
Diff for /pegasus/Schemas/CIM26Prelim/Attic/CIM_Network26_Add.mof between version 1.1 and 1.2

version 1.1, 2001/08/07 11:08:21 version 1.2, 2001/12/13 14:53:17
Line 0 
Line 1 
   // ===================================================================
   // Title:       Network MOF Specification 2.6 for IPsec Policy
   // Filename:    CIM_Network26_Add.mof
   // Version:     2.6
   // Release:     0
   // Date:        05/22/2001
   // ===================================================================
   // Copyright "2001" Distributed Management Task Force, Inc. (DMTF).
   // All rights reserved.
   // DMTF is a not-for-profit association of industry members dedicated
   // to promoting enterprise and systems management and interoperability.
   // DMTF specifications and documents may be reproduced for uses
   // consistent with this purpose by members and non-members,
   // provided that correct attribution is given.
   // As DMTF specifications may be revised from time to time,
   // the particular version and release cited should always be noted.
   // Authors:     DMTF Network Working Group
   // Editors:     Victor Lortz, Lee Rafalow, John Strassner
   // Last update: Lee Rafalow, 05/22/2001
   //
   // Description: These object classes define the IPsec policy model
   //              for CIM and includes classes needed to represent
   //              IKE negotiations and the resulting security
   //                  associations.
   //
   //              The object classes below are listed in an order that
   //              avoids forward references. Required objects, defined
   //                  by other working groups, are omitted.
   //
   // Changes to initial V2.5 "Preliminary Standard" Release for V2.6:
   //      CIMCR599 - Updates to IPsec Model to match IETF IPSP Model
   //              -Update IKERule & IPsecRule descriptions for static
   //               actions
   //              -Update IPsecPolicyForSystem to correct the System
   //               cardinality and descriptions
   //              -Change SAProposal and SATransform to be weak to
   //               System instead of weak to PolicyRepository by changing
   //               SAProposalInPolicyRepository to SAProposalInSystem and
   //               SATRansformInPolicyRepository to SATRansformInSystem
   //              -Add DFHandling to PreconfiguredTunnelAction and
   //               IPsecSecurityAssociation
   //              -Add UseReplayPrevention & ReplayPreventionWindowSize
   //               to AHTransform & ESPTransform
   //              -Clarify SecurityAssociation description
   //              -Clarify SACondition description to include evaluation
   //               semantics
   //              -Clarify IPsecPolicyGroup description to include decision
   //               strategy semantics & use of PolicySetComponent instead of
   //               IPsecPolicyGroupInPolicyGroup
   //              -Clarify SAActionInRule to include action sequencing
   //               semantics
   //              -Clarify IKERejectAction description
   //              -Clarify PeerIdentityEntry.PeerIdentity description
   //              -Fixed PeerIdentityEntry.PeerAddress description
   //              -Fixed AutostartIKESetting description
   //              -Clarified IKEIdentity description
   //              -Clarified AutostartIKESettingContext description
   //              -Clarified IKEAutostartConfiguration.Active description
   //              -Changed CIM_IPsecContainedTransform to
   //               CIM_ContainedTransform
   //              -Fixed PeerGatewayForTunnel.SequenceNumber description
   //              -Added TransformOfPreconfiguredAction.SPI
   //      -Added SAActionInRule.FallbackOrder and change semantic
   //               of ActionOrder
   //              -Added PeerGatewayForPreconfiguredTunnel &
   //               deleted PreconfiguredTunnelAction PeerGateway properties
   //              -Remove IPsecPolicyGroupInPolicyGroup in favor of
   //               PolicySetComponent
   //              -SaRule description changed to reflect use of
   //               PolicySetComponent.Priority instead of PolicyRule.Priority
   //              -Add override description for SARule.ExecutionStrategy
   //      CIMCR593 - Correct Typos in Propagated Keys in IPsec model
   //              -Correct PeerIdentityEntry propagated keys
   //              -Correct IPsecProtectionSuite propagated keys
   //
   // ===================================================================
   // Generic Pragmas
   // ===================================================================
   
   #pragma Locale ("en_US")
   
   // ==================================================================
   //     SACondition
   // ==================================================================
           [Description (
         "SACondition defines the conditions of rules for IKE or "
           "IPsec negotiations. Conditions are associated with policy "
         "rules via the SAConditionInRule aggregation. It is used as "
         "an anchor point to associate various types of filters with "
         "policy rules via the FilterOfSACondition association. It "
         "also defines whether Credentials can be accepted for a "
         "particular policy rule via the AcceptCredentialsFrom "
         "association. \n"
           "\n"
           "Associated objects represent components of the condition "
           "that may or may not apply at a given rule evaluation.  For "
           "example, an AcceptCredentialsFrom evaluation is only "
           "performed when a credential is available to be evaluated "
           "against the list of trusted credential management services.  "
           "Similarly, a PeerIDPayloadFilterEntry may only be evaluated "
           "when an IDPayload value is available to compared with the "
           "filter.  Condition components that do not have corresponding "
           "values with which to evaluate are evaluated as TRUE unless "
           "the protocol has completed without providing the required "
           "information.") ]
   
   class CIM_SACondition : CIM_PolicyCondition
   {
   };
   
   // ==================================================================
   //     CredentialFilterEntry
   // ==================================================================
           [Description (
          "A CredentialFilterEntry is used to define an equivalence "
            "class that match credentials of IKE peers. Each "
          "CredentialFilterEntry includes a MatchFieldName that is "
          "interpreted according to the CredentialManagementService(s) "
          "associated with the SACondition (AcceptCredentialsFrom). "
          "These credentials can be X.509 certificates, Kerberos "
            "tickets, or other types of credentials obtained during the "
            "Phase 1 exchange. " ) ]
   
   class CIM_CredentialFilterEntry : CIM_FilterEntryBase
   {
           [Description (
          "MatchFieldName specifies the sub-part of the credential to "
            "match against MatchFieldValue."),
          ModelCorrespondence {
              "CIM_CredentialFilterEntry.MatchFieldValue" } ]
       string MatchFieldName;
   
           [Description (
         "MatchFieldValue specifies the value to compare with the "
           "MatchFieldName in a credential to determine if the "
           "credential matches this filter entry."),
          ModelCorrespondence {
                   "CIM_CredentialFilterEntry.MatchFieldName" } ]
       string MatchFieldValue;
   
         [Description (
           "CredentialType is an enumerated 16-bit unsigned integer that "
         "is used to specify the particular type of credential that is "
         "being matched. " ),
         ValueMap { "1", "2" },
         Values { "X.509 Certificate", "Kerberos Ticket" } ]
       uint16 CredentialType;
   };
   
   // ==================================================================
   //     IPSOFilterEntry
   // ==================================================================
           [Description (
          "An IPSOFilterEntry is used to match traffic based on the "
            "IP Security Options header values (ClassificationLevel "
            "and ProtectionAuthority) as defined in RFC1108. This type "
            "of FilterEntry is used to adjust the IPsec encryption level "
            "according to the IPSO classification of the traffic (e.g., "
            "secret, confidential, restricted, etc." ) ]
   
   class CIM_IPSOFilterEntry : CIM_FilterEntryBase
   {
           [Description (
            "MatchConditionType specifies whether to match based on "
            "traffic classification level or protection authority."),
          ValueMap { "1", "2"},
          Values {"ClassificationLevel", "ProtectionAuthority" },
          ModelCorrespondence {
                   "CIM_IPSOFilterEntry.MatchConditionValue" } ]
       uint16 MatchConditionType;
   
          [Description (
           "This is the value of the IPSO field type.  For "
             "ClassificationLevel, the values are:\n"
           "61=TopSecret, 90=Secret, 150=Confidential, "
             "171=Unclassified.\n"
             "\n"
           "For ProtectionAuthority, the values are:\n"
           "0=GENSER, 1=SIOP-ESI, 2=SCI, 3=NSA, 4=DOE."),
          ModelCorrespondence {
                   "CIM_IPSOFilterEntry.MatchConditionType" } ]
       uint16 MatchConditionValue;
   };
   
   // ==================================================================
   //     PeerIDPayloadFilterEntry
   // ==================================================================
           [Description (
          "PeerIDPayloadFilterEntry defines filters used to match ID "
          "payload values from the IKE protocol exchange." ) ]
   
   class CIM_PeerIDPayloadFilterEntry : CIM_FilterEntryBase
   {
           [Description (
            "MatchIdentityType specifies the type of indentity provided "
            "by the peer in the ID payload." ),
            ValueMap
             {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
          Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
          "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
            "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
          ModelCorrespondence {
                   "CIM_PeerIDPayloadFilterEntry.MatchIdentityValue" } ]
       uint16 MatchIdentityType;
   
          [Description (
          "MatchIdentityValue is the filter value for comparison with "
          "the ID payload, e,g, \"*@company.com\". The syntax may need "
          "to be converted for comparison.  For example, if the type "
          "of identity is a distinguished name, \"DER_ASN1_DN,\" the "
          "MatchIdentityValue is represented by a DN string value "
          "and this value must be converted into a DER-encoded string "
          "before it can be matched against the values extracted from "
          "IKE ID payloads at runtime (or vice-versa). " ),
          ModelCorrespondence {
                   "CIM_PeerIDPayloadFilterEntry.MatchIdentityType" } ]
       string MatchIdentityValue;
   };
   
   
   // ==================================================================
   //     IPsecPolicyGroup
   // ==================================================================
           [Description (
         "IPsecPolicyGroup aggregates the set of rules of an IPsec "
           "policy. These groups are weak to a System via the "
           "PolicyGroupInSystem association. \n\n"
           "The IPsecPolicyForSystem and IPsecPolicyForEndpoint "
           "associations are used to specify the System and/or "
           "IPProtocolEndpoints to which an IPsecPolicyGroup applies.  "
           "(Examples of a System and an IPProtocolEndpoint are a router "
           "and a router interface, respectively.)\n\n"
         "The RuleForIKENegotiation aggregates the phase 1 IKE "
           "negotiation rules that are part of the group; the "
           "RuleForIPsecNegotiation aggregates the phase 2 IKE "
           "negotiation rules. \n\n"
         "The PolicySetComponent aggregation is used to define a "
           "nested group of IPsec policy groups, with each policy group "
           "containing one or more rules.\n\n"
           "Any nested groups of rules are prioritized with respect to "
           "one another and the aggregated rules are evaluated using a "
           "'first match' decision strategy, i.e., when evaluating the "
           "list of IKE rules, they are evaluated in priority order "
           "until a match is found and when evaluating the list of "
           "IPsec rules, they are evaluated in priority order until a "
           "match is found." ) ]
   
   class CIM_IPsecPolicyGroup: CIM_PolicyGroup
   {
   };
   
