version 1.1, 2001/08/07 11:08:21
|
version 1.2, 2001/12/13 14:53:17
|
|
|
|
// =================================================================== |
|
// Title: Network MOF Specification 2.6 for IPsec Policy |
|
// Filename: CIM_Network26_Add.mof |
|
// Version: 2.6 |
|
// Release: 0 |
|
// Date: 05/22/2001 |
|
// =================================================================== |
|
// Copyright "2001" Distributed Management Task Force, Inc. (DMTF). |
|
// All rights reserved. |
|
// DMTF is a not-for-profit association of industry members dedicated |
|
// to promoting enterprise and systems management and interoperability. |
|
// DMTF specifications and documents may be reproduced for uses |
|
// consistent with this purpose by members and non-members, |
|
// provided that correct attribution is given. |
|
// As DMTF specifications may be revised from time to time, |
|
// the particular version and release cited should always be noted. |
|
// Authors: DMTF Network Working Group |
|
// Editors: Victor Lortz, Lee Rafalow, John Strassner |
|
// Last update: Lee Rafalow, 05/22/2001 |
|
// |
|
// Description: These object classes define the IPsec policy model |
|
// for CIM and includes classes needed to represent |
|
// IKE negotiations and the resulting security |
|
// associations. |
|
// |
|
// The object classes below are listed in an order that |
|
// avoids forward references. Required objects, defined |
|
// by other working groups, are omitted. |
|
// |
|
// Changes to initial V2.5 "Preliminary Standard" Release for V2.6: |
|
// CIMCR599 - Updates to IPsec Model to match IETF IPSP Model |
|
// -Update IKERule & IPsecRule descriptions for static |
|
// actions |
|
// -Update IPsecPolicyForSystem to correct the System |
|
// cardinality and descriptions |
|
// -Change SAProposal and SATransform to be weak to |
|
// System instead of weak to PolicyRepository by changing |
|
// SAProposalInPolicyRepository to SAProposalInSystem and |
|
// SATRansformInPolicyRepository to SATRansformInSystem |
|
// -Add DFHandling to PreconfiguredTunnelAction and |
|
// IPsecSecurityAssociation |
|
// -Add UseReplayPrevention & ReplayPreventionWindowSize |
|
// to AHTransform & ESPTransform |
|
// -Clarify SecurityAssociation description |
|
// -Clarify SACondition description to include evaluation |
|
// semantics |
|
// -Clarify IPsecPolicyGroup description to include decision |
|
// strategy semantics & use of PolicySetComponent instead of |
|
// IPsecPolicyGroupInPolicyGroup |
|
// -Clarify SAActionInRule to include action sequencing |
|
// semantics |
|
// -Clarify IKERejectAction description |
|
// -Clarify PeerIdentityEntry.PeerIdentity description |
|
// -Fixed PeerIdentityEntry.PeerAddress description |
|
// -Fixed AutostartIKESetting description |
|
// -Clarified IKEIdentity description |
|
// -Clarified AutostartIKESettingContext description |
|
// -Clarified IKEAutostartConfiguration.Active description |
|
// -Changed CIM_IPsecContainedTransform to |
|
// CIM_ContainedTransform |
|
// -Fixed PeerGatewayForTunnel.SequenceNumber description |
|
// -Added TransformOfPreconfiguredAction.SPI |
|
// -Added SAActionInRule.FallbackOrder and change semantic |
|
// of ActionOrder |
|
// -Added PeerGatewayForPreconfiguredTunnel & |
|
// deleted PreconfiguredTunnelAction PeerGateway properties |
|
// -Remove IPsecPolicyGroupInPolicyGroup in favor of |
|
// PolicySetComponent |
|
// -SaRule description changed to reflect use of |
|
// PolicySetComponent.Priority instead of PolicyRule.Priority |
|
// -Add override description for SARule.ExecutionStrategy |
|
// CIMCR593 - Correct Typos in Propagated Keys in IPsec model |
|
// -Correct PeerIdentityEntry propagated keys |
|
// -Correct IPsecProtectionSuite propagated keys |
|
// |
|
// =================================================================== |
|
// Generic Pragmas |
|
// =================================================================== |
|
|
|
#pragma Locale ("en_US") |
|
|
|
// ================================================================== |
|
// SACondition |
|
// ================================================================== |
|
[Description ( |
|
"SACondition defines the conditions of rules for IKE or " |
|
"IPsec negotiations. Conditions are associated with policy " |
|
"rules via the SAConditionInRule aggregation. It is used as " |
|
"an anchor point to associate various types of filters with " |
|
"policy rules via the FilterOfSACondition association. It " |
|
"also defines whether Credentials can be accepted for a " |
|
"particular policy rule via the AcceptCredentialsFrom " |
|
"association. \n" |
|
"\n" |
|
"Associated objects represent components of the condition " |
|
"that may or may not apply at a given rule evaluation. For " |
|
"example, an AcceptCredentialsFrom evaluation is only " |
|
"performed when a credential is available to be evaluated " |
|
"against the list of trusted credential management services. " |
|
"Similarly, a PeerIDPayloadFilterEntry may only be evaluated " |
|
"when an IDPayload value is available to compared with the " |
|
"filter. Condition components that do not have corresponding " |
|
"values with which to evaluate are evaluated as TRUE unless " |
|
"the protocol has completed without providing the required " |
|
"information.") ] |
|
|
|
class CIM_SACondition : CIM_PolicyCondition |
|
{ |
|
}; |
|
|
|
// ================================================================== |
|
// CredentialFilterEntry |
|
// ================================================================== |
|
[Description ( |
|
"A CredentialFilterEntry is used to define an equivalence " |
|
"class that match credentials of IKE peers. Each " |
|
"CredentialFilterEntry includes a MatchFieldName that is " |
|
"interpreted according to the CredentialManagementService(s) " |
|
"associated with the SACondition (AcceptCredentialsFrom). " |
|
"These credentials can be X.509 certificates, Kerberos " |
|
"tickets, or other types of credentials obtained during the " |
|
"Phase 1 exchange. " ) ] |
|
|
|
class CIM_CredentialFilterEntry : CIM_FilterEntryBase |
|
{ |
|
[Description ( |
|
"MatchFieldName specifies the sub-part of the credential to " |
|
"match against MatchFieldValue."), |
|
ModelCorrespondence { |
|
"CIM_CredentialFilterEntry.MatchFieldValue" } ] |
|
string MatchFieldName; |
|
|
|
[Description ( |
|
"MatchFieldValue specifies the value to compare with the " |
|
"MatchFieldName in a credential to determine if the " |
|
"credential matches this filter entry."), |
|
ModelCorrespondence { |
|
"CIM_CredentialFilterEntry.MatchFieldName" } ] |
|
string MatchFieldValue; |
|
|
|
[Description ( |
|
"CredentialType is an enumerated 16-bit unsigned integer that " |
|
"is used to specify the particular type of credential that is " |
|
"being matched. " ), |
|
ValueMap { "1", "2" }, |
|
Values { "X.509 Certificate", "Kerberos Ticket" } ] |
|
uint16 CredentialType; |
|
}; |
|
|
|
// ================================================================== |
|
// IPSOFilterEntry |
|
// ================================================================== |
|
[Description ( |
|
"An IPSOFilterEntry is used to match traffic based on the " |
|
"IP Security Options header values (ClassificationLevel " |
|
"and ProtectionAuthority) as defined in RFC1108. This type " |
|
"of FilterEntry is used to adjust the IPsec encryption level " |
|
"according to the IPSO classification of the traffic (e.g., " |
|
"secret, confidential, restricted, etc." ) ] |
|
|
|
class CIM_IPSOFilterEntry : CIM_FilterEntryBase |
|
{ |
|
[Description ( |
|
"MatchConditionType specifies whether to match based on " |
|
"traffic classification level or protection authority."), |
|
ValueMap { "1", "2"}, |
|
Values {"ClassificationLevel", "ProtectionAuthority" }, |
|
ModelCorrespondence { |
|
"CIM_IPSOFilterEntry.MatchConditionValue" } ] |
|
uint16 MatchConditionType; |
|
|
|
[Description ( |
|
"This is the value of the IPSO field type. For " |
|
"ClassificationLevel, the values are:\n" |
|
"61=TopSecret, 90=Secret, 150=Confidential, " |
|
"171=Unclassified.\n" |
|
"\n" |
|
"For ProtectionAuthority, the values are:\n" |
|
"0=GENSER, 1=SIOP-ESI, 2=SCI, 3=NSA, 4=DOE."), |
|
ModelCorrespondence { |
|
"CIM_IPSOFilterEntry.MatchConditionType" } ] |
|
uint16 MatchConditionValue; |
|
}; |
|
|
|
// ================================================================== |
|
// PeerIDPayloadFilterEntry |
|
// ================================================================== |
|
[Description ( |
|
"PeerIDPayloadFilterEntry defines filters used to match ID " |
|
"payload values from the IKE protocol exchange." ) ] |
|
|
|
class CIM_PeerIDPayloadFilterEntry : CIM_FilterEntryBase |
|
{ |
|
[Description ( |
|
"MatchIdentityType specifies the type of indentity provided " |
|
"by the peer in the ID payload." ), |
|
ValueMap |
|
{"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"}, |
|
Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET", |
|
"IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE", |
|
"IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"}, |
|
ModelCorrespondence { |
|
"CIM_PeerIDPayloadFilterEntry.MatchIdentityValue" } ] |
|
uint16 MatchIdentityType; |
|
|
|
[Description ( |
|
"MatchIdentityValue is the filter value for comparison with " |
|
"the ID payload, e,g, \"*@company.com\". The syntax may need " |
|
"to be converted for comparison. For example, if the type " |
|
"of identity is a distinguished name, \"DER_ASN1_DN,\" the " |
|
"MatchIdentityValue is represented by a DN string value " |
|
"and this value must be converted into a DER-encoded string " |
|
"before it can be matched against the values extracted from " |
|
"IKE ID payloads at runtime (or vice-versa). " ), |
|
ModelCorrespondence { |
|
"CIM_PeerIDPayloadFilterEntry.MatchIdentityType" } ] |
|
string MatchIdentityValue; |
|
}; |
|
|
|
|
|
// ================================================================== |
|
// IPsecPolicyGroup |
|
// ================================================================== |
|
[Description ( |
|
"IPsecPolicyGroup aggregates the set of rules of an IPsec " |
|
"policy. These groups are weak to a System via the " |
|
"PolicyGroupInSystem association. \n\n" |
|
"The IPsecPolicyForSystem and IPsecPolicyForEndpoint " |
|
"associations are used to specify the System and/or " |
|
"IPProtocolEndpoints to which an IPsecPolicyGroup applies. " |
|
"(Examples of a System and an IPProtocolEndpoint are a router " |
|
"and a router interface, respectively.)\n\n" |
|
"The RuleForIKENegotiation aggregates the phase 1 IKE " |
|
"negotiation rules that are part of the group; the " |
|
"RuleForIPsecNegotiation aggregates the phase 2 IKE " |
|
"negotiation rules. \n\n" |
|
"The PolicySetComponent aggregation is used to define a " |
|
"nested group of IPsec policy groups, with each policy group " |
|
"containing one or more rules.\n\n" |
|
"Any nested groups of rules are prioritized with respect to " |
|
"one another and the aggregated rules are evaluated using a " |
|
"'first match' decision strategy, i.e., when evaluating the " |
|
"list of IKE rules, they are evaluated in priority order " |
|
"until a match is found and when evaluating the list of " |
|
"IPsec rules, they are evaluated in priority order until a " |
|
"match is found." ) ] |
|
|
|
class CIM_IPsecPolicyGroup: CIM_PolicyGroup |
|
{ |
|
}; |
|
|
|
// ================================================================== |
|
// SARule |
|
// ================================================================== |
|
[Description ( |
|
"SARule is a base class for defining IKE and IPsec Rules. " |
|
"Although concrete, it is not intended to be instantiated. " |
|
"It defines a common anchor point for defining associations " |
|
"and aggregations to conditions, actions, and security " |
|
"associations (SAs) for both types of rules. Each valid " |
|
"IPsecPolicyGroup must contain SARules that each have a " |
|
"unique associated priority number in " |
|
"PolicySetComponent.Priority. " ) ] |
|
|
|
class CIM_SARule: CIM_PolicyRule |
|
{ |
|
[Description ( |
|
"LimitNegotiation is used as part of processing either an " |
|
"IKE or an IPsec rule. Before proceeding with either a " |
|
"phase 1 or a phase 2 negotiation, this property " |
|
"is checked to determine if the negotiation role of the rule " |
|
"matches that defined for the negotiation being undertaken " |
|
"(e.g., Initiator, Responder, or Both). If this check fails, " |
|
"then the IKE negotiation is stopped. Note that this only " |
|
"applies to new IKE negotiations and has no effect on either " |
|
"renegotiation or refresh operations with peers for which " |
|
"an established SA already exists. " ), |
|
ValueMap { "1", "2", "3" }, |
|
Values { "Initiator-only", "Responder-Only", "Either"} ] |
|
uint16 LimitNegotiation; |
|
[Override("ExecutionStrategy"), Description ( |
|
"ExecutionStrategy defines the strategy to be used in " |
|
"executing the sequenced actions aggregated by this " |
|
"PolicyRule.\n" |
|
"\n" |
|
"In SARule, ExecutionStrategy MUST be set to 'Do All'. " |
|
"SAActionInRule.FallbackAction is used to control the " |
|
"fallback behavior."), |
|
Values {"2"}, ValueMap {"Do All"}] |
|
uint16 ExecutionStrategy; |
|
}; |
|
|
|
// ================================================================== |
|
// IKERule |
|
// ================================================================== |
|
[Description ( |
|
"IKERule contains the Conditions and Actions for IKE phase 1 " |
|
"negotiations or to specify static actions such as Discard. " |
|
"The conditions and actions are contained in one or more " |
|
"IPsecPolicyGroup classes. ") ] |
|
|
|
class CIM_IKERule : CIM_SARule |
|
{ |
|
[Description ( |
|
"IdentityContexts is a string array that corresponds to an " |
|
"ANDed list of values. If multiple strings exist, then they " |
|
"are to be logically ORed with each other. This property is " |
|
"used to establish a phase 1 IKE SA by using this property " |
|
"in conjunction with the UseIKEIdentityType property in the " |
|
"corresponding IKEAction. These two properties are then " |
|
"used to find an appropriate IKEIdentity object for use on " |
|
"the protected IPProtocolEndpoint." ), |
|
ModelCorrespondence { "CIM_IKEIdentity.IdentityContexts" } ] |
|
string IdentityContexts []; |
|
}; |
|
|
|
// ================================================================== |
|
// IPsecRule |
|
// ================================================================== |
|
[Description ( |
|
"IPsecRule contains the Conditions and Actions for phase 2 " |
|
"negotiations or to specify static actions such as Discard. " |
|
"The conditions and actions are contained in one or more " |
|
"IPsecPolicyGroup classes. " ) ] |
|
|
|
class CIM_IPsecRule : CIM_SARule |
|
{ |
|
}; |
|
|
|
// ================================================================== |
|
// SAAction |
|
// ================================================================== |
|
[Description ( |
|
"SAAction is the base class for the various types of IKE or " |
|
"IPsec actions and, although concrete, it is not intended to " |
|
"be instantiated. It is used for aggregating different " |
|
"types of actions to IKE and IPsec rules. " ) ] |
|
|
|
class CIM_SAAction : CIM_PolicyAction |
|
{ |
|
[Description ( |
|
"DoActionLogging causes a log message to be generated when " |
|
"the action is performed. " ) ] |
|
boolean DoActionLogging; |
|
|
|
[Description ( |
|
"DoPacketLogging causes a log message to be generated when " |
|
"the action is applied to a packet. " ) ] |
|
boolean DoPacketLogging; |
|
}; |
|
|
|
|
|
// ================================================================== |
|
// SAStaticAction |
|
// ================================================================== |
|
[Description ( |
|
"SAStaticAction is the base class for both IKE as well as " |
|
"IPsec actions that require no negotiation. Although this " |
|
"class is concrete, it is not intended to be instantiated. " ) ] |
|
|
|
class CIM_SAStaticAction : CIM_SAAction |
|
{ |
|
[Description ( |
|
"LifetimeSeconds specifies how long the SA derived from this " |
|
"action should be used. A value of 0 means infinite " |
|
"lifetime. A non-zero value is typically used when the " |
|
"negotiation fails. " ), |
|
Units ("Seconds") ] |
|
uint32 LifetimeSeconds; |
|
}; |
|
|
|
// ================================================================== |
|
// PreconfiguredSAAction |
|
// ================================================================== |
|
[Description ( |
|
"Subclasses of PreconfiguredSAAction is used to create SAs " |
|
"using preconfigured, hard-wired algorithms and keys. No " |
|
"negotiation is necessary. Note that the SPI for a " |
|
"preconfigured SA action is contained in the association, " |
|
"TransformOfPreconfiguredAction. " ) ] |
|
|
|
class CIM_PreconfiguredSAAction : CIM_SAStaticAction |
|
{ |
|
[Description ( |
|
"ProtocolType defines the type of protocol being used by " |
|
"this static action. " ) ] |
|
string ProtocolType; |
|
|
|
[Description ( |
|
"LifetimeKilobytes defines a traffic limit in kilobytes " |
|
"that can be consumed before the SA is deleted. " ) ] |
|
uint32 LifetimeKilobytes; |
|
}; |
|
|
|
// ================================================================== |
|
// PreconfiguredTransportAction |
|
// ================================================================== |
|
[Description ( |
|
"PreconfiguredTransportAction is used to create Transport " |
|
"SAs using preconfigured, hard-wired algorithms and keys. No " |
|
"negotiation is necessary. Note that the SPI for a " |
|
"preconfigured SA action is contained in the association, " |
|
"TransformOfPreconfiguredAction. " ) ] |
|
|
|
class CIM_PreconfiguredTransportAction : CIM_PreconfiguredSAAction |
|
{ |
|
}; |
|
|
|
// ================================================================== |
|
// PreconfiguredTunnelAction |
|
// ================================================================== |
|
[Description ( |
|
"PreconfiguredTunnelAction is used to create Tunnel SAs " |
|
"using preconfigured, hard-wired algorithms and keys. No " |
|
"negotiation is necessary. Note that the SPI for a " |
|
"preconfigured SA action is contained in the association, " |
|
"TransformOfPreconfiguredAction. The PeerGateway address " |
|
"information is provided when the tunnel peer is a security " |
|
"gateway." ) ] |
|
|
|
class CIM_PreconfiguredTunnelAction : CIM_PreconfiguredSAAction |
|
{ |
|
[Description ( |
|
"DFHandling controls how the Don't Fragment bit " |
|
"is managed by the tunnel. " ), |
|
ValueMap {"1", "2", "3"}, |
|
Values {"Copy", "Set", "Clear"}] |
|
uint16 DFHandling; |
|
}; |
|
|
|
// ================================================================== |
|
// IPsecBypassAction |
|
// ================================================================== |
|
[Description ( |
|
"IPsecBypassAction is used to cause access to be permitted " |
|
"without invoking the use of IPsec. Packets are forwarded " |
|
"in the clear. " ) ] |
|
|
|
class CIM_IPsecBypassAction : CIM_SAStaticAction |
|
{ |
|
}; |
|
|
|
// ================================================================== |
|
// IPsecDiscardAction |
|
// ================================================================== |
|
[Description ( |
|
"IPsecDiscardAction is used to cause access to be denied. " |
|
"That is, packets are simply discarded. " ) ] |
|
|
|
class CIM_IPsecDiscardAction : CIM_SAStaticAction |
|
{ |
|
}; |
|
|
|
// ================================================================== |
|
// IKERejectAction |
|
// ================================================================== |
|
[Description ("IKERejectAction is used to cause an IKE " |
|
"negotiation to be terminated. For example, it can be used " |
|
"in conjunction with an address filter on UDP port 500 to " |
|
"reduce DoS vulnerability or it can be used on a low priority " |
|
"rule to explicitly define the default action for IKE " |
|
"negotiations.")] |
|
|
|
class CIM_IKERejectAction : CIM_SAStaticAction |
|
{ |
|
}; |
|
|
|
// ================================================================== |
|
// SANegotiationAction |
|
// ================================================================== |
|
[Description ( |
|
"SANegotiationAction is the base class for negotiated SAs " |
|
"and, although concrete, is not intended to be instantiated. " |
|
"It specifies the common parameters that control the IKE " |
|
"phase 1 and phase 2 key exchange negotiations. " ) ] |
|
|
|
class CIM_SANegotiationAction : CIM_SAAction |
|
{ |
|
[Description ( |
|
"MinLifetimeSeconds prevents certain denial of service " |
|
"attacks based on very short SA lifetimes. "), |
|
Units("Seconds")] |
|
uint32 MinLifetimeSeconds; |
|
|
|
[Description ( |
|
"RefreshThresholdSeconds is the lifetime percentage at which " |
|
"IKE should automatically attempt to acquire a new SA before " |
|
"an existing SA expires. A random period may be added to a " |
|
"calculated threshold to reduce network thrashing. " ) ] |
|
uint8 RefreshThresholdSeconds; |
|
|
|
[Description ( |
|
"IdleDurationSeconds is the time an SA can remain idle " |
|
"before it is automatically deleted. The default (zero) " |
|
"value indicates that there is no idle duration timer " |
|
"and that the SA is deleted based upon the SA lifetime."), |
|
Units("Seconds") ] |
|
uint32 IdleDurationSeconds; |
|
|
|
[Description ( |
|
"MinLifetimeKilobytes prevents certain denial of service " |
|
"attacks based on very short SA lifetimes.")] |
|
uint32 MinLifetimeKilobytes; |
|
|
|
[Description ( |
|
"RefreshThresholdKilobytes is the percentage of the SA" |
|
"kilobyte limit remaining before the SA is refreshed. " |
|
"A random value may be added to a calculated threshold " |
|
"to reduce network thrashing. " ) ] |
|
uint8 RefreshThresholdKilobytes; |
|
}; |
|
|
|
// ================================================================== |
|
// IKEAction |
|
// ================================================================== |
|
[Description ( |
|
"IKEAction specifies the parameters to use for an IKE " |
|
"phase 1 negotiation. " ) ] |
|
|
|
class CIM_IKEAction : CIM_SANegotiationAction |
|
{ |
|
[Description ( |
|
"RefreshThresholdDerivedKeys is the percentage of the " |
|
"derived key limit remaining before the IKE phase 1 " |
|
"SA is renegotiated. The default value (zero) means there " |
|
"is no limit. " ) ] |
|
uint8 RefreshThresholdDerivedKeys; |
|
|
|
[Description ( |
|
"The ExchangeMode designates the mode IKE should use for " |
|
"its key negotiations. " ), |
|
ValueMap {"1", "2", "4"}, |
|
Values {"Base", "Main", "Aggressive" } ] |
|
uint16 ExchangeMode; |
|
|
|
[Description ( |
|
"UseIkeIdentityType is used in conjunction with the available " |
|
"IKEIdentity instances for the IPProtocolEndpoint. " |
|
"UseIKEIdentityType designates the type of IKE Identity to " |
|
"use in sending an IKE message."), |
|
ValueMap |
|
{"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"}, |
|
Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET", |
|
"IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE", |
|
"IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"}, |
|
ModelCorrespondence { |
|
"CIM_IKEIdentity.IdentityType" } ] |
|
uint16 UseIKEIdentityType; |
|
|
|
[Description ("The VendorID property is used to identify " |
|
"vendor-defined key exchange GroupIDs."), |
|
ModelCorrespondence {"CIM_IKEAction.AggressiveModeGroupID"}] |
|
string VendorID; |
|
|
|
[Description ( |
|
"When IKEAction.ExchangeMode is set to \"Aggressive\", " |
|
"this property specifies the key exchange groupID to use " |
|
"in a proposal. If the GroupID number is from the vendor-" |
|
"specific range (32768-65535), the VendorID qualifies the " |
|
"group number. Well-known group identifiers from RFC2412 " |
|
"are: 0='Not Applicable', 1='DH768', 2='DH1024', " |
|
"3='ECC2N155', 4='ECC2N185', and 5='DH1536'"), |
|
ModelCorrespondence {"CIM_IKEAction.VendorID"}] |
|
uint16 AggressiveModeGroupID; |
|
}; |
|
|
|
// ================================================================== |
|
// IPsecAction |
|
// ================================================================== |
|
[Description ( |
|
"IPsecAction specifies the parameters to use for an IKE " |
|
"phase 2 negotiation. " ) ] |
|
|
|
class CIM_IPsecAction : CIM_SANegotiationAction |
|
{ |
|
[Description ( |
|
"UsePFS indicates whether perfect forward secrecy " |
|
"is required when refreshing keys.")] |
|
boolean UsePFS; |
|
|
|
[Description ("The VendorID property is used to identify " |
|
"vendor-defined key exchange GroupIDs."), |
|
ModelCorrespondence {"CIM_IPsecAction.GroupId"}] |
|
string VendorID; |
|
|
|
[Description ( |
|
"GroupId specifies the PFS group ID to use. This value is " |
|
"only used if PFS is True and UseIKEGroup is False. " |
|
"If the GroupID number is from the vendor-specific range " |
|
"(32768-65535), the VendorID qualifies the group number. " |
|
"Well-known group identifiers from RFC2412 are:\n" |
|
" 0='Not Applicable', 1='DH768', 2='DH1024', " |
|
"3='ECC2N155', 4='ECC2N185', and 5='DH1536'"), |
|
ModelCorrespondence {"CIM_IPsecAction.VendorID"}] |
|
uint16 GroupId; |
|
|
|
[Description ( |
|
"UseIKEGroup indicates that the phase 2 GroupId should be " |
|
"the same as that used in the phase 1 protecting this phase " |
|
"2 exchange. IF PFS is False, UseIKEGroup is ignored. " ) ] |
|
boolean UseIKEGroup; |
|
|
|
[Description ( |
|
"Granularity controls whether proposed selectors for an " |
|
"SA should be:\n" |
|
"- the subnet mask (Subnet)\n" |
|
"- the IP address (Address)\n" |
|
"- the IP address & the IP protocol (Protocol)\n" |
|
"- the IP address, the IP protocol & the layer 4 port (Port) " |
|
"\n" |
|
"as derived from the traffic that triggered the FilterList " |
|
"of the Condition(s) that matched the rule."), |
|
ValueMap {"1", "2", "3", "4"}, |
|
Values {"Subnet", "Address", "Protocol", "Port"}] |
|
uint16 Granularity; |
|
}; |
|
|
|
|
|
// ================================================================== |
|
// IPsecTransportAction |
|
// ================================================================== |
|
[Description ( |
|
"IPsecTransportAction is used to specify transport " |
|
"encapsulation mode. " ) ] |
|
|
|
class CIM_IPsecTransportAction : CIM_IPsecAction |
|
{ |
|
}; |
|
|
|
|
|
// ================================================================== |
|
// IPsecTunnelAction |
|
// ================================================================== |
|
[Description ( |
|
"IPsecTunnelAction is used to specify tunnel " |
|
"encapsulation mode. " ) ] |
|
|
|
class CIM_IPsecTunnelAction : CIM_IPsecAction |
|
{ |
|
[Description ( |
|
"DFHandling controls how the Don't Fragment bit " |
|
"is managed by the tunnel. " ), |
|
ValueMap {"1", "2", "3"}, |
|
Values {"Copy", "Set", "Clear"}] |
|
uint16 DFHandling; |
|
}; |
|
|
|
// ================================================================== |
|
// SATransform |
|
// ================================================================== |
|
[Abstract, Description ( |
|
"SATransform is the base class for the various types of " |
|
"transforms aggregated into phase 2 proposals. Note that " |
|
"it is weak to its containing System." ) ] |
|
|
|
class CIM_SATransform : CIM_Policy |
|
{ |
|
[Propagated ("CIM_System.CreationClassName"), Key, |
|
MaxLen (256), Description ( |
|
"The scoping System's CreationClassName.") ] |
|
string SystemCreationClassName; |
|
|
|
[Propagated ("CIM_System.Name"), Key, MaxLen (256), |
|
Description ( |
|
"The scoping System's Name.") ] |
|
string SystemName; |
|
|
|
[Key, MaxLen (256), Description ( |
|
"CreationClassName indicates the name of the class or " |
|
"the subclass used in the creation of an instance. When " |
|
"used with the other key properties of this class, this " |
|
"property allows all instances of this class and its " |
|
"subclasses to be uniquely identified. " ) ] |
|
string CreationClassName; |
|
|
|
[Override ("CommonName"), Key, MaxLen (256), Description ( |
|
"The Name property provides a user-friendly unique " |
|
"name for this SATransform. " ) ] |
|
string CommonName; |
|
|
|
[Description ( |
|
"MaxLifetimeSeconds specifies the maximum time the " |
|
"IKE message sender proposes for an SA to be considered " |
|
"valid after it has been created."), |
|
Units ("Seconds") ] |
|
uint32 MaxLifetimeSeconds; |
|
|
|
[Description ( |
|
"MaxLifetimeKilobytes specifies the maximum kilobyte " |
|
"lifetime the IKE message sender proposes for an SA to " |
|
"be considered valid after it has been created. Each " |
|
"proposal may use a different lifetime based upon the " |
|
"strength of the encryption algorithm. " ) ] |
|
uint32 MaxLifetimeKilobytes; |
|
|
|
[Description ( |
|
"The VendorID property is used to identify " |
|
"vendor-defined transforms.") ] |
|
string VendorID; |
|
}; |
|
|
|
// ================================================================== |
|
// AHTransform |
|
// ================================================================== |
|
[Description ( |
|
"AHTransform defines the parameters used for phase 2 " |
|
"negotiation of an AH SA. " ) ] |
|
|
|
class CIM_AHTransform : CIM_SATransform |
|
{ |
|
[Description ( |
|
"AHTransformId is an enumeration that specifies the " |
|
"hash algorithm to be used. " ), |
|
ValueMap {"2", "3", "4"}, |
|
Values {"MD5", "SHA-1", "DES"} ] |
|
uint16 AHTransformId; |
|
|
|
[Description ( |
|
"UseReplayPrevention causes the local peer to compute the " |
|
"next sequence number when sending a packet or to check the " |
|
"sequence number when receiving a packet. " ) ] |
|
boolean UseReplayPrevention; |
|
|
|
[Description ( |
|
"ReplayPreventionWindowsSizw specifies, in bits, the length " |
|
"of the sliding window used by the replay prevention " |
|
"mechanism. The value of this property is meaningless if " |
|
"UseReplayPrevention is false. It is assumed that the window " |
|
"size will be power of 2.")] |
|
uint32 ReplayPreventionWindowSize; |
|
}; |
|
|
|
// ================================================================== |
|
// ESPTransform |
|
// ================================================================== |
|
[Description ( |
|
"ESPTransform defines the parameters used for phase 2 " |
|
"negotiation of an ESP SA. " ) ] |
|
|
|
class CIM_ESPTransform : CIM_SATransform |
|
{ |
|
[Description ( |
|
"IntegrityTransformId is an enumeration that specifies " |
|
"the ESP integrity algorithm for the proposal. " ), |
|
ValueMap {"0", "1", "2", "3", "4"}, |
|
Values {"None", "MD5", "SHA-1", "DES", "KPDK"} ] |
|
uint16 IntegrityTransformId; |
|
|
|
[Description ( |
|
"CipherTransformId is an enumeration that specifies the " |
|
"ESP encryption algorithm for the proposal. " ), |
|
ValueMap |
|
{"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"}, |
|
Values {"DES_IV64", "DES", "3DES", "RC5", "IDEA", "CAST", |
|
"Blowfish", "3-IDEA", "DES_IV32", "RC4", "NULL" }] |
|
uint16 CipherTransformId; |
|
|
|
[Description ( |
|
"CipherKeyLength specifies, in bits, the key length for " |
|
"the encryption algorithm. For algorithms with fixed " |
|
"key lengths, this value is ignored.")] |
|
uint16 CipherKeyLength; |
|
|
|
[Description ( |
|
"CipherKeyRounds specifies the key rounds for the " |
|
"encryption algorithm. Currently, key rounds are not " |
|
"defined for any IPsec encryption algorithms. " ) ] |
|
uint16 CipherKeyRounds; |
|
|
|
[Description ( |
|
"UseReplayPrevention causes the local peer to compute the " |
|
"next sequence number when sending a packet or to check the " |
|
"sequence number when receiving a packet. " ) ] |
|
boolean UseReplayPrevention; |
|
|
|
[Description ( |
|
"ReplayPreventionWindowsSizw specifies, in bits, the length " |
|
"of the sliding window used by the replay prevention " |
|
"mechanism. The value of this property is meaningless if " |
|
"UseReplayPrevention is false. It is assumed that the window " |
|
"size will be power of 2.")] |
|
uint32 ReplayPreventionWindowSize; |
|
}; |
|
|
|
|
|
// ================================================================== |
|
// IPCOMPTransform |
|
// ================================================================== |
|
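// IPCOMP (compression) transform. It is a compression transform rather
// than a protection transform, but IPsecProtectionSuite counts IPCOMP SAs
// alongside AH and ESP SAs, so it is negotiated and managed the same way.
[Description (
   "IPCOMPTransform specifies the compression algorithm "
   "to use. " ) ]
class CIM_IPCOMPTransform : CIM_SATransform
{
   // OUI (1) selects a vendor-private algorithm, which is then identified
   // by PrivateAlgorithm below.
   [Description (
      "The Algorithm is an enumeration that designates the "
      "IPCOMP compression algorithm to use. OUI designates a "
      "vendor-specific algorithm."),
    ValueMap {"1", "2", "3", "4"},
    Values {"OUI", "DEFLATE", "LZS", "V42BIS"}]
   uint16 Algorithm;

   // Optional; expressed as log2 of the maximum dictionary size.
   [Description (
      "DictionarySize is an optional field that specifies the "
      "log2 maximum size of the dictionary. " ) ]
   uint16 DictionarySize;

   // Only consulted when Algorithm = OUI. The description used to refer
   // to a "TransformId" property that this class does not declare; the
   // selector carrying the OUI value is Algorithm.
   [Description (
      "Private compression algorithm, used when Algorithm "
      "is OUI. " ) ]
   uint32 PrivateAlgorithm;
};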
|
|
|
// ================================================================== |
|
// SAProposal |
|
// ================================================================== |
|
// Abstract base for IKE (phase 1) and IPsec (phase 2) proposals. The
// compound key is (SystemCreationClassName, SystemName, CreationClassName,
// Name); the first two are propagated from the scoping CIM_System, so a
// proposal is scoped to (weak to) a System.
[Abstract, Description (
   "SAProposal is a base class defining the common "
   "properties of and anchoring common associations "
   "for IKE phase 1 and phase 2 (IPsec) proposals.") ]
class CIM_SAProposal : CIM_Policy
{
   // Propagated from the scoping System; part of the key.
   [Propagated ("CIM_System.CreationClassName"), Key,
    MaxLen (256), Description (
      "The scoping System's CreationClassName.") ]
   string SystemCreationClassName;

   // Propagated from the scoping System; part of the key.
   [Propagated ("CIM_System.Name"), Key,
    MaxLen (256), Description (
      "The scoping System's Name.") ]
   string SystemName;

   // Records the concrete subclass an instance was created as.
   [Key, MaxLen (256), Description (
      "CreationClassName indicates the name of the class "
      "or the subclass used in the creation of an "
      "instance. When used with the other key properties of "
      "this class, this property allows all instances of this "
      "class and its subclasses to be uniquely identified.") ]
   string CreationClassName;

   // Instance name, unique within the scoping System.
   [Key, MaxLen (256), Description (
      "The Name property uniquely identifies the "
      "CIM_SAProposal.") ]
   string Name;
};
|
|
|
// ================================================================== |
|
// IKEProposal |
|
// ================================================================== |
|
// Phase 1 (IKE SA) proposal: cipher, hash, DH group, authentication
// method and lifetimes offered by the local system. Everything here is
// security policy; a management client that can write these instances
// can weaken the key exchange.
[Description ("IKEProposal contains the parameters necessary "
   "to drive the phase 1 IKE negotiation.") ]
class CIM_IKEProposal : CIM_SAProposal
{
   // 0 removes the bound on phase 2 keys derived from one phase 1 key.
   // NOTE(review): if 0 is used, MaxLifetimeSeconds / MaxLifetimeKilobytes
   // below are the only remaining limits on the phase 1 SA's lifetime.
   [Description ("LifetimeDerivedKeys specifies the number of "
      "times a phase 1 key will be used to derive a phase 2 "
      "(IPsec) key. A value of 0 indicates that there is no limit "
      "to the number of phase 2 keys that can be derived from the "
      "phase 1 key.") ]
   uint32 LifetimeDerivedKeys ;

   // Closed enumeration: unlike GroupId there is no vendor-specific
   // range, so only the six listed ciphers can be proposed.
   [Description ("CipherAlgorithm is an enumeration that "
      "specifies the proposed encryption algorithm."),
    ValueMap { "1", "2", "3", "4", "5", "6" },
    Values { "DES", "IDEA", "Blowfish", "RC5", "3DES",
      "CAST"}]
   uint16 CipherAlgorithm;

   // Hash function for the phase 1 exchange; closed enumeration.
   [Description ("HashAlgorithm is an enumeration that specifies "
      "the proposed hash function."),
    ValueMap {"1", "2", "3"},
    Values {"MD5", "SHA-1", "Tiger"}]
   uint16 HashAlgorithm;

   // No values are defined for this property (see description), so it
   // carries no ValueMap.
   [Description ("PRFAlgorithm specifies the pseudo-random "
      "function IKE should use. Currently, no such functions are "
      "defined.")]
   uint16 PRFAlgorithm;

   // Qualifies GroupId when GroupId falls in the vendor range
   // (32768-65535); meaningless otherwise.
   [Description ("The VendorID property is used to identify "
      "vendor-defined key exchange GroupIDs."),
    ModelCorrespondence {"CIM_IKEProposal.GroupId"}]
   string VendorID;

   // Diffie-Hellman / EC group for the exchange. 0 means "Not Applicable"
   // and is what the description prescribes when the exchange mode is
   // neither Base nor Main.
   [Description ("When IKEAction.ExchangeMode is set to "
      "\"Base\" or to \"Main,\" the GroupId specifies the key "
      "exchange group ID to use in a proposal, otherwise, "
      "GroupId is set to 0, \"Not Applicable,\" and ignored. "
      "If the GroupID number is from the vendor-specific range "
      "(32768-65535), the VendorID qualifies the group number. "
      "Well-known group identifiers from RFC2412 are:\n"
      " 0='Not Applicable', 1='DH768', 2='DH1024', "
      "3='ECC2N155', 4='ECC2N185', and 5='DH1536'"),
    ModelCorrespondence {"CIM_IKEProposal.VendorID"}]
   uint16 GroupId;

   // NOTE(review): "Any" (0) expands the proposal once per credential the
   // system holds, which per the description includes a preshared key if
   // one exists. A policy intended to be certificate-only should name the
   // signature method explicitly rather than rely on "Any".
   [Description ("AuthenticationMethod is an enumeration that "
      "specifies the authentication method to use for the "
      "proposal. If the value 0 (Any) is used, then the proposal "
      "should be multiplied in the IKE proposal list by as many "
      "authentication methods as correspond to credentials on the "
      "system (e.g., if the system has a preshared key and a "
      "certificate, then the proposal will be repeated twice -- "
      "once for each method)."),
    ValueMap { "0", "1", "2", "3", "4", "5", "6" },
    Values {"Any", "Preshared", "DSS_Signatures",
      "RSA_Signatures", "RSA_Encryption", "Revised_RSA_Encryption",
      "Kerberos" } ]
   uint16 AuthenticationMethod;

   // Time-based lifetime proposed for the phase 1 SA.
   [Description ("MaxLifetimeSeconds specifies the maximum time "
      "the IKE message sender proposes for an SA to be considered "
      "valid after it has been created."), Units("Seconds") ]
   uint32 MaxLifetimeSeconds;

   // Volume-based lifetime proposed for the phase 1 SA, in kilobytes.
   [Description ("MaxLifetimeKilobytes specifies the maximum "
      "kilobyte lifetime the IKE message sender proposes for an SA "
      "to be considered valid after it has been created. Each "
      "proposal may use a different lifetime based upon the "
      "strength of the encryption algorithm.") ]
   uint32 MaxLifetimeKilobytes;
};
|
|
|
// ================================================================== |
|
// IPsecProposal |
|
// ================================================================== |
|
// Phase 2 proposal. The class body is empty: the transforms it
// "aggregates" (AH/ESP/IPCOMP SATransform subclasses) are attached
// through an association, presumably defined elsewhere in this file.
[Description ("IPsecProposal aggregates the transform list "
   "that specify the phase 2 negotiation proposals for "
   "transform parameters.") ]
class CIM_IPsecProposal : CIM_SAProposal
{
};
|
|
|
// ================================================================== |
|
// IKEService |
|
// ================================================================== |
|
// The IKE daemon as a manageable NetworkService. No properties of its own;
// it exists so policy, identities and peers can be associated with the
// service that performs the negotiations.
[Description (
   "Derived from NetworkService, IKEService represents the "
   "functions performed during IKE phase 1 and phase 2 "
   "negotiations. An IKEService instance provides services "
   "for IPProtocolEndpoints on a System.") ]
class CIM_IKEService: CIM_NetworkService
{
};
|
|
|
// ================================================================== |
|
// PeerGateway |
|
// ================================================================== |
|
// A remote security gateway the IKE service negotiates with, scoped to
// (weak to) the local System. PeerIdentityType/PeerIdentity describe the
// IKE identity associated with that gateway.
[Description ("PeerGateway identifies a security gateway with "
   "which an IKE Service negotiates.") ]
class CIM_PeerGateway: CIM_LogicalElement
{
   // Propagated from the scoping System; part of the key.
   [Propagated ("CIM_System.CreationClassName"), Key,
    MaxLen (256), Description (
      "The scoping System's CreationClassName. ") ]
   string SystemCreationClassName;

   // Propagated from the scoping System; part of the key.
   [Propagated ("CIM_System.Name"), Key, MaxLen (256),
    Description ("The scoping System's Name.") ]
   string SystemName;

   // Records the concrete subclass an instance was created as.
   [Key, MaxLen (256), Description (
      "CreationClassName indicates the name of the class or the "
      "subclass used in the creation of an instance. When used "
      "with the other key properties of this class, this property "
      "allows all instances of this class and its subclasses to "
      "be uniquely identified." ) ]
   string CreationClassName;

   // Overrides the inherited Name to make it a key.
   [Override ("Name"), Key, MaxLen (256),
    Description (
      "The Name property uniquely identifies the PeerGateway "
      "instance.") ]
   string Name;

   // Type of the gateway's IKE identity; determines how PeerIdentity is
   // to be interpreted. Same enumeration as PeerIdentityEntry/IKEIdentity.
   [Description ("The PeerIdentityType specifies the type of the "
      "Peer's IKE Identity."),
    ValueMap
      {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
    Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
      "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
      "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
    ModelCorrespondence {"CIM_PeerGateway.PeerIdentity"}]
   uint16 PeerIdentityType;

   // String form of the Identity payload. NOTE(review): the schema does
   // not say whether this is merely descriptive or is matched against the
   // identity the gateway presents in phase 1 — confirm with the provider.
   [Description ("PeerIdentity contains a string encoding of the "
      "Identity payload for the security gateway."),
    ModelCorrespondence {"CIM_PeerGateway.PeerIdentityType"}]
   string PeerIdentity;
};
|
|
|
// ================================================================== |
|
// PeerIdentityTable |
|
// ================================================================== |
|
// Container for PeerIdentityEntry instances (identity <-> address
// mappings), scoped to (weak to) the local System.
[Description ("PeerIdentityTable aggregates table entries "
   "that provide mappings between identities and their "
   "addresses.") ]
class CIM_PeerIdentityTable: CIM_Collection
{
   // Propagated from the scoping System; part of the key.
   [Propagated ("CIM_System.CreationClassName"), Key,
    MaxLen (256), Description (
      "The scoping System's CreationClassName. ") ]
   string SystemCreationClassName;

   // Propagated from the scoping System; part of the key.
   [Propagated ("CIM_System.Name"), Key, MaxLen (256),
    Description ("The scoping System's Name.") ]
   string SystemName;

   // Records the concrete subclass an instance was created as.
   [Key, MaxLen (256), Description (
      "CreationClassName indicates the name of the class or the "
      "subclass used in the creation of an instance. When used "
      "with the other key properties of this class, this property "
      "allows all instances of this class and its subclasses to "
      "be uniquely identified." ) ]
   string CreationClassName;

   // Table name, unique within the scoping System.
   [Key, MaxLen (256), Description ("The Name property uniquely "
      "identifies the PeerIdentityTable." ) ]
   string Name;
};
|
|
|
// ================================================================== |
|
// PeerIdentityEntry |
|
// ================================================================== |
|
// One identity <-> address mapping, weak to its PeerIdentityTable. Note
// that PeerIdentityType, PeerIdentity, PeerAddressType and PeerAddress
// are all Keys, so the same identity may appear with several addresses
// and the same address with several identities.
[Description ("A PeerIdentityEntry in a PeerIdentityTable "
   "provides the mappings between peer's addresses and "
   "identities." ) ]
class CIM_PeerIdentityEntry: CIM_LogicalElement
{
   // Propagated through the scoping table from the System.
   [Propagated ("CIM_PeerIdentityTable.SystemCreationClassName" ),
    Key, MaxLen (256), Description (
      "The scoping System's CreationClassName. " ) ]
   string SystemCreationClassName;

   // Propagated through the scoping table from the System.
   [Propagated ("CIM_PeerIdentityTable.SystemName"), Key,
    MaxLen (256), Description ("The scoping System's Name." ) ]
   string SystemName;

   // Keys of the scoping PeerIdentityTable.
   [Propagated ("CIM_PeerIdentityTable.CreationClassName"), Key,
    MaxLen (256), Description (
      "The scoping PeerIdentityTable CreationClassName.") ]
   string TableCreationClassName;

   [Propagated ("CIM_PeerIdentityTable.Name"), Key,
    MaxLen (256), Description (
      "The scoping PeerIdentityTable Name." ) ]
   string TableName;

   // Records the concrete subclass an instance was created as.
   [Key, MaxLen (256), Description (
      "CreationClassName indicates the name of the class or the "
      "subclass used in the creation of an instance. When used "
      "with the other key properties of this class, this property "
      "allows all instances of this class and its subclasses to "
      "be uniquely identified.") ]
   string CreationClassName;

   // Type of the peer's IKE identity; same enumeration as PeerGateway
   // and IKEIdentity.
   [Key, Description ("The PeerIdentityType specifies the type "
      "of the Peer's IKE Identity."),
    ValueMap
      {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
    Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
      "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
      "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
    ModelCorrespondence {"CIM_PeerIdentityEntry.PeerIdentity"}]
   uint16 PeerIdentityType;

   // String form of the peer's Identity payload; a key, so the string
   // encoding must be canonical for lookups to match.
   [Key, Description ("PeerIdentity contains a string encoding "
      "of the Identity payload for the peer."),
    ModelCorrespondence {"CIM_PeerIdentityEntry.PeerIdentityType"}]
   string PeerIdentity;

   // The IPv4-first rule in the description matters because PeerAddress
   // is a key: an IPv4 address written in an IPv6 form would be a
   // different key and would not match an IPv4-form entry.
   [Key, Description (
      "An enumeration that describes the format of the PeerAddress "
      "property. Addresses that can be formatted in IPv4 format, "
      "must be formatted that way to ensure mixed IPv4/IPv6 "
      "support."),
    ValueMap { "0", "1", "2" },
    Values { "Unknown", "IPv4", "IPv6" },
    ModelCorrespondence {"CIM_PeerIdentityEntry.PeerAddress"}]
   uint16 PeerAddressType;

   // Textual IP address, formatted per PeerAddressType.
   [Key, Description (
      "The string representation of the IP address of the peer "
      "formatted according to the appropriate convention as "
      "defined in the PeerAddressType property of this class "
      "(e.g., 171.79.6.40)."),
    ModelCorrespondence {"CIM_PeerIdentityEntry.PeerAddressType"}]
   string PeerAddress;
};
|
|
|
// ================================================================== |
|
// IPsecProtectionSuite |
|
// ================================================================== |
|
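// The set of SAs IKE negotiates together for one IPProtocolEndpoint
// (at most inbound+outbound for each of AH, ESP and IPCOMP). Unlike the
// policy classes above, this collection is scoped to (weak to) the
// IPProtocolEndpoint, not directly to the System.
[Description ("IPsecProtectionSuite represents the collection "
   "of SAs negotiated as a set by IKE. A protection suite may "
   "consist of up to 6 individual SAs (incoming and outgoing "
   "SAs for AH, ESP, and IPCOMP)") ]
class CIM_IPsecProtectionSuite : CIM_Collection
{
   // Records the concrete subclass an instance was created as.
   [Key, MaxLen (256), Description (
      "CreationClassName indicates the name of the class or the "
      "subclass used in the creation of an instance. When used "
      "with the other key properties of this class, this property "
      "allows all instances of this class and its subclasses to "
      "be uniquely identified.") ]
   string CreationClassName;

   // Suite name, unique within the scoping IPProtocolEndpoint. The
   // previous description was copied from CIM_Service ("identifies the
   // Service ... functionality that is managed"); this is a Collection.
   [Key, MaxLen (256), Description (
      "The Name property uniquely identifies the "
      "IPsecProtectionSuite. When used with the other key "
      "properties of this class, it allows the protection suite "
      "to be uniquely identified within its scoping "
      "IPProtocolEndpoint. ") ]
   string Name;

   // The four keys below are propagated from the scoping
   // IPProtocolEndpoint (the SAP), which in turn carries the System keys.
   [Propagated ("CIM_IPProtocolEndpoint.SystemCreationClassName"),
    Key, MaxLen (256), Description (
      "The scoping System's CreationClassName. ") ]
   string SystemCreationClassName;

   [Propagated ("CIM_IPProtocolEndpoint.SystemName"), Key,
    MaxLen (256), Description ("The scoping System's Name.") ]
   string SystemName;

   [Propagated ("CIM_IPProtocolEndpoint.CreationClassName"), Key,
    MaxLen (256), Description (
      "The scoping IPProtocolEndpoint's CreationClassName. ") ]
   string SAPCreationClassName;

   [Propagated ("CIM_IPProtocolEndpoint.Name"), Key,
    MaxLen (256), Description (
      "The scoping IPProtocolEndpoint's Name.") ]
   string SAPName;
};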
|
|
|
// ================================================================== |
|
// IKEIdentity |
|
// ================================================================== |
|
// A local IKE identity (what the IKEService presents in phase 1) for an
// IPProtocolEndpoint or a collection of endpoints. Selection at
// negotiation time is driven by IKEAction.UseIKEIdentityType, the local
// address and IKERule.IdentityContexts (see IdentityContexts below).
[Description ("IKEIdentity is used to represent the "
   "identities that may be used for an IPProtocolEndpoint (or "
   "collection of IPProtocolEndpoints) to identify the "
   "IKEService in IKE phase 1 negotiations. The policy "
   "IKEAction.UseIKEIdentityType specifies which type of the "
   "available identities to use in a negotiation exchange and "
   "the IKERule.IdentityContexts specifies the match values to "
   "be used, along with the local address, in selecting the "
   "appropriate identity for a negotiation. The ElementID "
   "property value should be that of either the "
   "IPProtocolEndpoint or Collection of endpoints as "
   "appropriate.") ]
class CIM_IKEIdentity : CIM_UsersAccess
{
   // Same identity-type enumeration as PeerGateway/PeerIdentityEntry.
   // NOTE(review): the ModelCorrespondence names
   // "CIM_IKEAction.UseIKEIdentity", while the class and IdentityContexts
   // descriptions both refer to IKEAction.UseIKEIdentityType. One of the
   // two is wrong; verify against the CIM_IKEAction definition.
   [Description ("The IdentityType specifies the type of IKE "
      "Identity."),
    ValueMap
      {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
    Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
      "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
      "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
    ModelCorrespondence {"CIM_IKEAction.UseIKEIdentity",
      "CIM_IKEIdentity.IdentityValue"}]
   uint16 IdentityType;

   // String form of the Identity payload. May be omitted for address
   // types, in which case the associated endpoint's address is used.
   [Description ("IdentityValue contains a string encoding of "
      "the Identity payload. For IKEIdentity instances that are "
      "address types, the IdentityValue string value may be "
      "omitted and the associated IPProtocolEndpoint or "
      "appropriate member of the Collection of endpoints is used."),
    ModelCorrespondence {"CIM_IKEIdentity.IdentityType"}]
   string IdentityValue;

   // Role-style match strings ("<ContextName>[&&<ContextName>]*", names
   // in UCS-2 collating order). Matching is ORed across array elements.
   // The description requires that address + UseIKEIdentityType +
   // context resolve to exactly one IKEIdentity; the schema itself cannot
   // enforce that uniqueness, so the provider must.
   [Description (
      "The IdentityContexts property is used to constrain the use "
      "of IKEIdentity instances to match that specified in the "
      "IKERule.IdentityContexts. The IdentityContexts are "
      "formatted as policy roles and role combinations. Each "
      "value represents one context or context combination. Since "
      "this is a multi-valued property, more than one context or "
      "combination of contexts can be associated with a single "
      "IKEIdentity. Each value is a string of the form:\n"
      " <ContextName>[&&<ContextName>]*\n"
      "where the individual context names appear in alphabetical "
      "order (according to the collating sequence for UCS-2). "
      "If one or more values in the IKERule.IdentityContexts array "
      "match one or more IKEIdentity.IdentityContexts then the "
      "identity's context matches. (That is, each value of the "
      "IdentityContext array is an ORed condition.) In "
      "combination with the address of the IPProtocolEndpoint and "
      "IKEAction.UseIKEIdentityType, there should be 1 and only 1 "
      "IKEIdentity." ),
    ModelCorrespondence {"CIM_IKERule.IdentityContexts" } ]
   string IdentityContexts [];
};
|
|
|
// ================================================================== |
|
// SecurityAssociation |
|
// ================================================================== |
|
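// Common lifetime / rekey / idle-timeout state for every SA type (IKE,
// IPsec, Discard, Bypass). One instance per direction of flow.
[Description ("SecurityAssociation (SA) subclasses are used "
   "to represent the protocol endpoint of the secure connection "
   "established with the IKE/ISAKMP protocol. An SA is used for "
   "each direction of flow.") ]
class CIM_SecurityAssociation : CIM_ProtocolEndpoint
{
   // Creation timestamp; the reference point for LifetimeSeconds.
   [Description (
      "TimeOfCreation records when the SA was created")]
   datetime TimeOfCreation;

   // Hard time-based lifetime of the SA.
   [Description ("LifetimeSeconds specifies the maximum time SA "
      "will be considered valid after it has been created."),
    Units("Seconds") ]
   uint32 LifetimeSeconds;

   // Despite the "Seconds" suffix this is a percentage of LifetimeSeconds
   // (a uint8), not a number of seconds; see the description. The random
   // offset it mentions is what keeps many SAs from rekeying in lockstep.
   [Description ("RefreshThresholdSeconds is the lifetime "
      "percentage at which IKE should automatically attempt to "
      "acquire a new SA before the existing SA expires. A random "
      "period may be added to a calculated threshold to reduce "
      "network thrashing.")]
   uint8 RefreshThresholdSeconds;

   // Last time traffic used the SA; drives the idle timeout below.
   [Description ("LastAccessed enables deletion if SA is idle "
      "too long.")]
   datetime LastAccessed;

   // Idle timeout; 0 disables idle deletion.
   [Description ("IdleDurationSeconds specifies how long the SA "
      "can be idle before it is deleted. The default value, 0, "
      "indicates that there is no idle time out period."),
    Units("Seconds")]
   uint32 IdleDurationSeconds;

   // Bytes protected so far. NOTE(review): this is a uint32 counting
   // bytes while LifetimeKilobytes is a uint32 counting kilobytes, so
   // ByteCount wraps at 4 GiB long before a large kilobyte lifetime can
   // be reached; the provider must scale units and handle wrap-around
   // when applying RefreshThresholdKilobytes.
   [Description ("How many bytes have been protected by this SA.")]
   uint32 ByteCount;

   // Hard volume-based lifetime, in kilobytes. (Description wording
   // corrected: "It is deleted SA if LifetimeKilobyte value is exceeded.")
   [Description ("LifetimeKilobytes specifies the maximum number "
      "of kilobytes of data traffic to be protected by the SA. The "
      "SA is deleted if the LifetimeKilobytes value is exceeded.")]
   uint32 LifetimeKilobytes;

   // Percentage of LifetimeKilobytes (not an absolute byte count) at
   // which rekeying should start.
   [Description ("RefreshThresholdKilobytes is the ByteCount "
      "value, expressed as a percentage of the LifetimeKilobytes, "
      "at which IKE should begin to renegotiate a new SA. A "
      "random value may be added to the calculated threshold to "
      "reduce network thrashing.")]
   uint8 RefreshThresholdKilobytes;

   // NOTE(review): the schema does not say what the log contains, where
   // it is kept or for how long; treat it as sensitive data when enabled.
   [Description (
      "DoPacketLogging causes a log to be kept of traffic "
      "processed by the SA." )]
   boolean DoPacketLogging;
};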
|
|
|
// ================================================================== |
|
// IKESecurityAssociation |
|
// ================================================================== |
|
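// The phase 1 (ISAKMP) SA. Adds the ISAKMP cookie pair, the count/limit
// of phase 2 keys derived from it, and the negotiated phase 1 algorithms.
[Description ("IKESecurityAssociation is the SA used by IKE "
   "to protect key negotiation traffic.") ]
class CIM_IKESecurityAssociation : CIM_SecurityAssociation
{
   // ISAKMP initiator cookie. Together with ResponderCookie it may form
   // the inherited key 'Name'. (Descriptions of both cookies previously
   // lacked the space after "this value,".)
   [Description ("Identifier of the IKE phase 1 negotiation "
      "initiator. Combined with the ResponderCookie, this value, "
      "in string form, may be used to construct the value of the "
      "key field 'Name'." ) ]
   uint64 InitiatorCookie;

   // ISAKMP responder cookie; see InitiatorCookie.
   [Description ("Identifier of the IKE phase 1 negotiation "
      "responder. Combined with the InitiatorCookie, this value, "
      "in string form, may be used to construct the value of the "
      "key field 'Name'." ) ]
   uint64 ResponderCookie;

   // Running count compared against LifetimeDerivedKeys and
   // RefreshThresholdDerivedKeys.
   [Description ("How many phase 2 derived keys have been "
      "negotiated with this SA." ) ]
   uint32 DerivedKeyCount;

   // Bound on phase 2 keys derived from this phase 1 SA; 0 = unlimited.
   // (Typo "LiftetimeDerivedKeys" and the missing space in "there isno"
   // corrected.)
   [Description ("Delete SA if more than LifetimeDerivedKeys "
      "phase 2 keys derived. A zero value indicates that there is "
      "no limit to the number of phase 2 derived keys." ) ]
   uint32 LifetimeDerivedKeys;

   // Percentage of LifetimeDerivedKeys at which to rekey phase 1.
   [Description ("Percentage of LifetimeDerivedKeys at which "
      "SA should be refreshed." ) ]
   uint8 RefreshThresholdDerivedKeys;

   // NOTE(review): the description says "proposed", copied from
   // IKEProposal; on an established SA this presumably records the
   // algorithm that was actually negotiated — confirm with the provider.
   [Description ("CipherAlgorithm is an enumeration that "
      "specifies the proposed encryption algorithm."),
    ValueMap { "1", "2", "3", "4", "5", "6" },
    Values
      {"DES", "IDEA", "Blowfish", "RC5", "3DES", "CAST"}]
   uint16 CipherAlgorithm;

   // Same caveat as CipherAlgorithm regarding "proposed".
   [Description ("HashAlgorithm is an enumeration that specifies "
      "the proposed hash function."),
    ValueMap {"1", "2", "3"},
    Values {"MD5", "SHA-1", "Tiger" } ]
   uint16 HashAlgorithm;

   // Diffie-Hellman / EC group in use; vendor range 32768-65535 is
   // qualified by VendorID.
   [Description ("GroupId specifies the key exchange group ID. "
      "If the GroupID number is from the vendor-specific range "
      "(32768-65535), the VendorID qualifies the group number. "
      "Well-known group identifiers from RFC2412 are:\n"
      "1='DH768', 2='DH1024', 3='ECC2N155', 4='ECC2N185', and "
      "5='DH1536'"),
    ModelCorrespondence {"CIM_IKESecurityAssociation.VendorID"}]
   uint16 GroupId;

   // Qualifies GroupId when it is in the vendor range.
   [Description ("VendorID identifies the vendor ID for "
      "vendor-defined algorithms."),
    ModelCorrespondence {"CIM_IKESecurityAssociation.GroupId"}]
   string VendorID;
};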
|
|
|
|
|
// ================================================================== |
|
// IPsecSecurityAssociation |
|
// ================================================================== |
|
// A phase 2 (AH, ESP or IPCOMP) SA, whether negotiated by IKE or
// configured statically. Identified on the wire by SPI.
[Description ("IPsecSecurityAssociation is used to represent "
   "both negotiated and static SAs that correspond to AH, ESP, "
   "or IPCOMP.") ]
class CIM_IPsecSecurityAssociation : CIM_SecurityAssociation
{
   // Security Parameter Index; its string form may serve as the
   // inherited key 'Name'.
   [Description ("SPI contains the Security Parameter Index of "
      "the SA. This value in string form may also be used in "
      "the key field 'Name' inherited from ServiceAccessPoint. ")]
   uint32 SPI;

   // 1 = Tunnel, 2 = Transport. No "Unknown"/0 value is defined.
   [Description ("EncapsulationMode indicates whether the "
      "security association is for a transport or tunnel "
      "encapsulation mode."),
    ValueMap {"1", "2"},
    Values {"Tunnel", "Transport"}]
   uint16 EncapsulationMode;

   // Outer-header DF-bit policy. The description ties this to "the
   // tunnel", so it is presumably only meaningful when
   // EncapsulationMode = Tunnel.
   [Description (
      "DFHandling controls how the Don't Fragment bit "
      "is managed by the tunnel. " ),
    ValueMap {"1", "2", "3"},
    Values {"Copy", "Set", "Clear"}]
   uint16 DFHandling;
};
|
|
|
// ================================================================== |
|
// DiscardSecurityAssociation |
|
// ================================================================== |
|
// Pseudo-SA whose "protection" is to drop matching traffic. Inherits the
// lifetime/idle properties of SecurityAssociation but adds none of its own.
[Description ("DiscardSecurityAssociation is the SA type that "
   "causes packets to be dropped.") ]
class CIM_DiscardSecurityAssociation: CIM_SecurityAssociation
{
};
|
// ================================================================== |
|
// BypassSecurityAssociation |
|
// ================================================================== |
|
// Pseudo-SA that passes matching traffic without IPsec protection (in the
// clear). Instances of this class are the IPsec bypass surface of the
// system and deserve the same review as an explicit "allow" firewall rule.
[Description ("BypassSecurityAssociation is the SA type that "
   "causes packets to be sent in the clear.") ]
class CIM_BypassSecurityAssociation: CIM_SecurityAssociation
{
};
|
|
|
// ================================================================== |
|
// AutostartIKEConfiguration |
|
// ================================================================== |
|
// Grouping object for AutostartIKESetting instances; carries no
// properties of its own beyond those of SystemConfiguration.
[Description ("AutostartIKEConfiguration object allows the "
   "grouping of sets of AutostartIKESetting instances.") ]
class CIM_AutostartIKEConfiguration : CIM_SystemConfiguration
{
};
|
|
|
// ================================================================== |
|
// AutostartIKESetting |
|
// ================================================================== |
|
// Describes a 5-tuple (addresses, ports, protocol) for which the system
// should proactively start IKE, or statically create an SA, at startup.
// The tuple is matched against policy filter entries to pick the action.
[Description ("AutostartIKESetting instances are used to "
   "automatically initiate IKE negotiations with peers (or "
   "statically create an SA) as specified in the "
   "AutostartIKESetting properties. Appropriate actions are "
   "initiated according to the policy that matches the setting "
   "parameters.") ]
class CIM_AutostartIKESetting : CIM_SystemSetting
{
   // True: establish only the phase 1 SA. False: phase 1 and phase 2.
   [Description (
      "Phase1Only is used to limit the IKE negotiation to just "
      "setting up a phase 1 security association. When set to "
      "False, both phase 1 and 2 negotiations are initiated.") ]
   boolean Phase1Only;

   // One AddressType governs both SourceAddress and DestinationAddress,
   // so both must be of the same IP version.
   [Description (
      "An enumeration that describes the format of the source and "
      "destination address properties."),
    ValueMap { "0", "1", "2" },
    Values { "Unknown", "IPv4", "IPv6" },
    ModelCorrespondence {"CIM_AutostartIKESetting.SourceAddress",
      "CIM_AutostartIKESetting.DestinationAddress"}]
   uint16 AddressType;

   // Local address of the selector; also used in phase 2 negotiation.
   [Description (
      "The dotted-decimal or colon-decimal formatted IP address "
      "used as the source address in comparing with policy "
      "filter entries and used in any phase 2 negotiations."),
    ModelCorrespondence {"CIM_AutostartIKESetting.AddressType"}]
   string SourceAddress;

   // Source port of the selector. NOTE(review): no "any port" sentinel is
   // documented here; confirm how 0 is treated by the provider.
   [Description (
      "The port number used as the source port in comparing "
      "with policy filter entries and used in any phase "
      "2 negotiations.")]
   uint16 SourcePort;

   // Remote address of the selector; also used in phase 2 negotiation.
   [Description (
      "The dotted-decimal or colon-decimal formatted IP address "
      "used as the destination address in comparing with policy "
      "filter entries and used in any phase 2 negotiations."),
    ModelCorrespondence {"CIM_AutostartIKESetting.AddressType"}]
   string DestinationAddress;

   // Destination port of the selector; same caveat as SourcePort.
   [Description (
      "The port number used as the destination port in comparing "
      "with policy filter entries and used in any phase 2 "
      "negotiations.")]
   uint16 DestinationPort;

   // IP protocol number of the selector.
   [Description (
      "The protocol number used in comparing with policy filter "
      "entries and used in any phase 2 negotiations.")]
   uint8 Protocol;
};
|
|
|
|
|
///////////////////////////////////////////////////////////////////// |
|
//******************************************************************* |
|
// Associations |
|
//******************************************************************* |
|
///////////////////////////////////////////////////////////////////// |
|
|
|
// ================================================================== |
|
// SAConditionInRule |
|
// ================================================================== |
|
// Binds an SARule to the SACondition(s) that trigger it. Min(1) on the
// condition side means a rule must have at least one condition.
[ Association, Aggregation, Description (
   "SAConditionInRule aggregates an SARule with the set of "
   "SACondition instances that trigger it.") ]
class CIM_SAConditionInRule : CIM_PolicyConditionInPolicyRule
{
   // The rule (aggregate side).
   [Aggregate, Override ("GroupComponent"), Description (
      "An SARule subclass of PolicyRule." ) ]
   CIM_SARule REF GroupComponent;

   // A condition of the rule; at least one is required.
   [Override ("PartComponent"), Min(1), Description (
      "An SACondition subclass of PolicyCondition. " ) ]
   CIM_SACondition REF PartComponent;
};
|
|
|
// ================================================================== |
|
// FilterOfSACondition |
|
// ================================================================== |
|
// Ties a traffic selector (FilterList) to an SACondition. Min(1), Max(1)
// on the filter side: every SACondition has exactly one FilterList.
[ Association, Description (
   "FilterOfSACondition associates a network traffic "
   "specification (FilterList) with a SARule's SACondition." ) ]
class CIM_FilterOfSACondition : CIM_Dependency
{
   // The traffic specification; exactly one per condition.
   [Override ("Antecedent"), Min(1), Max(1), Description (
      "A FilterList describes the traffic that will specify the "
      "traffic to be filtered that is part of the SACondition of "
      "a policy rule. " ) ]
   CIM_FilterList REF Antecedent;

   // The condition that consumes the filter.
   [Override ("Dependent"), Description (
      "This is the SACondition that uses this FilterList to form "
      "a policy rule. " ) ]
   CIM_SACondition REF Dependent;
};
|
|
|
// ================================================================== |
|
// AcceptCredentialsFrom |
|
// ================================================================== |
|
// Trust-anchor binding: names the CredentialManagementService (CA,
// Kerberos, ...) whose issued credentials an SACondition will accept when
// matching a peer's credential. Adding an instance of this association
// widens the set of issuers trusted for that condition.
[Association, Description (
   "This is used to specify which credential management service "
   "(e.g., a CertificateAuthority or a Kerberos service) is to "
   "be trusted to certify peer credentials. This is used to "
   "validate that the credential being matched in the "
   "CredentialFilterEntry is a valid credential that has been "
   "supplied by an approved CredentialManagementService. " ) ]
class CIM_AcceptCredentialsFrom : CIM_Dependency
{
   // The trusted issuer. No Min/Max is declared, so the schema does not
   // itself require a condition to have any approved issuer.
   [Override ("Antecedent"),
    Description ("The CredentialManagementService that is issuing "
      "the credential to be used in the SACondition. " ) ]
   CIM_CredentialManagementService REF Antecedent;

   // The condition whose credential match relies on that issuer.
   [Override ("Dependent"),
    Description ("SACondition that contains the credential. " ) ]
   CIM_SACondition REF Dependent;
};
|
|
|
// ================================================================== |
|
// SAActionInRule |
|
// ================================================================== |
|
[Association, Aggregation, Description ( |
|
"SAActionInRule aggregates SAActions into SARules In " |
|
"SAActionInRule, the combination of the ActionOrder value and " |
|
"the FallbackOrder value MUST be unique so as to specify a " |
|
"deterministic execution strategy. An ActionOrder value " |
|
"specifies a set of actions to be attempted and the order in " |
|
"which to attempt the set with respect to other ActionOrder " |
|
"sets. The FallbackOrder specifies the order in which to " |
|
"attempt the actions within the set.\n" |
|
"\n" |
|
"For example, {ActionOrder=1,FallbackOrder=1} is the backup " |
|
"action for {ActionOrder=1,FallbackOrder=0} and {ActionOrder=2," |
|
"FallbackOrder=1} is the backup action for {ActionOrder=2," |
|
"FallbackOrder=0}. In this example, {1,0} will be attempted " |
|
"and, if it fails or is otherwise inappropriate, {1,1} is then " |
|
"attempted. Regardless of which of these, if any, succeeds, " |
|
"{2,0} is then attempted, and so on.\n" |
|
"\n" |
|
"In an initiator role, if there is more than one action in the " |
|
"rule, the ActionOrder identified sets are executed as described " |
|
"above using the FallbackOrder to determin ethe order in which " |
|
"to attempt actions within a set, i.e., the additional actions " |
|
"with the same ActionOrder value are 'backup' actions in the " |
|
"event that the first action is not able to be completed " |
|
"successfully. Within each ActionOrder identified set. they are " |
|
"tried in the FallbackOrder until the list is exhausted or one " |
|
"completes successfully.\n" |
|
"\n" |
|
"In a responder role, it is an error to have more than one " |
|
"ActionOrder set in the rule however, there may be more than one " |
|
"action each identified by a unique FallbackOrder value. The " |
|
"additional actions provide alternative actions depending on the " |
|
"received proposals. For example, the same rule may be used to " |
|
"handle aggressive mode and main mode message flows with " |
|
"different actions. The first appropriate action in the list of " |
|
"actions is used by the responder.")] |
|
class CIM_SAActionInRule : CIM_PolicyActionInPolicyRule |
|
{ |
|
// Aggregates SAActions into an SARule. The pair (ActionOrder, FallbackOrder) |
// fixes the execution strategy described in the class Description above; |
// the uniqueness that Description requires of the pair cannot be expressed |
// in MOF, so it has to be enforced wherever rule instances are validated. |
// NOTE(review): a backup action that is weaker than the action it backs up |
// turns every failed or "otherwise inappropriate" attempt into a silent |
// downgrade of protection -- review FallbackOrder lists with that in mind. |
[Aggregate, Override ("GroupComponent"), Description ( |
|
"An SARule that contains one or more SAActions. " ) ] |
|
CIM_SARule REF GroupComponent; |
|
|
|
// Min(1): every SARule aggregates at least one SAAction. |
[Override ("PartComponent"), Min(1), Description ( |
|
"An SAAction subclass of PolicyAction which is aggregated " |
|
"into this SARule. " ) ] |
|
CIM_SAAction REF PartComponent; |
|
[Override ("ActionOrder"), Description ( |
|
"ActionOrder is an unsigned integer that indicates the " |
|
"relative position of this SAAction in the sequence of " |
|
"actions associated with a PolicyRule.\n" |
|
"\n" |
|
"In SAActionInRule, the ActionOrder is used in conjunction " |
|
"with the FallbackOrder to determine the order in which " |
|
"actions are attempted. The ActionOrder value identifies a " |
|
"set of actions. The combination of the ActionOrder and the " |
|
"FallbackOrder MUST be unique so as to specify a " |
|
"deterministic execution strategy.")] |
|
uint16 ActionOrder; |
|
// Lowest FallbackOrder within an ActionOrder set is tried first; the rest |
// are backups tried in increasing order (see Description). |
[Description ( |
|
"FallbackOrder is an unsigned integer that indicates the " |
|
"order in which actions in the same ActionOrder-identified " |
|
"set are attempted. The lowest-numbered FallbackOrder within " |
|
"a set is the first attempted, others are used, in order as " |
|
"backups. The combination of the ActionOrder and the " |
|
"FallbackOrder MUST be unique so as to specify a " |
|
"deterministic execution strategy.")] |
|
uint16 FallbackOrder; |
|
}; |
|
|
|
|
|
// ================================================================== |
|
// IPsecPolicyForSystem |
|
// ================================================================== |
|
[Association, Description ( |
|
"IPsecPolicyForSystem associates an IPsec policy with a " |
|
"specific system (e.g., a host or a network device). If an " |
|
"IPProtocolEndpoint of a system does not have an " |
|
"IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the " |
|
"IPsecPolicyForSystem-associated IPsecPolicyGroup is used for " |
|
"that endpoint. " ) ] |
|
|
|
// System-wide default IPsec policy, used for endpoints that have no |
// IPsecPolicyForEndpoint instance of their own. |
// NOTE(review): Dependent is Min(0), so a System may carry no |
// IPsecPolicyGroup at all. An endpoint on such a System that also lacks an |
// endpoint-level group has no IPsec policy in this model, and what it then |
// does with traffic (discard, or pass in the clear) is not defined here -- |
// confirm that the implementation's default for that case is the |
// restrictive one. |
class CIM_IPsecPolicyForSystem : CIM_Dependency |
|
{ |
|
[Override ("Antecedent"), Description ("A System to which the " |
|
"IPsecPolicyGroup applies. " ) ] |
|
CIM_System REF Antecedent; |
|
|
|
// Max(1): at most one default group per System. |
[Override ("Dependent"), Min(0), Max(1), |
|
Description ("The IPsecPolicyGroup that is to be used for " |
|
"endpoints that do not have an associated IPsecPolicyGroup.") ] |
|
CIM_IPsecPolicyGroup REF Dependent; |
|
}; |
|
|
|
// ================================================================== |
|
// IPsecPolicyForEndpoint |
|
// ================================================================== |
|
// Per-interface IPsec policy. The Description implies that an endpoint-level |
// group is used instead of (not merged with) the System-level group for that |
// interface, so a permissive per-interface group removes the System policy |
// on it; audit both associations when establishing an interface's effective |
// policy. Max(1): at most one group per endpoint. |
[Association, Description ( |
|
"IPsecPolicyForEndpoint associates an IPsecPolicyGroup " |
|
"with a specific network interface. If an IPProtocolEndpoint " |
|
"of a system does not have an " |
|
"IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the " |
|
"IPsecPolicyForSystem associated IPsecPolicyGroup is used for " |
|
"that endpoint. " ) ] |
|
|
|
class CIM_IPsecPolicyForEndpoint : CIM_Dependency |
|
{ |
|
[Override ("Antecedent"), Description ( |
|
"The IPProtocolEndpoint that identifies an interface " |
|
"to which the IPsecPolicyGroup applies.") ] |
|
CIM_IPProtocolEndpoint REF Antecedent; |
|
|
|
[Override ("Dependent"), Min (0), Max (1), Description ( |
|
"IPsecPolicyGroup used for the interface.") ] |
|
CIM_IPsecPolicyGroup REF Dependent; |
|
}; |
|
|
|
// ================================================================== |
|
// RuleForIPsecNegotiation |
|
// ================================================================== |
|
// Phase 2 (IPsec) rules in their policy group. "ContainingGroup" in the |
// Description refers to the GroupComponent reference below; its Min(1), |
// Max(1) is what makes an IPsecRule belong to exactly one group and so |
// not be sharable. |
[Association, Aggregation, Description ( |
|
"RuleForIPsecNegotiation associates an IPsecRule with the " |
|
"IPsecPolicyGroup that contains it. This is used to contain " |
|
"the phase 2 rules to control IKE negotiation. \n\n" |
|
"ContainingGroup is restricted to a cardinality of 1. This " |
|
"means that the IPsecRule instances are not sharable across " |
|
"multiple policy groups. " ) ] |
|
|
|
class CIM_RuleForIPsecNegotiation : CIM_PolicyRuleInPolicyGroup |
|
{ |
|
[Aggregate, Override ("GroupComponent"), Min(1), Max(1), |
|
Description ("An IPsecPolicyGroup that aggregates a set of " |
|
"policy rules. " ) ] |
|
CIM_IPsecPolicyGroup REF GroupComponent; |
|
|
|
[Override ("PartComponent"), Description ( |
|
"A policy rule aggregated into a set of policy rules, " |
|
"forming an atomic policy group. " ) ] |
|
CIM_IPsecRule REF PartComponent; |
|
}; |
|
|
|
|
|
// ================================================================== |
|
// RuleForIKENegotiation |
|
// ================================================================== |
|
// Phase 1 (IKE) rules in their policy group. "ContainingGroup" in the |
// Description refers to the GroupComponent reference below; its Min(1), |
// Max(1) is what makes an IKERule belong to exactly one group and so |
// not be sharable. |
[ Association, Aggregation, Description ( |
|
"RuleForIKENegotiation associates an IKERule with the " |
|
"IPsecPolicyGroup that contains it. This is used to control " |
|
"phase 1 IKE negotiation. \n\n" |
|
"ContainingGroup is restricted to a cardinality of 1. This " |
|
"means that the IKERule instances are not sharable across " |
|
"multiple policy groups. " ) ] |
|
|
|
class CIM_RuleForIKENegotiation : CIM_PolicyRuleInPolicyGroup |
|
{ |
|
[Aggregate, Override ("GroupComponent"), Min(1), Max(1), |
|
Description ("An IPsecPolicyGroup that aggregates a set of " |
|
"policy rules. " ) ] |
|
CIM_IPsecPolicyGroup REF GroupComponent; |
|
|
|
[Override ("PartComponent"), Description ( |
|
"A policy rule aggregated into a set of policy rules, " |
|
"forming an atomic policy group. " ) ] |
|
CIM_IKERule REF PartComponent; |
|
}; |
|
|
|
// ================================================================== |
|
// ContainedProposal |
|
// ================================================================== |
|
[Association, Aggregation, Description ( |
|
"ContainedProposal holds the ordered list of SA proposals " |
|
"for a SANegotiationAction. " ) ] |
|
|
|
class CIM_ContainedProposal: CIM_PolicyComponent |
|
{ |
|
[Aggregate, Override ("GroupComponent"), Description ( |
|
"SANegotiationAction for this list of proposals. " ) ] |
|
CIM_SANegotiationAction REF GroupComponent; |
|
|
|
[Override ("PartComponent"), Description ( |
|
"SAProposal in this action. " ) ] |
|
CIM_SAProposal REF PartComponent; |
|
|
|
[Description ( |
|
"SequenceNumber indicates the ordering to be used when " |
|
"choosing from among the proposals; lower values are " |
|
"preferred by the sender. The strongest proposal should carry the " |
|
"lowest SequenceNumber, since the peer may accept the first " |
|
"proposal it finds acceptable. " ) ] |
|
uint16 SequenceNumber; |
|
}; |
|
|
|
// ================================================================== |
|
// FilterOfSecurityAssociation |
|
// ================================================================== |
|
// Traffic selector of an SA. Min(1), Max(1): every SecurityAssociation has |
// exactly one FilterList. The filter is attached to the SA itself, not to |
// the rule that produced it (see RuleThatGeneratedSA), so this is the |
// association to consult when verifying which traffic an active SA covers. |
[Association, Description ( |
|
"FilterOfSecurityAssociation associates a network traffic " |
|
"specification (i.e., a FilterList) with a set of " |
|
"SecurityAssociations to which the filter list applies. " ) ] |
|
|
|
class CIM_FilterOfSecurityAssociation : CIM_Dependency |
|
{ |
|
[Override ("Antecedent"), Min(1), Max(1), Description ( |
|
"FilterList describing the traffic to be matched against. " ) ] |
|
CIM_FilterList REF Antecedent; |
|
|
|
[Override ("Dependent"), Description ("SecurityAssociation " |
|
"using the FilterList for its selector. " ) ] |
|
CIM_SecurityAssociation REF Dependent; |
|
}; |
|
|
|
// ================================================================== |
|
// IKEUsesCredentialManagementService |
|
// ================================================================== |
|
// Trust anchors for IKE phase 1. Each instance names a |
// CredentialManagementService whose credentials the IKEService treats as |
// trusted, so creating an instance presumably widens the set of peers that |
// can authenticate to the service -- treat it as security-sensitive |
// configuration and audit changes to it. |
// NOTE(review): no Min on either side, so an IKEService with no trusted |
// source is representable; what the service does in that state is not |
// defined here. |
[Association, Description ( |
|
"IKEUsesCredentialManagementService defines the set of " |
|
"CredentialManagementService(s) that are trusted sources " |
|
"of credentials for IKE phase 1 negotiations. " ) ] |
|
|
|
class CIM_IKEUsesCredentialManagementService : CIM_Dependency |
|
{ |
|
[Override ("Antecedent"), Description ( |
|
"CredentialManagementService trusted for the IKE " |
|
"negotiation.") ] |
|
CIM_CredentialManagementService REF Antecedent; |
|
|
|
[Override ("Dependent"), |
|
Description ( |
|
"IKEService that is using the credentials issued by the " |
|
"trusted CredentialManagementService. " ) ] |
|
CIM_IKEService REF Dependent; |
|
}; |
|
|
|
// ================================================================== |
|
// TransformOfPreconfiguredAction |
|
// ================================================================== |
|
// Binds one to three SATransforms (intended: one each of AH, ESP, IPCOMP) |
// to a preconfigured, i.e. manually configured, SA action, and carries the |
// SPI for each binding. |
// NOTE(review): Max(3) bounds the count, not the mix -- nothing here stops |
// three transforms of the same type being bound; enforce one-per-type |
// wherever instances are validated. |
[ Association, Description ( |
|
"TransformOfPreconfiguredAction defines the transforms used " |
|
"by a preconfigured IPsec action.") ] |
|
|
|
class CIM_TransformOfPreconfiguredAction : CIM_Dependency |
|
{ |
|
[Override ("Antecedent"), Min(1), Max(3), |
|
Description ( |
|
"This defines the type of transform that the Preconfigured " |
|
"SA Action will be applied to. The cardinality enables an " |
|
"action to be applied to an AH, an ESP, or an IPCOMP " |
|
"transform. " ) ] |
|
CIM_SATransform REF Antecedent; |
|
|
|
[Override ("Dependent"), |
|
Description ( |
|
"This defines the Preconfigured IPsec action to be applied " |
|
"to the AH, ESP, or IPCOMP transform. " ) ] |
|
CIM_PreconfiguredSAAction REF Dependent; |
|
|
|
// NOTE(review): no range or uniqueness constraint is expressed for SPI. |
// IPsec reserves the low SPI values (0-255 in RFC 4301) and an SPI must be |
// unique on the receiving system for a given protocol -- validate in the |
// provider. No keying material for the preconfigured SA appears in this |
// association (cf. TransformOfSecurityAssociation). |
[Description ( |
|
"The SPI property specifies the security parameter index to " |
|
"be used by the pre-configured action for the associated " |
|
"transform." ) ] |
|
uint32 SPI; |
|
}; |
|
|
|
// ================================================================== |
|
// SAProposalInSystem |
|
// ================================================================== |
|
// Scoping association: SAProposal is Weak to System, so a proposal's |
// identity (its key includes the System's) and lifetime follow the scoping |
// System. Min(1), Max(1): exactly one System per proposal. |
[Association, Description ( |
|
"SAProposalInSystem provides the scoping relationship for " |
|
"SAProposals in a System. The SAProposal is weak to the " |
|
"System." ) ] |
|
|
|
class CIM_SAProposalInSystem : CIM_PolicyInSystem |
|
{ |
|
[Override ("Antecedent"), Min (1), Max (1), Description ( |
|
"This property identifies a System scoping one or more " |
|
"proposals.") ] |
|
CIM_System REF Antecedent; |
|
|
|
[Override ("Dependent"), Weak, Description ( |
|
"An SAProposal that is in the System.")] |
|
CIM_SAProposal REF Dependent; |
|
}; |
|
|
|
// ================================================================== |
|
// SATransformInSystem |
|
// ================================================================== |
|
[Association, Description ( |
|
"SATransformInSystem provides the scoping relationship for " |
|
"SATransforms in a System. The SATransform is weak to the " |
|
"System." ) ] |
|
|
|
// Scoping association: SATransform is Weak to System, so a transform's |
// identity (its key includes the System's) and lifetime follow the scoping |
// System. Min(1), Max(1): exactly one System per transform. |
class CIM_SATransformInSystem : CIM_PolicyInSystem |
|
{ |
|
[Override ("Antecedent"), Min (1), Max (1), Description ( |
|
"This property identifies a System scoping one or more " |
|
"transforms.") ] |
|
CIM_System REF Antecedent; |
|
|
|
[Override ("Dependent"), Weak, Description ( |
|
"An SATransform that is in the System.")] |
|
CIM_SATransform REF Dependent; |
|
}; |
|
|
|
// ================================================================== |
|
// HostedPeerIdentityTable |
|
// ================================================================== |
|
// Scoping association: PeerIdentityTable is Weak to exactly one System |
// (Min(1), Max(1)). The table's address-to-identity bindings are consumed |
// by IKE services (see IKEServicePeerIdentityTable), so the scoping System |
// is where those bindings are owned and should be administered. |
[Association, Description ("HostedPeerIdentityTable provides the " |
|
"scoping relationship for PeerIdentityTable entries in a " |
|
"System. The PeerIdentityTable is weak to the System." ) ] |
|
|
|
class CIM_HostedPeerIdentityTable: CIM_Dependency |
|
{ |
|
[Override ("Antecedent"), Min (1), Max (1), Description ( |
|
"This property identifies a System scoping one or more " |
|
"PeerIdentityTable instances.") ] |
|
CIM_System REF Antecedent; |
|
|
|
[Override ("Dependent"), Weak, Description ( |
|
"A PeerIdentityTable that is in the System.")] |
|
CIM_PeerIdentityTable REF Dependent; |
|
}; |
|
|
|
// ================================================================== |
|
// RuleThatGeneratedSA |
|
// ================================================================== |
|
// Provenance link from an SA back to the SARule that produced it. |
// Min(0): an SA need not reference any rule. |
// NOTE(review): for audit or incident review, an SA without this |
// association cannot be explained by policy (presumably a manually |
// configured one) and deserves a second look. |
[Association, Description ( |
|
"RuleThatGeneratedSA associates a SecurityAssociation with " |
|
"the rule used to generate (or negotiate) it.") ] |
|
|
|
class CIM_RuleThatGeneratedSA : CIM_Dependency |
|
{ |
|
[Override ("Antecedent"), Min (0), Max (1), |
|
Description ("SARule that led to the SecurityAssociation.") ] |
|
CIM_SARule REF Antecedent; |
|
|
|
[Override ("Dependent"), |
|
Description ("SecurityAssociation created using the rule.") ] |
|
CIM_SecurityAssociation REF Dependent; |
|
}; |
|
|
|
// ================================================================== |
|
// TransformOfSecurityAssociation |
|
// ================================================================== |
|
// Which SATransform an active IPsec SA uses (Min(1), Max(1): exactly one). |
// The Description deliberately excludes keying material; any provider |
// extension of this association must keep it that way -- keys exposed |
// through a management interface defeat the SA they protect. |
[Association, Description ( |
|
"TransformOfSecurityAssociation maps an SA with the transform " |
|
"it uses. For security reasons, no keying material of the SA " |
|
"is exposed." ) ] |
|
|
|
class CIM_TransformOfSecurityAssociation : CIM_Dependency |
|
{ |
|
[Override ("Antecedent"), Min (1), Max (1), |
|
Description ("Transform of this SA.") ] |
|
CIM_SATransform REF Antecedent; |
|
|
|
[Override ("Dependent"), |
|
Description ("Security association.") ] |
|
CIM_IPsecSecurityAssociation REF Dependent; |
|
}; |
|
|
|
// ================================================================== |
|
// PeerGatewayOfSecurityAssociation |
|
// ================================================================== |
|
// Peer security gateway of an SA. Max(1): at most one PeerGateway per SA; |
// no Min, so an SA whose peer is not a security gateway simply has none. |
[Association, Description ( |
|
"PeerGatewayOfSecurityAssociation identifies the PeerGateway " |
|
"of an SA that has a security gateway as the peer.") ] |
|
|
|
class CIM_PeerGatewayOfSecurityAssociation : CIM_Dependency |
|
{ |
|
[Override ("Antecedent"), Max (1), |
|
Description ("PeerGateway for the SA.") ] |
|
CIM_PeerGateway REF Antecedent; |
|
|
|
[Override ("Dependent"), |
|
Description ("Security association with the PeerGateway.") ] |
|
CIM_IPsecSecurityAssociation REF Dependent; |
|
}; |
|
|
|
// ================================================================== |
|
// IKEServicePeerGateway |
|
// ================================================================== |
|
// The PeerGateways an IKEService knows about for negotiating with security |
// gateways. No cardinality is constrained on either side, so a gateway may |
// be shared by several services and a service may know many gateways. |
[Association, Description ( |
|
"IKEServicePeerGateway provides the relationship between an " |
|
"IKEService and the list of PeerGateway instances that it " |
|
"uses in negotiating with security gateways.") ] |
|
|
|
class CIM_IKEServicePeerGateway : CIM_Dependency |
|
{ |
|
[Override ("Antecedent"), |
|
Description ("The PeerGateway") ] |
|
CIM_PeerGateway REF Antecedent; |
|
|
|
[Override ("Dependent"), Description ( |
|
"The IKEService that uses information about the " |
|
"peer gateway.") ] |
|
CIM_IKEService REF Dependent; |
|
}; |
|
|
|
// ================================================================== |
|
// IKEServiceForEndpoint |
|
// ================================================================== |
|
// Max(1): at most one IKEService negotiates for a given endpoint. No Min |
// ("if any" in the Description): an endpoint with no IKEService cannot |
// negotiate SAs dynamically, so presumably only preconfigured SAs, if any, |
// apply to it. |
[Association, Description ( |
|
"IKEServiceForEndpoint provides the relationship " |
|
"showing which IKE service, if any, provides IKE " |
|
"negotiation services for which network interfaces.") ] |
|
|
|
class CIM_IKEServiceForEndpoint : CIM_Dependency |
|
{ |
|
[Override ("Antecedent"), Max (1), |
|
Description ("The IKEService that performs IKE negotiation " |
|
"for the IPProtocolEndpoint.") ] |
|
CIM_IKEService REF Antecedent; |
|
|
|
[Override ("Dependent"), |
|
Description ("IPProtocolEndpoint for which services are " |
|
"provided.") ] |
|
CIM_IPProtocolEndpoint REF Dependent; |
|
}; |
|
|
|
// ================================================================== |
|
// IKEServicePeerIdentityTable |
|
// ================================================================== |
|
// Address-to-identity mapping used by an IKEService. |
// NOTE(review): these bindings presumably feed the service's decision about |
// which identity a peer at a given address is expected to present, so the |
// table contents are as security-sensitive as the credentials themselves. |
// No cardinality is constrained here; a service may use several tables. |
[Association, Description ( |
|
"IKEServicePeerIdentityTable provides the relationship " |
|
"between an IKEService and a PeerIdentityTable that it " |
|
"uses to map between addresses and identities where " |
|
"required.") ] |
|
|
|
class CIM_IKEServicePeerIdentityTable: CIM_Dependency |
|
{ |
|
[Override ("Antecedent"), |
|
Description ("The PeerIdentityTable.") ] |
|
CIM_PeerIdentityTable REF Antecedent; |
|
|
|
[Override ("Dependent"), |
|
Description ("The IKEService that uses the table.") ] |
|
CIM_IKEService REF Dependent; |
|
}; |
|
|
|
// ================================================================== |
|
// IKESAUsedForPhase2 |
|
// ================================================================== |
|
// Links a phase 2 (IPsec) SA to the phase 1 (IKE) SA that protected its |
// negotiation; Max(1) on the phase 1 side. Useful for forensics: an IPsec SA |
// can be traced to the IKE exchange -- and, via PeerCredential, to the |
// peer credential -- that produced it. |
[Association, Description ( |
|
"IKESAUsedForPhase2 associates a phase 1 " |
|
"IKESecurityAssociation with an " |
|
"IPsecSecurityAssociation that was negotiated using " |
|
"that Phase 1 SA.") ] |
|
|
|
class CIM_IKESAUsedForPhase2 : CIM_Dependency |
|
{ |
|
[Override ("Antecedent"), Max (1), Description ( |
|
"Phase 1 SA that protected the negotiation of " |
|
"the Phase 2 SA.") ] |
|
CIM_IKESecurityAssociation REF Antecedent; |
|
|
|
[Override ("Dependent"), Description ( |
|
"Phase 2 SA.") ] |
|
CIM_IPsecSecurityAssociation REF Dependent; |
|
}; |
|
|
|
// ================================================================== |
|
// PeerCredential |
|
// ================================================================== |
|
// Records the peer's Credential for an IKE SA (Max(1): at most one per SA). |
// NOTE(review): this is the authentication evidence for the SA; keeping it |
// populated is what makes "who did we actually negotiate with" answerable |
// after the fact. |
[Association, Description ( |
|
"PeerCredential is an association that identifies the " |
|
"credential of the peer corresponding to an IKE SA.") ] |
|
|
|
class CIM_PeerCredential : CIM_Dependency |
|
{ |
|
[Override ("Antecedent"), Max (1), |
|
Description ("Credential of the peer.") ] |
|
CIM_Credential REF Antecedent; |
|
|
|
[Override ("Dependent"), |
|
Description ("Phase 1 SA for this peer.") ] |
|
CIM_IKESecurityAssociation REF Dependent; |
|
}; |
|
|
|
// ================================================================== |
|
// IPProtocolEndpointsProtectionSuite |
|
// ================================================================== |
|
// Scoping association: IPsecProtectionSuite is Weak to exactly one |
// IPProtocolEndpoint (Min(1), Max(1)), so a suite's identity and lifetime |
// are tied to a single interface. |
[Association, Description ( |
|
"IPProtocolEndpointsProtectionSuite provides the " |
|
"relationship between an IPsecProtectionSuite and the scoping " |
|
"IPProtocolEndpoint for which the set of related SAs provide " |
|
"traffic protection. The IPsecProtectionSuite is weak to its " |
|
"IPProtocolEndpoint.") ] |
|
|
|
class CIM_IPProtocolEndpointsProtectionSuite: CIM_Dependency |
|
{ |
|
[Override ("Antecedent"), Min (1), Max (1), |
|
Description ( |
|
"An IPProtocolEndpoint for which protection is provided.") ] |
|
CIM_IPProtocolEndpoint REF Antecedent; |
|
|
|
[Override ("Dependent"), Weak, Description ( |
|
"A protection suite.") ] |
|
CIM_IPsecProtectionSuite REF Dependent; |
|
}; |
|
|
|
// ================================================================== |
|
// SecurityAssociationBindsTo |
|
// ================================================================== |
|
// Which interface an active SA lives on; Min(1), Max(1): exactly one |
// endpoint per SA. Together with FilterOfSecurityAssociation this says |
// what an active SA protects and where. |
[Association, Description ( |
|
"SecurityAssociationBindsTo associates an IPProtocolEndpoint " |
|
"with an active SecurityAssociation on that endpoint.") ] |
|
|
|
class CIM_SecurityAssociationBindsTo : CIM_BindsTo |
|
{ |
|
[Override ("Antecedent"), Min (1), Max (1), |
|
Description ( |
|
"IPProtocolEndpoint representing the network " |
|
"interface on which an SA is active." ) ] |
|
CIM_IPProtocolEndpoint REF Antecedent; |
|
|
|
[Override ("Dependent"), Description ( |
|
"Security association on the endpoint." ) ] |
|
CIM_SecurityAssociation REF Dependent; |
|
}; |
|
|
|
// ================================================================== |
|
// ProvidesSA |
|
// ================================================================== |
|
[Association, Description ( |
|
"ProvidesSA represents the relationship between an " |
|
"IKEService, which provides the negotiation functions, and a " |
|
"SecurityAssociation that the service manages." ) ] |
|
|
|
// Max(1): an SA is provided by at most one IKEService. No Min, so SAs not |
// produced by any IKEService (presumably preconfigured ones) are |
// representable without this association. |
class CIM_ProvidesSA: CIM_ProvidesEndpoint |
|
{ |
|
[Override ("Antecedent"), Max (1), Description ( |
|
"The IKEService that provides the SA.")] |
|
CIM_IKEService REF Antecedent; |
|
|
|
[Override ("Dependent"), Description ( |
|
"Security association provided by the service.") ] |
|
CIM_SecurityAssociation REF Dependent; |
|
}; |
|
|
|
// ================================================================== |
|
// IKEIdentitysCredential |
|
// ================================================================== |
|
// Local side: the Credentials behind the local IKE Identities. No |
// cardinality constraints in either direction. |
// NOTE(review): these are the credentials the local service authenticates |
// with; the Credential instances referenced here should not carry private |
// key material into the management plane. |
[Association, Description ( |
|
"IKEIdentitysCredential is an association that " |
|
"relates a set of credentials to their " |
|
"corresponding local IKE Identities." ) ] |
|
|
|
class CIM_IKEIdentitysCredential : CIM_UsersCredential |
|
{ |
|
[Override ("Antecedent"), Description ( |
|
"Credential of the Identity.") ] |
|
CIM_Credential REF Antecedent; |
|
|
|
[Override ("Dependent"), Description ( |
|
"Identity associated with the credential.") ] |
|
CIM_IKEIdentity REF Dependent; |
|
}; |
|
|
|
// ================================================================== |
|
// EndpointHasLocalIKEIdentity |
|
// ================================================================== |
|
[Association, Description ( |
|
"EndpointHasLocalIKEIdentity associates an " |
|
"IPProtocolEndpoint with a set of IKE " |
|
"Identities that may be used in negotiating " |
|
"SAs on the endpoint. " ) ] |
|
|
|
// Max(1): an IKEIdentity belongs to at most one IPProtocolEndpoint; an |
// endpoint may have several identities (no Max on Dependent). |
class CIM_EndpointHasLocalIKEIdentity : CIM_ElementAsUser |
|
{ |
|
[Override ("Antecedent"), Max (1), Description ( |
|
"IPProtocolEndpoint that has an IKE identity.") ] |
|
CIM_IPProtocolEndpoint REF Antecedent; |
|
|
|
[Override ("Dependent"), Description ( |
|
"An IKE Identity for the endpoint.") ] |
|
CIM_IKEIdentity REF Dependent; |
|
}; |
|
|
|
// ================================================================== |
|
// CollectionHasLocalIKEIdentity |
|
// ================================================================== |
|
// Max(1): an IKEIdentity belongs to at most one Collection; a Collection |
// may have several identities (no Max on Dependent). Collection-level |
// identities apply to every endpoint in the Collection. |
[Association, Description ( |
|
"CollectionHasLocalIKEIdentity associates a Collection " |
|
"of IPProtocolEndpoints with a set of IKE Identities " |
|
"that may be used in negotiating SAs for " |
|
"these endpoints.") ] |
|
|
|
class CIM_CollectionHasLocalIKEIdentity : CIM_ElementAsUser |
|
{ |
|
[Override ("Antecedent"), Max (1), Description ( |
|
"Collection that has an Identity.") ] |
|
CIM_Collection REF Antecedent; |
|
|
|
[Override ("Dependent"), Description ( |
|
"IKE Identity used for the Collection.") ] |
|
CIM_IKEIdentity REF Dependent; |
|
}; |
|
|
|
// ================================================================== |
|
// ContainedTransform |
|
// ================================================================== |
|
// Transforms of a proposal: same-type transforms are alternatives (OR), |
// different types are required together (AND); see the Description. |
// Min(1): a proposal aggregates at least one transform. |
// NOTE(review): as with ContainedProposal, SequenceNumber only records the |
// sender's preference; give the strongest alternative of each type the |
// lowest SequenceNumber so a peer that takes the first acceptable transform |
// cannot end up on the weakest one. |
[Association, Aggregation, Description ( |
|
"ContainedTransform associates a proposal with its set " |
|
"of transforms. If multiple transforms of a given type are " |
|
"in a given proposal, these transforms are interpreted as " |
|
"alternatives -- logically ORed with each other. Sets of " |
|
"transforms of different types are logically ANDed. For " |
|
"example, a proposal aggregating two AH transforms and three " |
|
"ESP transforms means one of the AH transforms must be chosen " |
|
"AND one of the ESP transforms must be chosen.") ] |
|
|
|
class CIM_ContainedTransform : CIM_PolicyComponent |
|
{ |
|
[Aggregate, Override ("GroupComponent"), Description ( |
|
"Proposal containing transforms.") ] |
|
CIM_IPsecProposal REF GroupComponent; |
|
|
|
[Override ("PartComponent"), Min (1), Description ( |
|
"Transforms in the proposal.") ] |
|
CIM_SATransform REF PartComponent; |
|
|
|
[Description ( |
|
"SequenceNumber indicates the ordering to be used when " |
|
"choosing from among the transforms; lower values are " |
|
"preferred by the sender.")] |
|
uint16 SequenceNumber; |
|
}; |
|
|
|
// ================================================================== |
|
// ContainedSA |
|
// ================================================================== |
|
// SAs making up a protection suite. Min(2), Max(6) on Member bound only |
// the count; the pairing the Description calls for (a send/receive pair |
// for each of AH, ESP, IPCOMP) is not enforced -- 3 or 5 members satisfy |
// the cardinality. Check pairing wherever instances are validated. |
[Association, Aggregation, Description ( |
|
"ContainedSA associates a protection suite with its member " |
|
"IPsec security associations. Security associations are " |
|
"contained in sending/receiving pairs and there may be any or " |
|
"all of an AH pair, ESP pair or an IPCOMP pair of SAs.") ] |
|
|
|
class CIM_ContainedSA : CIM_MemberOfCollection |
|
{ |
|
[Aggregate, Override ("Collection"), Min (1), Max (1), |
|
Description ( |
|
"Protection suite.") ] |
|
CIM_IPsecProtectionSuite REF Collection; |
|
|
|
[Override ("Member"), Min (2), Max (6), Description ( |
|
"Contained SAs.") ] |
|
CIM_IPsecSecurityAssociation REF Member; |
|
}; |
|
|
|
// ================================================================== |
|
// PeerIdentityMember |
|
// ================================================================== |
|
// Weak aggregation of PeerIdentityEntry instances into exactly one |
// PeerIdentityTable (Min(1), Max(1)); an entry's identity is scoped by its |
// table. |
[Association, Aggregation, Description ( |
|
"PeerIdentityMember aggregates PeerIdentityEntry " |
|
"instances into a PeerIdentityTable. This is a " |
|
"weak aggregation.") ] |
|
|
|
class CIM_PeerIdentityMember : CIM_MemberOfCollection |
|
{ |
|
[Aggregate, Override ("Collection"), Min (1), Max (1), |
|
Description ( |
|
"Aggregating PeerIdentityTable.") ] |
|
CIM_PeerIdentityTable REF Collection; |
|
|
|
[Override ("Member"), Weak, Description ( |
|
"Table entry") ] |
|
CIM_PeerIdentityEntry REF Member; |
|
}; |
|
|
|
// ================================================================== |
|
// PeerGatewayForTunnel |
|
// ================================================================== |
|
// Candidate PeerGateways for a tunnel action, evaluated in SequenceNumber |
// order (lower first); no Max on Antecedent, so several may be listed. |
// NOTE(review): every gateway in the list must be equally trusted, since a |
// lower-ranked one is presumably used when the preferred one is not |
// selected. |
[Association, Description ( |
|
"PeerGatewayForTunnel identifies the PeerGateway to be used " |
|
"in constructing a tunnel. " ) ] |
|
|
|
class CIM_PeerGatewayForTunnel : CIM_Dependency |
|
{ |
|
[Override ("Antecedent"), Description ( |
|
"PeerGateway for the SA. " ) ] |
|
CIM_PeerGateway REF Antecedent; |
|
|
|
[Override ("Dependent"), Description ( |
|
"IPsecTunnelAction that requires a PeerGateway. " ) ] |
|
CIM_IPsecTunnelAction REF Dependent; |
|
|
|
[Description ("SequenceNumber indicates the ordering to be " |
|
"used when selecting a PeerGateway instance for an " |
|
"IPsecTunnelAction. Lower values are " |
|
"evaluated first. " ) ] |
|
uint16 SequenceNumber; |
|
}; |
|
|
|
// ================================================================== |
|
// PeerGatewayForPreconfiguredTunnel |
|
// ================================================================== |
|
// Max(1): a preconfigured tunnel has at most one PeerGateway and, unlike |
// PeerGatewayForTunnel, no ordering or alternatives. |
[Association, Description ( |
|
"PeerGatewayForPreconfiguredTunnel identifies the PeerGateway " |
|
"to be used in constructing a preconfigured tunnel. " ) ] |
|
|
|
class CIM_PeerGatewayForPreconfiguredTunnel : CIM_Dependency |
|
{ |
|
[Override ("Antecedent"), Max (1), Description ( |
|
"PeerGateway for the preconfigured SA. " ) ] |
|
CIM_PeerGateway REF Antecedent; |
|
|
|
[Override ("Dependent"), Description ( |
|
"PreconfiguredTunnelAction that requires a PeerGateway. " ) ] |
|
CIM_PreconfiguredTunnelAction REF Dependent; |
|
}; |
|
|
|
// ================================================================== |
|
// HostedPeerGatewayInformation |
|
// ================================================================== |
|
// Scoping association: PeerGateway is Weak to exactly one System |
// (Min(1), Max(1)); gateway definitions live with, and are administered |
// on, the System whose IKE services use them. |
[Association, Description ( |
|
"HostedPeerGatewayInformation provides the scoping " |
|
"association for PeerGateway information used by IKE " |
|
"services to identify PeerGateways used in a policy." ) ] |
|
|
|
class CIM_HostedPeerGatewayInformation : CIM_Dependency |
|
{ |
|
[Override ("Antecedent"), Min (1), Max (1), |
|
Description ( |
|
"Scoping System.") ] |
|
CIM_System REF Antecedent; |
|
|
|
[Override ("Dependent"), Weak, Description ( |
|
"PeerGateway.") ] |
|
CIM_PeerGateway REF Dependent; |
|
}; |
|
// |
|
|
|
// ================================================================== |
|
// IKEAutostartConfiguration |
|
// ================================================================== |
|
[Association, Description ("IKEAutostartConfiguration " |
|
"provides the relationship between an IKEService and a " |
|
"configuration set that it uses to automatically start a set " |
|
"of SAs.")] |
|
class CIM_IKEAutostartConfiguration: CIM_Dependency |
|
{ |
|
[Override ("Antecedent"), |
|
Description ("The configuration used.") ] |
|
CIM_AutostartIKEConfiguration REF Antecedent; |
|
[Override ("Dependent"), |
|
Description ("The IKEService that uses the configuration.") ] |
|
CIM_IKEService REF Dependent; |
|
[Description ("Active indicates whether the configuration set " |
|
"is currently active for the associated IKEService. That is, " |
|
"at boot time, the active configuration is used to autostart " |
|
"IKE negotiations and create static SAs as appropriate. At most " |
|
"one configuration per IKEService is expected to be Active.")] |
|
boolean Active; |
|
}; |
|
|
|
// ================================================================== |
|
// IKEAutostartSetting |
|
// ================================================================== |
|
// Direct IKEService-to-AutostartIKESetting link (an ElementSetting); |
// contrast IKEAutostartConfiguration, which reaches settings through a |
// configuration set. No cardinality is constrained on either side. |
[Association, Description ("IKEAutostartSetting associates an " |
|
"IKEService and an AutostartIKESetting that it uses to " |
|
"automatically start negotiating one or more SAs.") ] |
|
class CIM_IKEAutostartSetting : CIM_ElementSetting |
|
{ |
|
[Override ("Element"), |
|
Description ("IKEService that uses the setting.") ] |
|
CIM_IKEService REF Element; |
|
|
|
[Override ("Setting"), Description ("Setting that tells the " |
|
"IKEService what to negotiate.") ] |
|
CIM_AutostartIKESetting REF Setting; |
|
}; |
|
|
|
// ================================================================== |
|
// AutostartIKESettingContext |
|
// ================================================================== |
|
// Settings grouped into an AutostartIKEConfiguration. Note that the |
// SequenceNumber convention here differs from the other SequenceNumber |
// properties in this file: 0 means "order not significant, may run in |
// parallel", and equal non-zero values are unordered relative to each |
// other; elsewhere lower simply means preferred or evaluated first. |
[Association, Aggregation, Description ( |
|
"AutostartIKESettingContext aggregates the settings used to " |
|
"autostart SA negotiations into a configuration set.") ] |
|
class CIM_AutostartIKESettingContext : CIM_SystemSettingContext |
|
{ |
|
[Aggregate, Override ("Context"), |
|
Description ("A configuration set.") ] |
|
CIM_AutostartIKEConfiguration REF Context; |
|
|
|
[Override ("Setting"), Description ("A setting that is part " |
|
"of the configuration set.") ] |
|
CIM_AutostartIKESetting REF Setting; |
|
[Description ("SequenceNumber indicates the ordering to be " |
|
"used when starting negotiations or creating a static SA. " |
|
"A zero value indicates that order is not significant and " |
|
"settings may be applied in parallel with other settings. " |
|
"All other settings in the configuration are executed in " |
|
"sequence from lower values to high. Sequence numbers need " |
|
"not be unique in an AutostartIKEConfiguration and order is " |
|
"not significant for settings with the same sequence number.")] |
|
uint16 SequenceNumber; |
|
}; |
|
|
|
|
|
// =================================================================== |
|
// end of file |
|
// =================================================================== |