PeerCredential : CIM_Dependency
{
    	[Override ("Antecedent"), Max (1), 
      Description ("Credential of the peer.") ]
    CIM_Credential REF Antecedent;

	[Override ("Dependent"), 
	Description ("Phase 1 SA for this peer.") ]
    CIM_IKESecurityAssociation REF Dependent;
};

// ==================================================================
//     IPProtocolEndpointsProtectionSuite
// ==================================================================
    	[Association, Description (
      "IPProtocolEndpointsProtectionSuite provides the "
      "relationship  between an IPsecProtectionSuite and the scoping "
      "IPProtocolEndpoint for which the set of related SAs provide "
      "traffic protection.  The IPsecProtectionSuite is weak to its "
      "IPProtocolEndpoint.") ]

// Scoping association: an IPsecProtectionSuite (Dependent, declared Weak) is
// scoped by exactly one IPProtocolEndpoint (Antecedent, Min(1)/Max(1)).
class CIM_IPProtocolEndpointsProtectionSuite: CIM_Dependency
{
    	[Override ("Antecedent"), Min (1), Max (1), 
	 Description (
       "An IPProtocolEndpoint for which protection is provided.") ]
    CIM_IPProtocolEndpoint REF Antecedent;

    	[Override ("Dependent"), Weak, Description (
      "A protection suite.") ]
    CIM_IPsecProtectionSuite REF Dependent;	
};

// ==================================================================
//     SecurityAssociationBindsTo
// ==================================================================
	[Association, Description (
	"SecurityAssociationBindsTo associates an IPProtocolEndpoint "
      "with an active SecurityAssociation on that endpoint.") ]

// Binds an active SecurityAssociation (Dependent) to exactly one
// IPProtocolEndpoint (Antecedent, Min(1)/Max(1)). Derives from CIM_BindsTo
// rather than directly from CIM_Dependency.
class CIM_SecurityAssociationBindsTo : CIM_BindsTo
{
      [Override ("Antecedent"), Min (1), Max (1), 
      Description (
      "IPProtocolEndpoint representing the network "
      "interface on which an SA is active." ) ]
    CIM_IPProtocolEndpoint REF Antecedent;

      [Override ("Dependent"), Description (
      "Security association on the endpoint." ) ]
    CIM_SecurityAssociation REF Dependent;
};

// ==================================================================
//     ProvidesSA
// ==================================================================
	[Association, Description (
      "ProvidesSA represents the relationship between an "
      "IKEService that provides the negotiation functions "
      "and manages the associated security association." ) ]

// Relates a SecurityAssociation (Dependent) to the IKEService (Antecedent)
// that provides it. Max(1) with no Min: at most one providing IKEService per
// SA. Derives from CIM_ProvidesEndpoint.
// NOTE(review): the class Description names only one side of the
// relationship ("between an IKEService that ... and manages ..."); the
// property Descriptions below make the two ends explicit.
class CIM_ProvidesSA: CIM_ProvidesEndpoint
{
     [Override ("Antecedent"), Max (1), Description (
     "The IKEService that provides the SA.")]
   CIM_IKEService REF Antecedent;

     [Override ("Dependent"), Description (
     "Security association provided by the service.") ]
   CIM_SecurityAssociation REF Dependent;
};

// ==================================================================
//     IKEIdentitysCredential
// ==================================================================
    	[Association, Description (
      "IKEIdentitysCredential is an association that "
      "relates a set of credentials to their "
      "corresponding local IKE Identities." ) ]

// Relates a Credential (Antecedent) to the local IKEIdentity (Dependent) it
// belongs to. Derives from CIM_UsersCredential; no Min/Max is declared on
// either reference in this class.
class CIM_IKEIdentitysCredential : CIM_UsersCredential
{
    	[Override ("Antecedent"), Description (
      "Credential of the Identity.") ]
    CIM_Credential REF Antecedent;

    	[Override ("Dependent"), Description (
      "Identity associated with the credential.") ]
    CIM_IKEIdentity REF Dependent;
};

// ==================================================================
//     EndpointHasLocalIKEIdentity
// ==================================================================
    	[Association, Description (
      "EndpointHasLocalIKEIdentity associates an "
      "IPProtocolEndpoint with a set of IKE "
      "Identities for that may be used in negotiating "
      "SAs on the endpoint. " ) ]

// Associates an IPProtocolEndpoint (Antecedent) with the IKEIdentity instances
// (Dependent) usable when negotiating SAs on it. Max(1) on the Antecedent:
// each identity is tied to at most one endpoint through this association.
// NOTE(review): the class Description contains a stray "for" ("Identities for
// that may be used").
class CIM_EndpointHasLocalIKEIdentity : CIM_ElementAsUser
{
      [Override ("Antecedent"), Max (1), Description (
      "IPProtocolEndpoint that has an IKE identity.") ]
    CIM_IPProtocolEndpoint REF Antecedent;

      [Override ("Dependent"), Description (
      "An IKE Identity for the endpoint.") ]
    CIM_IKEIdentity REF Dependent;
};