   // ==================================================================
   //     SARule
   // ==================================================================
           [Description (
          "SARule is a base class for defining IKE and IPsec Rules. "
            "Although concrete, it is not intended to be instantiated. "
          "It defines a common anchor point for defining associations "
          "and aggregations to conditions, actions, and security "
          "associations (SAs) for both types of rules.  Each valid "
            "IPsecPolicyGroup must contain SARules that each have a "
          "unique associated priority number in "
            "PolicySetComponent.Priority. " ) ]
   
   class CIM_SARule: CIM_PolicyRule
   {
           [Description (
          "LimitNegotiation is used as part of processing either an "
          "IKE or an IPsec rule. Before proceeding with either a "
          "phase 1 or a phase 2 negotiation, this property "
          "is checked to determine if the negotiation role of the rule "
          "matches that defined for the negotiation being undertaken "
          "(e.g., Initiator, Responder, or Both). If this check fails, "
          "then the IKE negotiation is stopped. Note that this only "
          "applies to new IKE negotiations and has no effect on either "
          "renegotiation or refresh operations with peers for which "
          "an established SA already exists. " ),
          ValueMap { "1", "2", "3" },
          Values { "Initiator-only", "Responder-Only", "Either"} ]
       uint16 LimitNegotiation;
          [Override("ExecutionStrategy"), Description (
          "ExecutionStrategy defines the strategy to be used in "
          "executing the sequenced actions aggregated by this "
          "PolicyRule.\n"
            "\n"
            "In SARule, ExecutionStrategy MUST be set to 'Do All'. "
            "SAActionInRule.FallbackAction is used to control the "
            "fallback behavior."),
          Values {"2"}, ValueMap {"Do All"}]
       uint16 ExecutionStrategy;
   };
   
   // ==================================================================
   //     IKERule
   // ==================================================================
           [Description (
          "IKERule contains the Conditions and Actions for IKE phase 1 "
            "negotiations or to specify static actions such as Discard. "
            "The conditions and actions are contained in one or more "
            "IPsecPolicyGroup classes. ") ]
   
   class CIM_IKERule : CIM_SARule
   {
         [Description (
          "IdentityContexts is a string array that corresponds to an "
          "ANDed list of values. If multiple strings exist, then they "
          "are to be logically ORed with each other. This property is "
          "used to establish a phase 1 IKE SA by using this property "
          "in conjunction with the UseIKEIdentityType property in the "
          "corresponding IKEAction. These two properties are then "
          "used to find an appropriate IKEIdentity object for use on "
          "the protected IPProtocolEndpoint." ),
          ModelCorrespondence { "CIM_IKEIdentity.IdentityContexts" } ]
       string IdentityContexts [];
   };
   
   // ==================================================================
   //     IPsecRule
   // ==================================================================
           [Description (
          "IPsecRule contains the Conditions and Actions for phase 2 "
            "negotiations or to specify static actions such as Discard. "
            "The conditions and actions are contained in one or more "
            "IPsecPolicyGroup classes. " ) ]
   
   class CIM_IPsecRule : CIM_SARule
   {
   };
   
   // ==================================================================
   //     SAAction
   // ==================================================================
           [Description (
          "SAAction is the base class for the various types of IKE or "
            "IPsec actions and, although concrete, it is not intended to "
            "be instantiated.  It is used for aggregating different "
          "types of actions to IKE and IPsec rules. " ) ]
   
   class CIM_SAAction : CIM_PolicyAction
   {
         [Description (
          "DoActionLogging causes a log message to be generated when "
            "the action is performed. " ) ]
       boolean DoActionLogging;
   
         [Description (
          "DoPacketLogging causes a log message to be generated when "
            "the action is applied to a packet. " ) ]
       boolean DoPacketLogging;
   };
   
   
   // ==================================================================
   //     SAStaticAction
   // ==================================================================
           [Description (
          "SAStaticAction is the base class for both IKE as well as "
            "IPsec actions that require no negotiation. Although this "
            "class is concrete, it is not intended to be instantiated. " ) ]
   
   class CIM_SAStaticAction : CIM_SAAction
   {
         [Description (
            "LifetimeSeconds specifies how long the SA derived from this "
            "action should be used.  A value of 0 means infinite "
            "lifetime. A non-zero value is typically used when the "
            "negotiation fails. " ),
            Units ("Seconds") ]
       uint32 LifetimeSeconds;
   };
   
   // ==================================================================
   //     PreconfiguredSAAction
   // ==================================================================
           [Description (
          "Subclasses of PreconfiguredSAAction is used to create SAs "
            "using preconfigured, hard-wired algorithms and keys. No "
            "negotiation is necessary. Note that the SPI for a "
            "preconfigured SA action is contained in the association, "
            "TransformOfPreconfiguredAction. " ) ]
   
   class CIM_PreconfiguredSAAction : CIM_SAStaticAction
   {
           [Description (
          "ProtocolType defines the type of protocol being used by "
          "this static action. " ) ]
       string ProtocolType;
   
           [Description (
          "LifetimeKilobytes defines a traffic limit in kilobytes "
          "that can be consumed before the SA is deleted. " ) ]
       uint32 LifetimeKilobytes;
   };
   
   // ==================================================================
   //     PreconfiguredTransportAction
   // ==================================================================
           [Description (
          "PreconfiguredTransportAction is used to create Transport "
            "SAs using preconfigured, hard-wired algorithms and keys. No "
          "negotiation is necessary. Note that the SPI for a "
          "preconfigured SA action is contained in the association, "
          "TransformOfPreconfiguredAction. " ) ]
   
   class CIM_PreconfiguredTransportAction : CIM_PreconfiguredSAAction
   {
   };
   
   // ==================================================================
   //     PreconfiguredTunnelAction
   // ==================================================================
           [Description (
          "PreconfiguredTunnelAction is used to create Tunnel SAs "
            "using preconfigured, hard-wired algorithms and keys. No "
          "negotiation is necessary. Note that the SPI for a "
          "preconfigured SA action is contained in the association, "
          "TransformOfPreconfiguredAction. The PeerGateway address "
            "information is provided when the tunnel peer is a security "
            "gateway." ) ]
   
   class CIM_PreconfiguredTunnelAction : CIM_PreconfiguredSAAction
   {
           [Description (
          "DFHandling controls how the Don't Fragment bit "
          "is managed by the tunnel. " ),
            ValueMap {"1", "2", "3"},
            Values {"Copy", "Set", "Clear"}]
       uint16 DFHandling;
   };
   
   // ==================================================================
   //     IPsecBypassAction
   // ==================================================================
           [Description (
          "IPsecBypassAction is used to cause access to be permitted "
          "without invoking the use of IPsec.  Packets are forwarded "
          "in the clear. " ) ]
   
   class CIM_IPsecBypassAction : CIM_SAStaticAction
   {
   };
   
   // ==================================================================
   //     IPsecDiscardAction
   // ==================================================================
           [Description (
         "IPsecDiscardAction is used to cause access to be denied. "
         "That is, packets are simply discarded. " ) ]
   
   class CIM_IPsecDiscardAction : CIM_SAStaticAction
   {
   };
   
   // ==================================================================
   //     IKERejectAction
   // ==================================================================
           [Description ("IKERejectAction is used to cause an IKE "
           "negotiation to be terminated.   For example, it can be used "
           "in conjunction with an address filter on UDP port 500 to "
           "reduce DoS vulnerability or it can be used on a low priority "
           "rule to explicitly define the default action for IKE "
           "negotiations.")]
   
   class CIM_IKERejectAction : CIM_SAStaticAction
   {
   };
   
   // ==================================================================
   //     SANegotiationAction
   // ==================================================================
           [Description (
          "SANegotiationAction is the base class for negotiated SAs "
          "and, although concrete, is not intended to be instantiated. "
          "It specifies the common parameters that control the IKE "
          "phase 1 and phase 2 key exchange negotiations. " ) ]
   
   class CIM_SANegotiationAction : CIM_SAAction
   {
           [Description (
         "MinLifetimeSeconds prevents certain denial of service "
         "attacks based on very short SA lifetimes. "),
            Units("Seconds")]
       uint32 MinLifetimeSeconds;
   
           [Description (
          "RefreshThresholdSeconds is the lifetime percentage at which "
          "IKE should automatically attempt to acquire a new SA before "
          "an existing SA expires.  A random period may be added to a "
          "calculated threshold to reduce network thrashing. " ) ]
       uint8 RefreshThresholdSeconds;
   
           [Description (
          "IdleDurationSeconds is the time an SA can remain idle "
          "before it is automatically deleted.  The default (zero) "
          "value indicates that there is no idle duration timer "
            "and that the SA is deleted based upon the SA lifetime."),
            Units("Seconds") ]
       uint32 IdleDurationSeconds;
   
           [Description (
         "MinLifetimeKilobytes prevents certain denial of service "
         "attacks based on very short SA lifetimes.")]
       uint32 MinLifetimeKilobytes;
   
           [Description (
          "RefreshThresholdKilobytes is the percentage of the SA"
            "kilobyte limit remaining before the SA is refreshed. "
            "A random value may be added to a calculated threshold "
          "to reduce network thrashing. " ) ]
       uint8 RefreshThresholdKilobytes;
   };
   
   // ==================================================================
   //     IKEAction
   // ==================================================================
           [Description (
          "IKEAction specifies the parameters to use for an IKE "
            "phase 1 negotiation. " ) ]
   
   class CIM_IKEAction : CIM_SANegotiationAction
   {
           [Description (
          "RefreshThresholdDerivedKeys is the percentage of the "
          "derived key limit remaining before the IKE phase 1 "
            "SA is renegotiated.  The default value (zero) means there "
            "is no limit. " ) ]
       uint8 RefreshThresholdDerivedKeys;
   
           [Description (
          "The ExchangeMode designates the mode IKE should use for "
          "its key negotiations. " ),
            ValueMap {"1", "2", "4"},
            Values {"Base", "Main", "Aggressive" } ]
       uint16 ExchangeMode;
   
           [Description (
         "UseIkeIdentityType is used in conjunction with the available "
           "IKEIdentity instances for the IPProtocolEndpoint. "
           "UseIKEIdentityType designates the type of IKE Identity to "
           "use in sending an IKE message."),
           ValueMap
             {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
           Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
           "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
             "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
         ModelCorrespondence {
                   "CIM_IKEIdentity.IdentityType" } ]
       uint16 UseIKEIdentityType;
   
           [Description ("The VendorID property is used to identify "
            "vendor-defined key exchange GroupIDs."),
           ModelCorrespondence {"CIM_IKEAction.AggressiveModeGroupID"}]
       string VendorID;
   
           [Description (
            "When IKEAction.ExchangeMode is set to \"Aggressive\", "
          "this property specifies the key exchange groupID to use "
            "in a proposal. If the GroupID number is from the vendor-"
            "specific range (32768-65535), the VendorID qualifies the "
            "group number.  Well-known group identifiers from RFC2412 "
            "are:  0='Not Applicable', 1='DH768', 2='DH1024', "
            "3='ECC2N155', 4='ECC2N185', and 5='DH1536'"),
           ModelCorrespondence {"CIM_IKEAction.VendorID"}]
       uint16 AggressiveModeGroupID;
   };
   
   // ==================================================================
   //     IPsecAction
   // ==================================================================
           [Description (
          "IPsecAction specifies the parameters to use for an IKE "
          "phase 2 negotiation. " ) ]
   
   class CIM_IPsecAction : CIM_SANegotiationAction
   {
           [Description (
          "UsePFS indicates whether perfect forward secrecy "
            "is required when refreshing keys.")]
       boolean UsePFS;
   
           [Description ("The VendorID property is used to identify "
            "vendor-defined key exchange GroupIDs."),
           ModelCorrespondence {"CIM_IPsecAction.GroupId"}]
       string VendorID;
   
           [Description (
          "GroupId specifies the PFS group ID to use. This value is "
          "only used if PFS is True and UseIKEGroup is False. "
            "If the GroupID number is from the vendor-specific range "
            "(32768-65535), the VendorID qualifies the group number.  "
            "Well-known group identifiers from RFC2412 are:\n"
            " 0='Not Applicable', 1='DH768', 2='DH1024', "
            "3='ECC2N155', 4='ECC2N185', and 5='DH1536'"),
           ModelCorrespondence {"CIM_IPsecAction.VendorID"}]
       uint16 GroupId;
   
           [Description (
          "UseIKEGroup indicates that the phase 2 GroupId should be "
          "the same as that used in the phase 1 protecting this phase "
            "2 exchange.  IF PFS is False, UseIKEGroup is ignored. " ) ]
       boolean UseIKEGroup;
   
           [Description (
          "Granularity controls whether proposed selectors for an "
          "SA should be:\n"
          "- the subnet mask (Subnet)\n"
          "- the IP address (Address)\n"
          "- the IP address & the IP protocol (Protocol)\n"
          "- the IP address, the IP protocol & the layer 4 port (Port) "
            "\n"
          "as derived from the traffic that triggered the FilterList "
          "of the Condition(s) that matched the rule."),
          ValueMap {"1", "2", "3", "4"},
          Values {"Subnet", "Address", "Protocol", "Port"}]
       uint16 Granularity;
   };
   
   
   // ==================================================================
   //     IPsecTransportAction
   // ==================================================================
           [Description (
          "IPsecTransportAction is used to specify transport "
          "encapsulation mode. " ) ]
   
   class CIM_IPsecTransportAction : CIM_IPsecAction
   {
   };
   
   
   // ==================================================================
   //     IPsecTunnelAction
   // ==================================================================
           [Description (
          "IPsecTunnelAction is used to specify tunnel "
          "encapsulation mode. " ) ]
   
   class CIM_IPsecTunnelAction : CIM_IPsecAction
   {
           [Description (
          "DFHandling controls how the Don't Fragment bit "
          "is managed by the tunnel. " ),
            ValueMap {"1", "2", "3"},
            Values {"Copy", "Set", "Clear"}]
       uint16 DFHandling;
   };
   
   // ==================================================================
   //     SATransform
   // ==================================================================
           [Abstract, Description (
          "SATransform is the base class for the various types of "
          "transforms aggregated into phase 2 proposals. Note that "
          "it is weak to its containing System." ) ]
   
   class CIM_SATransform : CIM_Policy
   {
           [Propagated ("CIM_System.CreationClassName"), Key,
              MaxLen (256), Description (
            "The scoping System's CreationClassName.") ]
       string SystemCreationClassName;
   
           [Propagated ("CIM_System.Name"), Key, MaxLen (256),
              Description (
            "The scoping System's Name.") ]
       string SystemName;
   
           [Key, MaxLen (256), Description (
          "CreationClassName indicates the name of the class or "
          "the subclass used in the creation of an instance. When "
          "used with the other key properties of this class, this "
          "property allows all instances of this class and its "
          "subclasses to be uniquely identified. " ) ]
       string CreationClassName;
   
           [Override ("CommonName"), Key, MaxLen (256), Description (
          "The Name property provides a user-friendly unique "
          "name for this SATransform. " ) ]
       string CommonName;
   
           [Description (
          "MaxLifetimeSeconds specifies the maximum time the "
            "IKE message sender proposes for an SA to be considered "
            "valid after it has been created."),
         Units ("Seconds") ]
       uint32 MaxLifetimeSeconds;
   
           [Description (
          "MaxLifetimeKilobytes specifies the maximum kilobyte "
          "lifetime the IKE message sender proposes for an SA to "
            "be considered valid after it has been created.  Each "
            "proposal may use a different lifetime based upon the "
            "strength of the encryption algorithm. " ) ]
       uint32 MaxLifetimeKilobytes;
   
           [Description (
          "The VendorID property is used to identify "
            "vendor-defined transforms.") ]
       string VendorID;
   };
   
   // ==================================================================
   //     AHTransform
   // ==================================================================
           [Description (
          "AHTransform defines the parameters used for phase 2 "
          "negotiation of an AH SA. " ) ]
   
   class CIM_AHTransform  : CIM_SATransform
   {
           [Description (
          "AHTransformId is an enumeration that specifies the "
            "hash algorithm to be used. " ),
            ValueMap {"2", "3", "4"},
            Values {"MD5", "SHA-1", "DES"} ]
       uint16 AHTransformId;
   
        [Description (
           "UseReplayPrevention causes the local peer to compute the "
           "next sequence number when sending a packet or to check the "
           "sequence number when receiving a packet. " ) ]
       boolean UseReplayPrevention;
   
        [Description (
           "ReplayPreventionWindowsSizw specifies, in bits, the length "
           "of the sliding window used by the replay prevention "
           "mechanism. The value of this property is meaningless if "
           "UseReplayPrevention is false. It is assumed that the window "
           "size will be power of 2.")]
       uint32 ReplayPreventionWindowSize;
   };
   
   // ==================================================================
   //     ESPTransform
   // ==================================================================
           [Description (
          "ESPTransform defines the parameters used for phase 2 "
          "negotiation of an ESP SA. " ) ]
   
   class CIM_ESPTransform  : CIM_SATransform
   {
           [Description (
          "IntegrityTransformId is an enumeration that specifies "
          "the ESP integrity algorithm for the proposal. " ),
            ValueMap {"0", "1", "2", "3", "4"},
          Values {"None", "MD5", "SHA-1", "DES", "KPDK"} ]
       uint16 IntegrityTransformId;
   
           [Description (
          "CipherTransformId is an enumeration that specifies the "
          "ESP encryption algorithm for the proposal. " ),
            ValueMap
             {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
          Values {"DES_IV64", "DES", "3DES", "RC5", "IDEA", "CAST",
             "Blowfish", "3-IDEA", "DES_IV32", "RC4", "NULL" }]
       uint16 CipherTransformId;
   
           [Description (
          "CipherKeyLength specifies, in bits, the key length for "
          "the encryption algorithm.  For algorithms with fixed "
          "key lengths, this value is ignored.")]
       uint16 CipherKeyLength;
   
           [Description (
          "CipherKeyRounds specifies the key rounds for the "
          "encryption algorithm.  Currently, key rounds are not "
            "defined for any IPsec encryption algorithms. " ) ]
       uint16 CipherKeyRounds;
   
        [Description (
           "UseReplayPrevention causes the local peer to compute the "
           "next sequence number when sending a packet or to check the "
           "sequence number when receiving a packet. " ) ]
       boolean UseReplayPrevention;
   
        [Description (
           "ReplayPreventionWindowsSizw specifies, in bits, the length "
           "of the sliding window used by the replay prevention "
           "mechanism. The value of this property is meaningless if "
           "UseReplayPrevention is false. It is assumed that the window "
           "size will be power of 2.")]
       uint32 ReplayPreventionWindowSize;
   };
   
   
   // ==================================================================
   //     IPCOMPTransform
   // ==================================================================
           [Description (
          "IPCOMPTransform specifies the compression algorithm "
          "to use. " ) ]
   
   class CIM_IPCOMPTransform : CIM_SATransform
   {
           [Description (
          "The Algorithm is an enumeration that designates the "
            "IPCOMP compression algorithm to use.  OUI designates a "
            "vendor-specific algorithm."),
            ValueMap {"1", "2", "3", "4"},
            Values {"OUI", "DEFLATE", "LZS", "V42BIS"}]
       uint16 Algorithm;
   
           [Description (
          "DictionarySize is an optional field that specifies the "
          "log2 maximum size of the dictionary. " ) ]
       uint16 DictionarySize;
   
           [Description (
          "Private compression algorithm, used when TransformId "
          "is OUI. " ) ]
       uint32 PrivateAlgorithm;
   };
   
   // ==================================================================
   //     SAProposal
   // ==================================================================
           [Abstract, Description (
          "SAProposal is a base class defining the common "
          "properties of and anchoring common associations "
          "for IKE phase 1 and phase 2 (IPsec) proposals.") ]
   
   class CIM_SAProposal : CIM_Policy
   {
         [Propagated ("CIM_System.CreationClassName"), Key,
          MaxLen (256), Description (
          "The scoping System's CreationClassName.") ]
       string SystemCreationClassName;
   
         [Propagated ("CIM_System.Name"), Key,
          MaxLen (256), Description (
          "The scoping System's Name.") ]
       string SystemName;
   
           [Key, MaxLen (256), Description (
          "CreationClassName indicates the name of the class "
          "or the subclass used in the creation of an "
          "instance. When used with the other key properties of "
            "this class, this property allows all instances of this "
            "class and its subclasses to be uniquely identified.") ]
       string CreationClassName;
   
           [Key, MaxLen (256), Description (
          "The Name property uniquely identifies the "
          "CIM_SAProposal.") ]
       string Name;
   };
   
   // ==================================================================
   //     IKEProposal
   // ==================================================================
           [Description ("IKEProposal contains the parameters necessary "
            "to drive the phase 1 IKE negotiation.") ]
   
   class CIM_IKEProposal : CIM_SAProposal
   {
           [Description ("LifetimeDerivedKeys specifies the number of "
            "times a phase 1 key will be used to derive a phase 2 "
            "(IPsec) key.  A value of 0 indicates that there is no limit "
            "to the number of phase 2 keys that can be derived from the "
            "phase 1 key.") ]
       uint32 LifetimeDerivedKeys ;
   