// ==================================================================
//     CollectionHasLocalIKEIdentity
// ==================================================================
    	[Association, Description (
      "CollectionHasLocalIKEIdentity associates a Collection "
      "of IPProtocolEndpoints with a set of IKE Identities "
      "that may be used in negotiating SAs for "
      "these endpoints.") ]

// Collection-level counterpart of EndpointHasLocalIKEIdentity: associates a
// Collection (Antecedent, Max(1)) with the IKEIdentity instances (Dependent)
// usable for its endpoints.
// NOTE(review): the Antecedent is typed CIM_Collection; nothing declared here
// restricts the collection's members to IPProtocolEndpoints as the
// Description implies.
class CIM_CollectionHasLocalIKEIdentity : CIM_ElementAsUser
{
    	[Override ("Antecedent"), Max (1), Description (
      "Collection that has an Identity.") ]
    CIM_Collection REF Antecedent;
	
    	[Override ("Dependent"), Description (
      "IKE Identity used for the Collection.") ]
    CIM_IKEIdentity REF Dependent;
};

// ==================================================================
//     ContainedTransform 
// ==================================================================
    	[Association, Aggregation, Description (
	"ContainedTransform associates a proposal with its set "
	"of transforms.  If multiple transforms of a given type are "
	"in a given proposal, these transforms are interpreted as "
	"alternatives -- logically ORed with each other.  Sets of "
	"transforms of different types are logically ANDed.  For "
	"example, a proposal aggregating two AH transforms and three "
	"ESP transforms means one of the AH transforms must be chosen "
	"AND one of the ESP transforms must be chosen.") ]

// Aggregates SATransforms (PartComponent, Min(1)) into an IPsecProposal
// (GroupComponent). Per the Description: same-type transforms are
// alternatives (OR), different types are combined (AND).
// NOTE(review): the Description refers to "ContainedTransform" while the
// declared class name is CIM_IPsecContainedTransform.
class CIM_IPsecContainedTransform : CIM_PolicyComponent
{
    	[Aggregate, Override ("GroupComponent"), Description (
      "Proposal containing transforms.") ]
    CIM_IPsecProposal REF GroupComponent;

    	[Override ("PartComponent"), Min (1), Description (
      "Transforms in the proposal.") ]
    CIM_SATransform REF PartComponent;

    // Preference order among the alternatives: lower value = more preferred.
    // NOTE(review): behaviour for equal values is not stated here.
    	[Description (
      "SequenceNumber indicates the ordering to be used when "
      "choosing from among the transforms; lower values are "
      "preferred by the sender.")]
    uint16 SequenceNumber;
};

// ==================================================================
//     ContainedSA 
// ==================================================================
    	[Association, Aggregation, Description (
	"ContainedSA associates a protection suite with its member "
      "IPsec security associations.  Security associations are "
      "contained in sending/receiving pairs and there may be any or "
      "all of an AH pair, ESP pair or an IPCOMP pair of SAs.") ]

// Aggregates IPsecSecurityAssociations (Member) into exactly one
// IPsecProtectionSuite (Collection, Min(1)/Max(1)). Min(2)/Max(6) on Member
// lines up with the Description: one to three send/receive pairs
// (AH, ESP, IPCOMP).
// NOTE(review): the cardinality bounds the count only; it does not by itself
// enforce that members come in matched pairs.
class CIM_ContainedSA : CIM_MemberOfCollection
{
    	[Aggregate, Override ("Collection"), Min (1), Max (1),
	Description (
      "Protection suite.") ]
    CIM_IPsecProtectionSuite REF Collection;

    	[Override ("Member"), Min (2), Max (6), Description (
      "Contained SAs.") ]
    CIM_IPsecSecurityAssociation REF Member;
};

// ==================================================================
//     PeerIdentityMember 
// ==================================================================
    	[Association, Aggregation, Description (
	"PeerIdentityMember aggregates PeerIdentityEntry "
      "instances into a PeerIdentityTable.  This is a "
      "weak aggregation.") ]

// Aggregates PeerIdentityEntry instances (Member, declared Weak) into exactly
// one PeerIdentityTable (Collection, Min(1)/Max(1)).
class CIM_PeerIdentityMember : CIM_MemberOfCollection
{
    	[Aggregate, Override ("Collection"), Min (1), Max (1),
	Description (
      "Aggregating PeerIdentityTable.") ]
    CIM_PeerIdentityTable REF Collection;

    	[Override ("Member"), Weak, Description (
      "Table entry") ]
    CIM_PeerIdentityEntry REF Member;
};

// ==================================================================
// PeerGatewayForTunnel
// ==================================================================
      [Association, Description (
      "PeerGatewayForTunnel identifies the PeerGateway to be used "
      "in constructing a tunnel. " ) ]