           [Description ("CipherAlgorithm is an enumeration that "
            "specifies the proposed encryption algorithm."),
            ValueMap { "1", "2", "3", "4", "5", "6" },
          Values { "DES", "IDEA", "Blowfish", "RC5", "3DES",
            "CAST"}]
       uint16 CipherAlgorithm;
   
           [Description ("HashAlgorithm is an enumeration that specifies "
            "the proposed hash function."),
            ValueMap {"1", "2", "3"},
            Values {"MD5", "SHA-1", "Tiger"}]
       uint16 HashAlgorithm;
   
           [Description ("PRFAlgorithm specifies the pseudo-random "
            "function IKE should use.  Currently, no such functions are "
            "defined.")]
       uint16 PRFAlgorithm;
   
           [Description ("The VendorID property is used to identify "
            "vendor-defined key exchange GroupIDs."),
           ModelCorrespondence {"CIM_IKEProposal.GroupId"}]
       string VendorID;
   
           [Description ("When IKEAction.ExchangeMode is set to "
          "\"Base\" or to \"Main,\" the GroupId specifies the key "
          "exchange group ID to use in a proposal, otherwise, "
          "GroupId is set to 0, \"Not Applicable,\" and ignored. "
            "If the GroupID number is from the vendor-specific range "
            "(32768-65535), the VendorID qualifies the group number.  "
            "Well-known group identifiers from RFC2412 are:\n"
            " 0='Not Applicable', 1='DH768', 2='DH1024', "
            "3='ECC2N155', 4='ECC2N185', and 5='DH1536'"),
           ModelCorrespondence {"CIM_IKEProposal.VendorID"}]
       uint16 GroupId;
   
         [Description ("AuthenticationMethod is an enumeration that "
            "specifies the authentication method to use for the "
            "proposal. If the value 0 (Any) is used, then the proposal "
            "should be multiplied in the IKE proposal list by as many "
            "authentication methods as correspond to credentials on the "
            "system (e.g., if the system has a preshared key and a "
            "certificate, then the proposal will be repeated twice -- "
            "once for each method)."),
            ValueMap { "0", "1", "2", "3", "4", "5", "6" },
            Values {"Any", "Preshared", "DSS_Signatures",
          "RSA_Signatures", "RSA_Encryption", "Revised_RSA_Encryption",
          "Kerberos" } ]
       uint16 AuthenticationMethod;
   
           [Description ("MaxLifetimeSeconds specifies the maximum time "
            "the IKE message sender proposes for an SA to be considered "
            "valid after it has been created."), Units("Seconds") ]
       uint32 MaxLifetimeSeconds;
   
           [Description ("MaxLifetimeKilobytes specifies the maximum "
            "kilobyte lifetime the IKE message sender proposes for an SA "
            "to be considered valid after it has been created.  Each "
            "proposal may use a different lifetime based upon the "
            "strength of the encryption algorithm.") ]
       uint32 MaxLifetimeKilobytes;
   };
   
   // ==================================================================
   //     IPsecProposal
   // ==================================================================
           [Description ("IPsecProposal aggregates the transform list "
            "that specify the phase 2 negotiation proposals for "
            "transform parameters.") ]
   
   class CIM_IPsecProposal : CIM_SAProposal
   {
   };
   
   // ==================================================================
   //     IKEService
   // ==================================================================
           [Description (
            "Derived from NetworkService, IKEService represents the "
            "functions performed during IKE phase 1 and phase 2 "
            "negotiations.  An IKEService instance provides services "
            "for IPProtocolEndpoints on a System.") ]
   
   class CIM_IKEService: CIM_NetworkService
   {
   };
   
   // ==================================================================
   //     PeerGateway
   // ==================================================================
           [Description ("PeerGateway identifies a security gateway with "
          "which an IKE Service negotiates.") ]
   
   class CIM_PeerGateway: CIM_LogicalElement
   {
         [Propagated ("CIM_System.CreationClassName"), Key,
            MaxLen (256), Description (
          "The scoping System's CreationClassName. ") ]
       string SystemCreationClassName;
   
         [Propagated ("CIM_System.Name"), Key, MaxLen (256),
          Description ("The scoping System's Name.") ]
       string SystemName;
   
         [Key, MaxLen (256), Description (
          "CreationClassName indicates the name of the class or the "
            "subclass used in the creation of an instance. When used "
            "with the other key properties of this class, this property "
            "allows all instances of this class and its subclasses to "
            "be uniquely identified." ) ]
       string CreationClassName;
   
         [Override ("Name"), Key, MaxLen (256),
          Description (
          "The Name property uniquely identifies the PeerGateway "
          "instance.") ]
       string Name;
   
           [Description ("The PeerIdentityType specifies the type of the "
          "Peer's IKE Identity."),
            ValueMap
             {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
          Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
          "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
            "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
            ModelCorrespondence {"CIM_PeerGateway.PeerIdentity"}]
       uint16 PeerIdentityType;
   
           [Description ("PeerIdentity contains a string encoding of the "
            "Identity payload for the security gateway."),
            ModelCorrespondence {"CIM_PeerGateway.PeerIdentityType"}]
       string PeerIdentity;
   };
   
   // ==================================================================
   //     PeerIdentityTable
   // ==================================================================
           [Description ("PeerIdentityTable aggregates table entries "
          "that provide mappings between identities and their "
          "addresses.") ]
   
   class CIM_PeerIdentityTable: CIM_Collection
   {
         [Propagated ("CIM_System.CreationClassName"), Key,
            MaxLen (256), Description (
          "The scoping System's CreationClassName. ") ]
       string SystemCreationClassName;
   
         [Propagated ("CIM_System.Name"), Key, MaxLen (256),
          Description ("The scoping System's Name.") ]
       string SystemName;
   
         [Key, MaxLen (256), Description (
          "CreationClassName indicates the name of the class or the "
            "subclass used in the creation of an instance. When used "
            "with the other key properties of this class, this property "
            "allows all instances of this class and its subclasses to "
            "be uniquely identified." ) ]
       string CreationClassName;
   
         [Key, MaxLen (256), Description ("The Name property uniquely "
          "identifies the PeerIdentityTable." ) ]
       string Name;
   };
   
   // ==================================================================
   //     PeerIdentityEntry
   // ==================================================================
           [Description ("A PeerIdentityEntry in a PeerIdentityTable "
          "provides the mappings between peer's addresses and "
          "identities." ) ]
   
   class CIM_PeerIdentityEntry: CIM_LogicalElement
   {
         [Propagated ("CIM_PeerIdentityTable.SystemCreationClassName" ),
            Key, MaxLen (256), Description (
          "The scoping System's CreationClassName. " ) ]
       string SystemCreationClassName;
   
         [Propagated ("CIM_PeerIdentityTable.SystemName"), Key,
            MaxLen (256), Description ("The scoping System's Name." ) ]
       string SystemName;
   
         [Propagated ("CIM_PeerIdentityTable.CreationClassName"), Key,
          MaxLen (256), Description (
          "The scoping PeerIdentityTable CreationClassName.") ]
       string TableCreationClassName;
   
         [Propagated ("CIM_PeerIdentityTable.Name"), Key,
          MaxLen (256), Description (
          "The scoping PeerIdentityTable Name." ) ]
       string TableName;
   
         [Key, MaxLen (256), Description (
          "CreationClassName indicates the name of the class or the "
            "subclass used in the creation of an instance. When used "
            "with the other key properties of this class, this property "
            "allows all instances of this class and its subclasses to "
            "be uniquely identified.") ]
       string CreationClassName;
   
           [Key, Description ("The PeerIdentityType specifies the type "
          "of the Peer's IKE Identity."),
            ValueMap
             {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
          Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
          "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
            "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
            ModelCorrespondence {"CIM_PeerIdentityEntry.PeerIdentity"}]
       uint16 PeerIdentityType;
   
           [Key, Description ("PeerIdentity contains a string encoding "
          "of the Identity payload for the peer."),
            ModelCorrespondence {"CIM_PeerIdentityEntry.PeerIdentityType"}]
       string PeerIdentity;
   
         [Key, Description (
          "An enumeration that describes the format of the PeerAddress "
          "property. Addresses that can be formatted in IPv4 format, "
          "must be formatted that way to ensure mixed IPv4/IPv6 "
          "support."),
          ValueMap { "0", "1", "2" },
          Values { "Unknown", "IPv4", "IPv6" },
            ModelCorrespondence {"CIM_PeerIdentityEntry.PeerAddress"}]
       uint16 PeerAddressType;
   
         [Key, Description (
          "The string representation of the IP address of the peer "
            "formatted according to the appropriate convention as "
            "defined in the PeerAddressType property of this class "
          "(e.g., 171.79.6.40)."),
            ModelCorrespondence {"CIM_PeerIdentityEntry.PeerAddressType"}]
       string PeerAddress;
   };
   
   // ==================================================================
   //     IPsecProtectionSuite
   // ==================================================================
           [Description ("IPsecProtectionSuite represents the collection "
            "of SAs negotiated as a set by IKE.  A protection suite may "
            "consist of up to 6 individual SAs (incoming and outgoing "
            "SAs for AH, ESP, and IPCOMP)") ]
   
   class CIM_IPsecProtectionSuite : CIM_Collection
   {
           [Key, MaxLen (256), Description (
            "CreationClassName indicates the name of the class or the "
          "subclass used in the creation of an instance. When used "
          "with the other key properties of this class, this property "
          "allows all instances of this class and its subclasses to "
          "be uniquely identified.") ]
   
       string CreationClassName;
          [Key, MaxLen (256), Description (
           "The Name property uniquely identifies the Service and "
           "provides an indication of the functionality that is "
           "managed. This functionality is described in more detail in "
           "the object's Description property. ") ]
       string Name;
   
          [Propagated ("CIM_IPProtocolEndpoint.SystemCreationClassName"),
             Key, MaxLen (256), Description (
           "The scoping System's CreationClassName. ") ]
       string SystemCreationClassName;
   
          [Propagated ("CIM_IPProtocolEndpoint.SystemName"), Key,
             MaxLen (256), Description ("The scoping System's Name.") ]
       string SystemName;
   
          [Propagated ("CIM_IPProtocolEndpoint.CreationClassName"), Key,
             MaxLen (256), Description (
           "The scoping IPProtocolEndpoint's CreationClassName. ") ]
       string SAPCreationClassName;
   
          [Propagated ("CIM_IPProtocolEndpoint.Name"), Key,
           MaxLen (256), Description (
           "The scoping IPProtocolEndpoint's Name.") ]
       string SAPName;
   };
   
   // ==================================================================
   //     IKEIdentity
   // ==================================================================
           [Description ("IKEIdentity is used to represent the "
            "identities that may be used for an IPProtocolEndpoint (or "
            "collection of IPProtocolEndpoints) to identify the "
            "IKEService in IKE phase 1 negotiations.  The policy "
            "IKEAction.UseIKEIdentityType specifies which type of the "
            "available identities to use in a negotiation exchange and "
          "the IKERule.IdentityContexts specifies the match values to "
          "be used, along with the local address, in selecting the "
            "appropriate identity for a negotiation. The ElementID "
            "property value should be that of either the "
            "IPProtocolEndpoint or Collection of endpoints as "
            "appropriate.") ]
   
   class CIM_IKEIdentity : CIM_UsersAccess
   {
           [Description ("The IdentityType specifies the type of IKE "
            "Identity."),
            ValueMap
             {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
          Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
          "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
            "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
            ModelCorrespondence {"CIM_IKEAction.UseIKEIdentity",
                   "CIM_IKEIdentity.IdentityValue"}]
       uint16 IdentityType;
   
           [Description ("IdentityValue contains a string encoding of "
            "the Identity payload.  For IKEIdentity instances that are "
            "address types, the IdentityValue string value may be "
            "omitted and the associated IPProtocolEndpoint or "
            "appropriate member of the Collection of endpoints is used."),
            ModelCorrespondence {"CIM_IKEIdentity.IdentityType"}]
       string IdentityValue;
   
         [Description (
          "The IdentityContexts property is used to constrain the use "
          "of IKEIdentity instances to match that specified in the "
          "IKERule.IdentityContexts.  The IdentityContexts are "
          "formatted as policy roles and role combinations.  Each "
          "value represents one context or context combination.  Since "
          "this is a multi-valued property, more than one context or "
          "combination of contexts can be associated with a single "
          "IKEIdentity.  Each value is a string of the form:\n"
          "  <ContextName>[&&<ContextName>]*\n"
          "where the individual context names appear in alphabetical "
          "order (according to the collating sequence for UCS-2). "
          "If one or more values in the IKERule.IdentityContexts array "
          "match one or more IKEIdentity.IdentityContexts then the "
          "identity's context matches.  (That is, each value of the "
          "IdentityContext array is an ORed condition.)  In "
          "combination with the address of the IPProtocolEndpoint and "
          "IKEAction.UseIKEIdentityType, there should be 1 and only 1 "
          "IKEIdentity." ),
          ModelCorrespondence {"CIM_IKERule.IdentityContexts" } ]
       string IdentityContexts [];
   };
   
   // ==================================================================
   //     SecurityAssociation
   // ==================================================================
           [Description ("SecurityAssociation (SA) subclasses are used "
           "to represent the protocol endpoint of the secure connection "
           "established with the IKE/ISAKMP protocol.  An SA is used for "
           "each direction of flow.") ]
   
   class CIM_SecurityAssociation : CIM_ProtocolEndpoint
   {
           [Description (
          "TimeOfCreation records when the SA was created")]
       datetime TimeOfCreation;
   
           [Description ("LifetimeSeconds specifies the maximum time SA "
            "will be considered valid after it has been created."),
            Units("Seconds") ]
       uint32 LifetimeSeconds;
   
           [Description ("RefreshThresholdSeconds is the lifetime "
            "percentage at which IKE should automatically attempt to "
            "acquire a new SA before the existing SA expires.  A random "
            "period may be added to a calculated threshold to reduce "
            "network thrashing.")]
       uint8 RefreshThresholdSeconds;
   
           [Description ("LastAccessed enables deletion if SA is idle "
          "too long.")]
       datetime LastAccessed;
   
           [Description ("IdleDurationSeconds specifies how long the SA "
            "can be idle before it is deleted.  The default value, 0, "
            "indicates that there is no idle time out period."),
            Units("Seconds")]
       uint32 IdleDurationSeconds;
   
           [Description ("How many bytes have been protected by this SA")]
       uint32 ByteCount;
           [Description ("LifetimeKilobytes specifies the maximum number "
            "of kilobytes of data traffic to be protected by the SA.  It "
            "is deleted SA if LifetimeKilobyte value is exceeded.")]
       uint32 LifetimeKilobytes;
   
           [Description ("RefreshThresholdKilobytes is the ByteCount "
          "value, expressed as a percentage of the LifetimeKilobytes, "
          "at which IKE should begin to renegotiate a new SA.  A "
          "random value may be added to the calculated threshold to "
          "reduce network thrashing.")]
       uint8 RefreshThresholdKilobytes;
   
           [Description (
          "DoPacketLogging causes a log to be kept of traffic "
          "processed by the SA." )]
       boolean DoPacketLogging;
   };
   
   // ==================================================================
   //     IKESecurityAssociation
   // ==================================================================
           [Description ("IKESecurityAssociation is the SA used by IKE "
            "to protect key negotiation traffic.") ]
   
   class CIM_IKESecurityAssociation : CIM_SecurityAssociation
   {
           [Description ("Identifier of the IKE phase 1 negotiation "
            "initiator.  Combined with the ResponderCookie, this value,"
            "in string form, may be used to construct the value of the "
            "key field 'Name'." ) ]
       uint64 InitiatorCookie;
   
           [Description ("Identifier of the IKE phase 1 negotiation "
            "responder.  Combined with the InitiatorCookie, this value,"
            "in string form, may be used to construct the value of the "
            "key field 'Name'." ) ]
       uint64 ResponderCookie;
   
           [Description ("How many phase 2 derived keys have been "
            "negotiated with this SA." ) ]
       uint32 DerivedKeyCount;
   
           [Description ("Delete SA if more than LiftetimeDerivedKeys "
            "phase 2 keys derived.  A zero value indicates that there is"
            "no limit to the number of phase 2 derived keys." ) ]
       uint32 LifetimeDerivedKeys;
   
           [Description ("Percentage of LifetimeDerivedKeys at which "
            "SA should be refreshed." ) ]
       uint8 RefreshThresholdDerivedKeys;
   
           [Description ("CipherAlgorithm is an enumeration that "
            "specifies the proposed encryption algorithm."),
            ValueMap { "1", "2", "3", "4", "5", "6" },
            Values
             {"DES", "IDEA", "Blowfish", "RC5", "3DES", "CAST"}]
       uint16 CipherAlgorithm;
   
           [Description ("HashAlgorithm is an enumeration that specifies "
            "the proposed hash function."),
            ValueMap {"1", "2", "3"},
            Values {"MD5", "SHA-1", "Tiger" } ]
       uint16 HashAlgorithm;
   
           [Description ("GroupId specifies the key exchange group ID. "
            "If the GroupID number is from the vendor-specific range "
            "(32768-65535), the VendorID qualifies the group number.  "
            "Well-known group identifiers from RFC2412 are:\n"
            "1='DH768', 2='DH1024', 3='ECC2N155', 4='ECC2N185', and "
            "5='DH1536'"),
           ModelCorrespondence {"CIM_IKESecurityAssociation.VendorID"}]
       uint16 GroupId;
   
           [Description ("VendorID identifies the vendor ID for "
            "vendor-defined algorithms."),
           ModelCorrespondence {"CIM_IKESecurityAssociation.GroupId"}]
       string VendorID;
   };
   
   
   // ==================================================================
   //     IPsecSecurityAssociation
   // ==================================================================
           [Description ("IPsecSecurityAssociation is used to represent "
            "both negotiated and static SAs that correspond to AH, ESP, "
            "or IPCOMP.") ]
   
   class CIM_IPsecSecurityAssociation : CIM_SecurityAssociation
   {
           [Description ("SPI contains the Security Parameter Index of "
            "the SA. This value in string form may also be used in "
            "the key field 'Name' inherited from ServiceAccessPoint. ")]
       uint32 SPI;
   
           [Description ("EncapsulationMode indicates whether the "
            "security association is for a transport or tunnel "
          "encapsulation mode."),
            ValueMap {"1", "2"},
          Values {"Tunnel", "Transport"}]
       uint16 EncapsulationMode;
   
           [Description (
          "DFHandling controls how the Don't Fragment bit "
          "is managed by the tunnel. " ),
            ValueMap {"1", "2", "3"},
            Values {"Copy", "Set", "Clear"}]
       uint16 DFHandling;
   };
   
   // ==================================================================
   //     DiscardSecurityAssociation
   // ==================================================================
           [Description ("DiscardSecurityAssociation is the SA type that "
            "causes packets to be dropped.") ]
   
   class CIM_DiscardSecurityAssociation: CIM_SecurityAssociation
   {
   };
   // ==================================================================
   //     BypassSecurityAssociation
   // ==================================================================
           [Description ("BypassSecurityAssociation is the SA type that "
            "causes packets to be sent in the clear.") ]
   
   class CIM_BypassSecurityAssociation: CIM_SecurityAssociation
   {
   };
   
   // ==================================================================
   //     AutostartIKEConfiguration
   // ==================================================================
           [Description ("AutostartIKEConfiguration object allows the "
          "grouping of sets of AutostartIKESetting instances.") ]
   class CIM_AutostartIKEConfiguration : CIM_SystemConfiguration
   {
   };
   
   // ==================================================================
   //     AutostartIKESetting
   // ==================================================================
           [Description ("AutostartIKESetting instances are used to "
           "automatically initiate IKE negotiations with peers (or "
           "statically create an SA) as specified in the "
           "AutostartIKESetting properties.  Appropriate actions are "
           "initiated according to the policy that matches the setting "
           "parameters.") ]
   class CIM_AutostartIKESetting : CIM_SystemSetting
   {
         [Description (
          "Phase1Only is used to limit the IKE negotiation to just "
          "setting up a phase 1 security association.  When set to "
          "False, both phase 1 and 2 negotiations are initiated.") ]
       boolean Phase1Only;
         [Description (
          "An enumeration that describes the format of the source and "
          "destination address properties."),
          ValueMap { "0", "1", "2" },
          Values { "Unknown", "IPv4", "IPv6" },
           ModelCorrespondence {"CIM_AutostartIKESetting.SourceAddress",
                   "CIM_AutostartIKESetting.DestinationAddress"}]
       uint16 AddressType;
         [Description (
          "The dotted-decimal or colon-decimal formatted IP address "
          "used as the source address in comparing with policy "
          "filter entries and used in any phase 2 negotiations."),
           ModelCorrespondence {"CIM_AutostartIKESetting.AddressType"}]
       string SourceAddress;
         [Description (
          "The port number used as the source port in comparing "
          "with policy filter entries and used in any phase "
          "2 negotiations.")]
       uint16 SourcePort;
         [Description (
          "The dotted-decimal or colon-decimal formatted IP address "
          "used as the destination address in comparing with policy "
          "filter entries and used in any phase 2 negotiations."),
           ModelCorrespondence {"CIM_AutostartIKESetting.AddressType"}]
       string DestinationAddress;
         [Description (
          "The port number used as the destination port in comparing "
          "with policy filter entries and used in any phase 2 "
          "negotiations.")]
       uint16 DestinationPort;
         [Description (
          "The protocol number used in comparing with policy filter "
          "entries and used in any phase 2 negotiations.")]
       uint8 Protocol;
   };
   