// Identifies the PeerGateway (Antecedent) an IPsecTunnelAction (Dependent)
// uses when constructing a tunnel. No Min/Max is declared on either reference.
class CIM_PeerGatewayForTunnel : CIM_Dependency
{
      [Override ("Antecedent"), Description (
      "PeerGateway for the SA. " ) ]
    CIM_PeerGateway REF Antecedent;

      [Override ("Dependent"), Description (
      "IPsecTunnelAction that requires a PeerGateway. " ) ]
    CIM_IPsecTunnelAction REF Dependent; 

    // Evaluation order of IPsecTunnelAction instances for a rule: lower first.
    // NOTE(review): behaviour for equal values is not stated here.
    [Description ("SequenceNumber indicates the ordering "
	"to be used when evaluating IPsecTunnelAction "
      "instances for a given rule.  Lower values are "
      "evaluated first. " ) ]
    uint16 SequenceNumber;
};

// ==================================================================
// HostedPeerGatewayInformation
// ==================================================================
      [Association, Description (
      "HostedPeerGatewayInformation provides the scoping "
      "association for PeerGateway information used by IKE "
      "services to identify PeerGateways used in a policy." ) ]

// Scoping association: a PeerGateway (Dependent, declared Weak) is scoped by
// exactly one System (Antecedent, Min(1)/Max(1)).
class CIM_HostedPeerGatewayInformation : CIM_Dependency
{
      [Override ("Antecedent"), Min (1), Max (1), 
      Description (
      "Scoping System.") ]
    CIM_System REF Antecedent;

      [Override ("Dependent"), Weak, Description (
      "PeerGateway.") ]
    CIM_PeerGateway REF Dependent; 
};
//

// ==================================================================
//     IKEAutostartConfiguration
// ==================================================================
    	[Association, Description ("IKEAutostartConfiguration "
      "provides the relationship between an IKEService and a "
      "configuration set that it uses to automatically start a set "
      "of SAs.")]
// Relates an IKEService (Dependent) to an AutostartIKEConfiguration
// (Antecedent) and flags, via Active, whether that configuration is the one
// used to autostart negotiations at boot.
// NOTE(review): no Min/Max is declared on either reference, and nothing here
// limits how many configurations may be marked Active for one IKEService --
// a provider needs its own rule for that case.
class CIM_IKEAutostartConfiguration: CIM_Dependency
{
	[Override ("Antecedent"), 
      Description ("The configuration used.") ]
    CIM_AutostartIKEConfiguration REF Antecedent;
    	[Override ("Dependent"), 
      Description ("The IKEService that uses the configuration.") ]
    CIM_IKEService REF Dependent;
    // NOTE(review): the Description below misspells "negotiations"
    // as "negotitations".
      [Description ("Active indicates whether the configuration set "
      "is currently active for the associated IKEService.  That is, "
	"at boot time, the active configuration is used to autostart "
	"IKE negotitations.")]
    boolean Active;
};

// ==================================================================
//     IKEAutostartSetting
// ==================================================================
    	[Association, Description ("IKEAutostartSetting associates an "
      "IKEService and an AutostartIKESetting that it uses to "
      "automatically start negotiating one or more SAs.") ]
// Associates an IKEService (Element) with an AutostartIKESetting (Setting)
// describing what it should negotiate automatically. Derives from
// CIM_ElementSetting; no Min/Max is declared on either reference.
class CIM_IKEAutostartSetting : CIM_ElementSetting
{
    	[Override ("Element"), 
      Description ("IKEService that uses the setting.") ]
    CIM_IKEService REF Element;
	
    	[Override ("Setting"), Description ("Setting that tells the "
      "IKEService what to negotiate.") ]
    CIM_AutostartIKESetting REF Setting;
};

// ==================================================================
//     AutostartIKESettingContext 
// ==================================================================
    	[Association, Aggregation, Description (
	"AutostartIKESettingContext aggregates the settings used to "
      "autostart SA negotiations into a configuration set.") ]
// Aggregates AutostartIKESetting instances (Setting) into an
// AutostartIKEConfiguration (Context) and orders them with SequenceNumber.
// No Min/Max is declared on either reference in this class.
class CIM_AutostartIKESettingContext : CIM_SystemSettingContext
{
    	[Aggregate, Override ("Context"),
	Description ("A configuration set.") ]
    CIM_AutostartIKEConfiguration REF Context;

    	[Override ("Setting"), Description ("A setting that is part "
      "of the configuration set.") ]
    CIM_AutostartIKESetting REF Setting;
    // Start-up ordering per the Description: 0 = order not significant (may
    // run in parallel); other values run from low to high; equal values have
    // no defined order among themselves.
    	[Description ("SequenceNumber indicates the ordering to be "
      "used when starting negotiations.  A zero value indicates "
      "that order is not significant and settings may be applied in "
      "parallel with other settings.  All other settings in the "
      "configuration are executed in sequence from lower values to "
      "high.  Sequence numbers need not be unique in an "
      "AutostartIKEConfiguration and order is not significant for "
	"settings with the same sequence number.")]
    uint16 SequenceNumber;
};




// ===================================================================
// end of file
// ===================================================================