   
   /////////////////////////////////////////////////////////////////////
   //*******************************************************************
   //  Associations
   //*******************************************************************
   /////////////////////////////////////////////////////////////////////
   
   // ==================================================================
   //     SAConditionInRule
   // ==================================================================
       [ Association, Aggregation, Description (
           "SAConditionInRule aggregates an SARule with the set of "
           "SACondition instances that trigger it.") ]
   
   class CIM_SAConditionInRule : CIM_PolicyConditionInPolicyRule
   {
           [Aggregate, Override ("GroupComponent"), Description (
         "An SARule subclass of PolicyRule." ) ]
       CIM_SARule REF GroupComponent;
   
           [Override ("PartComponent"), Min(1), Description (
         "An SACondition subclass of PolicyCondition. " ) ]
       CIM_SACondition REF PartComponent;
   };
   
   // ==================================================================
   //     FilterOfSACondition
   // ==================================================================
       [ Association, Description (
           "FilterOfSACondition associates a network traffic "
           "specification (FilterList) with a SARule's SACondition." ) ]
   
   class CIM_FilterOfSACondition : CIM_Dependency
   {
           [Override ("Antecedent"), Min(1), Max(1), Description (
           "A FilterList describes the traffic that will specify the "
         "traffic to be filtered that is part of the SACondition of "
         "a policy rule. " ) ]
       CIM_FilterList REF Antecedent;
   
           [Override ("Dependent"), Description (
           "This is the SACondition that uses this FilterList to form "
         "a policy rule. " ) ]
       CIM_SACondition REF Dependent;
   };
   
   // ==================================================================
   //     AcceptCredentialsFrom
   // ==================================================================
           [Association, Description (
           "This is used to specify which credential management service "
           "(e.g., a CertificateAuthority or a Kerberos service) is to "
         "be trusted to certify peer credentials. This is used to "
         "validate that the credential being matched in the "
         "CredentialFilterEntry is a valid credential that has been "
         "supplied by an approved CredentialManagementService. " ) ]
   
   class CIM_AcceptCredentialsFrom : CIM_Dependency
   {
           [Override ("Antecedent"),
         Description ("The CredentialManagementService that is issuing "
         "the credential to be used in the SACondition. " ) ]
       CIM_CredentialManagementService REF Antecedent;
   
           [Override ("Dependent"),
         Description ("SACondition that contains the credential. " ) ]
       CIM_SACondition REF Dependent;
   };
   
   // ==================================================================
   //     SAActionInRule
   // ==================================================================
      [Association, Aggregation, Description (
      "SAActionInRule aggregates SAActions into SARules  In "
      "SAActionInRule, the combination of the ActionOrder value and "
      "the FallbackOrder value MUST be unique so as to specify a "
      "deterministic execution strategy.  An ActionOrder value "
      "specifies a set of actions to be attempted and the order in "
      "which to attempt the set with respect to other ActionOrder "
      "sets.  The FallbackOrder specifies the order in which to "
      "attempt the actions within the set.\n"
      "\n"
      "For example, {ActionOrder=1,FallbackOrder=1} is the backup "
      "action for {ActionOrder=1,FallbackOrder=0} and {ActionOrder=2,"
      "FallbackOrder=1} is the backup action for {ActionOrder=2,"
      "FallbackOrder=0}.  In this example, {1,0} will be attempted "
      "and, if it fails or is otherwise inappropriate, {1,1} is then "
      "attempted.  Regardless of which of these, if any, succeeds, "
      "{2,0} is then attempted, and so on.\n"
      "\n"
      "In an initiator role, if there is more than one action in the "
      "rule, the ActionOrder identified sets are executed as described "
      "above using the FallbackOrder to determin ethe order in which "
      "to attempt actions within a set, i.e., the additional actions "
      "with the same ActionOrder value are 'backup' actions in the "
      "event that the first action is not able to be completed "
      "successfully.  Within each ActionOrder identified set. they are "
      "tried in the FallbackOrder until the list is exhausted or one "
      "completes successfully.\n"
      "\n"
      "In a responder role, it is an error to have more than one "
      "ActionOrder set in the rule however, there may be more than one "
      "action each identified by a unique FallbackOrder value. The "
      "additional actions provide alternative actions depending on the "
      "received proposals.  For example, the same rule may be used to "
      "handle aggressive mode and main mode message flows with "
      "different actions.  The first appropriate action in the list of "
      "actions is used by the responder.")]
   class CIM_SAActionInRule : CIM_PolicyActionInPolicyRule
   {
           [Aggregate, Override ("GroupComponent"), Description (
         "An SARule that contains one or more SAActions. " ) ]
       CIM_SARule REF GroupComponent;
   
         [Override ("PartComponent"), Min(1), Description (
         "An SAAction subclass of PolicyAction which is aggregated "
           "into this SARule. " ) ]
       CIM_SAAction REF PartComponent;
         [Override ("ActionOrder"), Description (
         "ActionOrder is an unsigned integer that indicates the "
           "relative position of this SAAction in the sequence of "
           "actions associated with a PolicyRule.\n"
           "\n"
         "In SAActionInRule, the ActionOrder is used in conjunction "
           "with the FallbackOrder to determine the order in which "
           "actions are attempted.  The ActionOrder value identifies a "
           "set of actions. The combination of the ActionOrder and the "
           "FallbackOrder MUST be unique so as to specify a "
           "deterministic execution strategy.")]
       uint16 ActionOrder;
         [Description (
         "FallbackOrder is an unsigned integer that indicates the "
           "order in which actions in the same ActionOrder-identified "
           "set are attempted.  The lowest-numbered FallbackOrder within "
           "a set is the first attempted, others are used, in order as "
           "backups.  The combination of the ActionOrder and the "
           "FallbackOrder MUST be unique so as to specify a "
           "deterministic execution strategy.")]
       uint16 FallbackOrder;
   };
   
   
   // ==================================================================
   //     IPsecPolicyForSystem
   // ==================================================================
           [Association, Description (
           "IPsecPolicyForSystem associates an IPsec policy with a "
         "specific system (e.g., a host or a network device. If an "
           "IPProtocolEndpoint of a system does not have an "
           "IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the "
           "IPsecPolicyForSystem-associated IPsecPolicyGroup is used for "
           "that endpoint. " ) ]
   
   class CIM_IPsecPolicyForSystem : CIM_Dependency
   {
           [Override ("Antecedent"), Description ("A System to which the "
           "IPsecPolicyGroup applies. " ) ]
       CIM_System REF Antecedent;
   
           [Override ("Dependent"), Min(0), Max(1),
         Description ("The IPsecPolicyGroup that is to be used for "
           "endpoints that do not have an associated IPsecPolicyGroup.") ]
       CIM_IPsecPolicyGroup REF Dependent;
   };
   
   // ==================================================================
   //     IPsecPolicyForEndpoint
   // ==================================================================
           [Association, Description (
           "IPsecPolicyForEndpoint associates an IPsecPolicyGroup "
           "with a specific network interface.  If an IPProtocolEndpoint "
           "of a system does not have an "
           "IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the "
           "IPsecPolicyForSystem associated IPsecPolicyGroup is used for "
           "that endpoint. " ) ]
   
   class CIM_IPsecPolicyForEndpoint : CIM_Dependency
   {
           [Override ("Antecedent"), Description (
         "The IPProtocolEndpoint that identifies an interface "
         "to which the IPsecPolicyGroup applies.") ]
       CIM_IPProtocolEndpoint REF Antecedent;
   
           [Override ("Dependent"), Min (0), Max (1), Description (
         "IPsecPolicyGroup used for the interface.") ]
       CIM_IPsecPolicyGroup REF Dependent;
   };
   
   // ==================================================================
   //     RuleForIPsecNegotiation
   // ==================================================================
        [Association, Aggregation, Description (
           "RuleForIPsecNegotiation associates an IPsecRule with the "
           "IPsecPolicyGroup that contains it. This is used to contain "
         "the phase 2 rules to control IKE negotiation. \n\n"
         "ContainingGroup is restricted to a cardinality of 1. This "
         "means that the IPsecRule instances are not sharable across "
         "multiple policy groups. " ) ]
   
   class CIM_RuleForIPsecNegotiation : CIM_PolicyRuleInPolicyGroup
   {
         [Aggregate, Override ("GroupComponent"), Min(1), Max(1),
           Description ("An IPsecPolicyGroup that aggregates a set of "
           "policy rules. " ) ]
       CIM_IPsecPolicyGroup REF GroupComponent;
   
         [Override ("PartComponent"), Description (
         "A policy rule aggregated into a set of policy rules, "
         "forming an atomic policy group. " ) ]
       CIM_IPsecRule REF PartComponent;
   };
   
   
   // ==================================================================
   //     RuleForIKENegotiation
   // ==================================================================
       [ Association, Aggregation, Description (
           "RuleForIKENegotiation associates an IKERule with the "
           "IPsecPolicyGroup that contains it. This is used to control "
         "phase 1 IKE negotiation. \n\n"
         "ContainingGroup is restricted to a cardinality of 1. This "
         "means that the IKERule instances are not sharable across "
         "multiple policy groups. " ) ]
   
   class CIM_RuleForIKENegotiation : CIM_PolicyRuleInPolicyGroup
   {
         [Aggregate, Override ("GroupComponent"), Min(1), Max(1),
           Description ("An IPsecPolicyGroup that aggregates a set of "
           "policy rules. " ) ]
       CIM_IPsecPolicyGroup REF GroupComponent;
   
         [Override ("PartComponent"), Description (
         "A policy rule aggregated into a set of policy rules, "
         "forming an atomic policy group. " ) ]
       CIM_IKERule REF PartComponent;
   };
   
   // ==================================================================
   //     ContainedProposal
   // ==================================================================
           [Association, Aggregation, Description (
         "ContainedProposal holds the ordered list of SA proposals "
         "for a SANegotiationAction. " ) ]
   
   class CIM_ContainedProposal: CIM_PolicyComponent
   {
           [Aggregate, Override ("GroupComponent"), Description (
           "SANegotiationAction for this list of proposals. " ) ]
       CIM_SANegotiationAction REF GroupComponent;
   
           [Override ("PartComponent"), Description (
         "SAProposal in this action. " ) ]
       CIM_SAProposal REF PartComponent;
   
           [Description (
         "SequenceNumber indicates the ordering to be used when "
         "chosing from among the proposals; lower values are "
           "preferred by the sender. " ) ]
       uint16 SequenceNumber;
   };
   
   // ==================================================================
   //     FilterOfSecurityAssociation
   // ==================================================================
           [Association, Description (
           "FilterOfSecurityAssociation associates a network traffic "
         "specification (i.e., a FilterList) with a set of "
           "SecurityAssociations to which the filter list applies. " ) ]
   
   class CIM_FilterOfSecurityAssociation : CIM_Dependency
   {
           [Override ("Antecedent"), Min(1), Max(1), Description (
         "FilterList describing the traffic to be matched against. " ) ]
       CIM_FilterList REF Antecedent;
   
           [Override ("Dependent"), Description ("SecurityAssociation "
           "using the FilterList for its selector. " ) ]
       CIM_SecurityAssociation REF Dependent;
   };
   
   // ==================================================================
   //     IKEUsesCredentialManagementService
   // ==================================================================
           [Association, Description (
           "IKEUsesCredentialManagementService defines the set of "
           "CredentialManagementService(s) that are trusted sources "
           "of credentials for IKE phase 1 negotiations. " ) ]
   
   class CIM_IKEUsesCredentialManagementService : CIM_Dependency
   {
           [Override ("Antecedent"), Description (
         "CredentialManagementService trusted for the IKE "
         "negotiation.") ]
       CIM_CredentialManagementService REF Antecedent;
   
           [Override ("Dependent"),
           Description (
         "IKEService that is using the credentials issued by the "
           "trusted CredentialManagementService. " ) ]
       CIM_IKEService REF Dependent;
   };
   
   // ==================================================================
   //     TransformOfPreconfiguredAction
   // ==================================================================
           [ Association, Description (
           "TransformOfPreconfiguredAction defines the transforms used "
           "by a preconfigured IPsec action.") ]
   
   class CIM_TransformOfPreconfiguredAction : CIM_Dependency
   {
           [Override ("Antecedent"), Min(1), Max(3),
         Description (
         "This defines the type of transform that the Preconfigured "
         "SA Action will be applied to. The cardinality enables an "
         "action to be applied to an AH, an ESP, or an IPCOMP "
         "transform. " ) ]
       CIM_SATransform REF Antecedent;
   
           [Override ("Dependent"),
         Description (
         "This defines the Preconfigured IPsec action to be applied "
         "to the AH, ESP, or IPCOMP transform. " ) ]
       CIM_PreconfiguredSAAction REF Dependent;
   
         [Description (
         "The SPI property specifies the security parameter index to "
           "be used by the pre-configured action for the associated "
           "transform." ) ]
       uint32 SPI;
   };
   
   // ==================================================================
   //    SAProposalInSystem
   // ==================================================================
      [Association, Description (
       "SAProposalInSystem provides the scoping relationship for "
       "SAProposals in a System. The SAProposal is weak to the "
       "System." ) ]
   
   class CIM_SAProposalInSystem : CIM_PolicyInSystem
   {
           [Override ("Antecedent"), Min (1), Max (1), Description (
            "This property identifies a System scoping one or more "
              "proposals.") ]
       CIM_System REF Antecedent;
   
           [Override ("Dependent"), Weak, Description (
            "An SAProposal that is in the System.")]
       CIM_SAProposal REF Dependent;
   };
   
   // ==================================================================
   //    SATransformInSystem
   // ==================================================================
      [Association, Description (
       "SATransformInSystem provides the scoping relationship for "
       "SATRansforms in a System. The SATransform is weak to the "
       "System." ) ]
   
   class CIM_SATransformInSystem : CIM_PolicyInSystem
   {
           [Override ("Antecedent"), Min (1), Max (1), Description (
            "This property identifies a System scoping one or more "
              "transforms.") ]
       CIM_System REF Antecedent;
   
           [Override ("Dependent"), Weak, Description (
            "An SATransform that is in the System.")]
       CIM_SATransform REF Dependent;
   };
   
   // ==================================================================
   //    HostedPeerIdentityTable
   // ==================================================================
      [Association, Description ("HostedPeerIdentityTable provides the "
       "scoping relationship for PeerIdentityTable entries in a "
       "System.  The PeerIdentityTable is weak to the System." ) ]
   
   class CIM_HostedPeerIdentityTable: CIM_Dependency
   {
           [Override ("Antecedent"), Min (1), Max (1), Description (
            "This property identifies a System scoping one or more "
            "PeerIdentityTable instances.") ]
       CIM_System REF Antecedent;
   
           [Override ("Dependent"), Weak, Description (
            "A PeerIdentityTable that is in the System.")]
       CIM_PeerIdentityTable REF Dependent;
   };
   
   // ==================================================================
   //     RuleThatGeneratedSA
   // ==================================================================
           [Association, Description (
           "RuleThatGeneratedSA associates a SecurityAssociation with "
           "the rule used to generate (or negotiate) it.") ]
   
   class CIM_RuleThatGeneratedSA : CIM_Dependency
   {
           [Override ("Antecedent"), Min (0), Max (1),
         Description ("SARule that led to the SecurityAssociation.") ]
       CIM_SARule REF Antecedent;
   
           [Override ("Dependent"),
           Description ("SecurityAssociation created using the rule.") ]
       CIM_SecurityAssociation REF Dependent;
   };
   
   // ==================================================================
   //     TransformOfSecurityAssociation
   // ==================================================================
           [Association, Description (
           "TransformOfSecurityAssociation maps an SA with the transform "
         "it uses.  For security reasons, no keying material of the SA "
         "is exposed." ) ]
   
   class CIM_TransformOfSecurityAssociation : CIM_Dependency
   {
           [Override ("Antecedent"), Min (1), Max (1),
           Description ("Transform of this SA.") ]
       CIM_SATransform REF Antecedent;
   
           [Override ("Dependent"),
           Description ("Security association.") ]
       CIM_IPsecSecurityAssociation REF Dependent;
   };
   
   // ==================================================================
   //     PeerGatewayOfSecurityAssociation
   // ==================================================================
           [Association, Description (
           "PeerGatewayOfSecurityAssociation identifies the PeerGateway "
         "of an SA that has a security gateway as the peer.") ]
   
   class CIM_PeerGatewayOfSecurityAssociation : CIM_Dependency
   {
           [Override ("Antecedent"), Max (1),
           Description ("PeerGateway for the SA.") ]
       CIM_PeerGateway REF Antecedent;
   
           [Override ("Dependent"),
           Description ("Security association with the PeerGateway.") ]
       CIM_IPsecSecurityAssociation REF Dependent;
   };
   
   // ==================================================================
   //     IKEServicePeerGateway
   // ==================================================================
           [Association, Description (
           "IKEServicePeerGateway provides the relationship between an "
         "IKEService and the list of PeerGateway instances that it "
         "uses in negotiating with security gateways.") ]
   
   class CIM_IKEServicePeerGateway : CIM_Dependency
   {
           [Override ("Antecedent"),
           Description ("The PeerGateway") ]
       CIM_PeerGateway REF Antecedent;
   
           [Override ("Dependent"), Description (
         "The IKEService that uses information about the "
         "peer gateway.") ]
       CIM_IKEService REF Dependent;
   };
   
   // ==================================================================
   //     IKEServiceForEndpoint
   // ==================================================================
           [Association, Description (
          "IKEServiceForEndpoint provides the relationship "
          "showing which IKE service, if any, provides IKE "
          "negotiation services for which network interfaces.") ]
   
   class CIM_IKEServiceForEndpoint : CIM_Dependency
   {
           [Override ("Antecedent"), Max (1),
            Description ("The IKEService that performs IKE negotiation "
          "for the IPProtocolEndpoint.") ]
       CIM_IKEService REF Antecedent;
   
           [Override ("Dependent"),
            Description ("IPProtocolEndpoint for which services are "
          "provided.") ]
       CIM_IPProtocolEndpoint REF Dependent;
   };
   
   // ==================================================================
   //     IKEServicePeerIdentityTable
   // ==================================================================
           [Association, Description (
         "IKEServicePeerIdentityTable provides the relationship "
         "between an IKEService and a PeerIdentityTable that it "
         "uses to map between addresses and identities where "
         "required.") ]
   
   class CIM_IKEServicePeerIdentityTable: CIM_Dependency
   {
           [Override ("Antecedent"),
            Description ("The PeerIdentityTable.") ]
       CIM_PeerIdentityTable REF Antecedent;
   
           [Override ("Dependent"),
           Description ("The IKEService that uses the table.") ]
       CIM_IKEService REF Dependent;
   };
   
   // ==================================================================
   //     IKESAUsedForPhase2
   // ==================================================================
           [Association, Description (
         "IKESAUsedForPhase2 associates a phase 1 "
         "IKESecurityAssociation with an "
         "IPsecSecurityAssociation that was negotiated using "
         "that Phase 1 SA.") ]
   
   class CIM_IKESAUsedForPhase2 : CIM_Dependency
   {
           [Override ("Antecedent"), Max (1), Description (
          "Phase 1 SA that protected the negotiation of "
          "the Phase 2 SA.") ]
       CIM_IKESecurityAssociation REF Antecedent;
   
           [Override ("Dependent"), Description (
         "Phase 2 SA.") ]
       CIM_IPsecSecurityAssociation REF Dependent;
   };
   
   // ==================================================================
   //     PeerCredential
   // ==================================================================
           [Association, Description (
           "PeerCredential is an association that identifies the "
           "credential of the peer corresponding to an IKE SA.") ]
   
   class CIM_PeerCredential : CIM_Dependency
   {
           [Override ("Antecedent"), Max (1),
         Description ("Credential of the peer.") ]
       CIM_Credential REF Antecedent;
   
           [Override ("Dependent"),
           Description ("Phase 1 SA for this peer.") ]
       CIM_IKESecurityAssociation REF Dependent;
   };
   
   // ==================================================================
   //     IPProtocolEndpointsProtectionSuite
   // ==================================================================
           [Association, Description (
         "IPProtocolEndpointsProtectionSuite provides the "
         "relationship between an IPsecProtectionSuite and the scoping "
         "IPProtocolEndpoint for which the set of related SAs provide "
         "traffic protection.  The IPsecProtectionSuite is weak to its "
         "IPProtocolEndpoint.") ]
   
   class CIM_IPProtocolEndpointsProtectionSuite: CIM_Dependency
   {
           [Override ("Antecedent"), Min (1), Max (1),
            Description (
          "An IPProtocolEndpoint for which protection is provided.") ]
       CIM_IPProtocolEndpoint REF Antecedent;
   
           [Override ("Dependent"), Weak, Description (
         "A protection suite.") ]
       CIM_IPsecProtectionSuite REF Dependent;
   };
   
   // ==================================================================
   //     SecurityAssociationBindsTo
   // ==================================================================
           [Association, Description (
           "SecurityAssociationBindsTo associates an IPProtocolEndpoint "
         "with an active SecurityAssociation on that endpoint.") ]
   
   class CIM_SecurityAssociationBindsTo : CIM_BindsTo
   {
         [Override ("Antecedent"), Min (1), Max (1),
         Description (
         "IPProtocolEndpoint representing the network "
         "interface on which an SA is active." ) ]
       CIM_IPProtocolEndpoint REF Antecedent;
   
         [Override ("Dependent"), Description (
         "Security association on the endpoint." ) ]
       CIM_SecurityAssociation REF Dependent;
   };
   
   // ==================================================================
   //     ProvidesSA
   // ==================================================================
           [Association, Description (
         "ProvidesSA represents the relationship between an "
         "IKEService that provides the negotiation functions "
         "and manages the associated security association." ) ]
   
   class CIM_ProvidesSA: CIM_ProvidesEndpoint
   {
        [Override ("Antecedent"), Max (1), Description (
        "The IKEService that provides the SA.")]
      CIM_IKEService REF Antecedent;
   
        [Override ("Dependent"), Description (
        "Security association provided by the service.") ]
      CIM_SecurityAssociation REF Dependent;
   };
   
   // ==================================================================
   //     IKEIdentitysCredential
   // ==================================================================
           [Association, Description (
         "IKEIdentitysCredential is an association that "
         "relates a set of credentials to their "
         "corresponding local IKE Identities." ) ]
   
   class CIM_IKEIdentitysCredential : CIM_UsersCredential
   {
           [Override ("Antecedent"), Description (
         "Credential of the Identity.") ]
       CIM_Credential REF Antecedent;
   
           [Override ("Dependent"), Description (
         "Identity associated with the credential.") ]
       CIM_IKEIdentity REF Dependent;
   };
   
   // ==================================================================
   //     EndpointHasLocalIKEIdentity
   // ==================================================================
           [Association, Description (
         "EndpointHasLocalIKEIdentity associates an "
         "IPProtocolEndpoint with a set of IKE "
         "Identities for that may be used in negotiating "
         "SAs on the endpoint. " ) ]
   
   class CIM_EndpointHasLocalIKEIdentity : CIM_ElementAsUser
   {
         [Override ("Antecedent"), Max (1), Description (
         "IPProtocolEndpoint that has an IKE identity.") ]
       CIM_IPProtocolEndpoint REF Antecedent;
   
         [Override ("Dependent"), Description (
         "An IKE Identity for the endpoint.") ]
       CIM_IKEIdentity REF Dependent;
   };
   
   // ==================================================================
   //     CollectionHasLocalIKEIdentity
   // ==================================================================
           [Association, Description (
         "CollectionHasLocalIKEIdentity associates a Collection "
         "of IPProtocolEndpoints with a set of IKE Identities "
         "that may be used in negotiating SAs for "
         "these endpoints.") ]
   
   class CIM_CollectionHasLocalIKEIdentity : CIM_ElementAsUser
   {
           [Override ("Antecedent"), Max (1), Description (
         "Collection that has an Identity.") ]
       CIM_Collection REF Antecedent;
   
           [Override ("Dependent"), Description (
         "IKE Identity used for the Collection.") ]
       CIM_IKEIdentity REF Dependent;
   };
   
   // ==================================================================
   //     ContainedTransform
   // ==================================================================
           [Association, Aggregation, Description (
           "ContainedTransform associates a proposal with its set "
           "of transforms.  If multiple transforms of a given type are "
           "in a given proposal, these transforms are interpreted as "
           "alternatives -- logically ORed with each other.  Sets of "
           "transforms of different types are logically ANDed.  For "
           "example, a proposal aggregating two AH transforms and three "
           "ESP transforms means one of the AH transforms must be chosen "
           "AND one of the ESP transforms must be chosen.") ]
   
   class CIM_ContainedTransform : CIM_PolicyComponent
   {
           [Aggregate, Override ("GroupComponent"), Description (
         "Proposal containing transforms.") ]
       CIM_IPsecProposal REF GroupComponent;
   
           [Override ("PartComponent"), Min (1), Description (
         "Transforms in the proposal.") ]
       CIM_SATransform REF PartComponent;
   
           [Description (
         "SequenceNumber indicates the ordering to be used when "
         "choosing from among the transforms; lower values are "
         "preferred by the sender.")]
       uint16 SequenceNumber;
   };
   
   // ==================================================================
   //     ContainedSA
   // ==================================================================
           [Association, Aggregation, Description (
           "ContainedSA associates a protection suite with its member "
         "IPsec security associations.  Security associations are "
         "contained in sending/receiving pairs and there may be any or "
         "all of an AH pair, ESP pair or an IPCOMP pair of SAs.") ]
   
   class CIM_ContainedSA : CIM_MemberOfCollection
   {
           [Aggregate, Override ("Collection"), Min (1), Max (1),
           Description (
         "Protection suite.") ]
       CIM_IPsecProtectionSuite REF Collection;
   
           [Override ("Member"), Min (2), Max (6), Description (
         "Contained SAs.") ]
       CIM_IPsecSecurityAssociation REF Member;
   };
   
   // ==================================================================
   //     PeerIdentityMember
   // ==================================================================
           [Association, Aggregation, Description (
           "PeerIdentityMember aggregates PeerIdentityEntry "
         "instances into a PeerIdentityTable.  This is a "
         "weak aggregation.") ]
   
   class CIM_PeerIdentityMember : CIM_MemberOfCollection
   {
           [Aggregate, Override ("Collection"), Min (1), Max (1),
           Description (
         "Aggregating PeerIdentityTable.") ]
       CIM_PeerIdentityTable REF Collection;
   
           [Override ("Member"), Weak, Description (
         "Table entry") ]
       CIM_PeerIdentityEntry REF Member;
   };
   
   // ==================================================================
   // PeerGatewayForTunnel
   // ==================================================================
         [Association, Description (
         "PeerGatewayForTunnel identifies the PeerGateway to be used "
         "in constructing a tunnel. " ) ]
   
   class CIM_PeerGatewayForTunnel : CIM_Dependency
   {
         [Override ("Antecedent"), Description (
         "PeerGateway for the SA. " ) ]
       CIM_PeerGateway REF Antecedent;
   
         [Override ("Dependent"), Description (
         "IPsecTunnelAction that requires a PeerGateway. " ) ]
       CIM_IPsecTunnelAction REF Dependent;
   
           [Description ("SequenceNumber indicates the ordering to be "
           "used when selecting a PeerGateway instance for an "
           "IPsecTunnelAction.  Lower values are "
         "evaluated first. " ) ]
       uint16 SequenceNumber;
   };
   
   // ==================================================================
   // PeerGatewayForPreconfiguredTunnel
   // ==================================================================
         [Association, Description (
         "PeerGatewayForPreconfiguredTunnel identifies the PeerGateway "
           "to be used in constructing a preconfigured tunnel. " ) ]
   
   class CIM_PeerGatewayForPreconfiguredTunnel : CIM_Dependency
   {
         [Override ("Antecedent"), Max (1), Description (
         "PeerGateway for the preconfigured SA. " ) ]
       CIM_PeerGateway REF Antecedent;
   
         [Override ("Dependent"), Description (
         "PreconfiguredTunnelAction that requires a PeerGateway. " ) ]
       CIM_PreconfiguredTunnelAction REF Dependent;
   };
   
   // ==================================================================
   // HostedPeerGatewayInformation
   // ==================================================================
         [Association, Description (
         "HostedPeerGatewayInformation provides the scoping "
         "association for PeerGateway information used by IKE "
         "services to identify PeerGateways used in a policy." ) ]
   
   class CIM_HostedPeerGatewayInformation : CIM_Dependency
   {
         [Override ("Antecedent"), Min (1), Max (1),
         Description (
         "Scoping System.") ]
       CIM_System REF Antecedent;
   
         [Override ("Dependent"), Weak, Description (
         "PeerGateway.") ]
       CIM_PeerGateway REF Dependent;
   };
   //
   
   // ==================================================================
   //     IKEAutostartConfiguration
   // ==================================================================
           [Association, Description ("IKEAutostartConfiguration "
         "provides the relationship between an IKEService and a "
         "configuration set that it uses to automatically start a set "
         "of SAs.")]
   class CIM_IKEAutostartConfiguration: CIM_Dependency
   {
           [Override ("Antecedent"),
         Description ("The configuration used.") ]
       CIM_AutostartIKEConfiguration REF Antecedent;
           [Override ("Dependent"),
         Description ("The IKEService that uses the configuration.") ]
       CIM_IKEService REF Dependent;
         [Description ("Active indicates whether the configuration set "
         "is currently active for the associated IKEService.  That is, "
           "at boot time, the active configuration is used to autostart "
           "IKE negotitations and create static SAs as appropriate.")]
       boolean Active;
   };
   
   // ==================================================================
   //     IKEAutostartSetting
   // ==================================================================
           [Association, Description ("IKEAutostartSetting associates an "
         "IKEService and an AutostartIKESetting that it uses to "
         "automatically start negotiating one or more SAs.") ]
   class CIM_IKEAutostartSetting : CIM_ElementSetting
   {
           [Override ("Element"),
         Description ("IKEService that uses the setting.") ]
       CIM_IKEService REF Element;
   
           [Override ("Setting"), Description ("Setting that tells the "
         "IKEService what to negotiate.") ]
       CIM_AutostartIKESetting REF Setting;
   };
   
   // ==================================================================
   //     AutostartIKESettingContext
   // ==================================================================
           [Association, Aggregation, Description (
           "AutostartIKESettingContext aggregates the settings used to "
         "autostart SA negotiations into a configuration set.") ]
   class CIM_AutostartIKESettingContext : CIM_SystemSettingContext
   {
           [Aggregate, Override ("Context"),
           Description ("A configuration set.") ]
       CIM_AutostartIKEConfiguration REF Context;
   
           [Override ("Setting"), Description ("A setting that is part "
         "of the configuration set.") ]
       CIM_AutostartIKESetting REF Setting;
           [Description ("SequenceNumber indicates the ordering to be "
         "used when starting negotiations or creating a static SA.  "
           "A zero value indicates that order is not significant and "
           "settings may be applied in parallel with other settings.  "
           "All other settings in the configuration are executed in "
           "sequence from lower values to high.  Sequence numbers need "
           "not be unique in an AutostartIKEConfiguration and order is "
           "not significant for settings with the same sequence number.")]
       uint16 SequenceNumber;
   };
   
   
   // ===================================================================
   // end of file
   // ===================================================================

