1 mike 1.2 // ===================================================================
2 // Title: Network MOF Specification 2.6 for IPsec Policy
3 // Filename: CIM_Network26_Add.mof
4 // Version: 2.6
5 // Release: 0
6 // Date: 05/22/2001
7 // ===================================================================
8 // Copyright "2001" Distributed Management Task Force, Inc. (DMTF).
9 // All rights reserved.
10 // DMTF is a not-for-profit association of industry members dedicated
11 // to promoting enterprise and systems management and interoperability.
12 // DMTF specifications and documents may be reproduced for uses
13 // consistent with this purpose by members and non-members,
14 // provided that correct attribution is given.
15 // As DMTF specifications may be revised from time to time,
16 // the particular version and release cited should always be noted.
17 // Authors: DMTF Network Working Group
18 // Editors: Victor Lortz, Lee Rafalow, John Strassner
19 // Last update: Lee Rafalow, 05/22/2001
20 //
// Description: These object classes define the IPsec policy model
// for CIM and include the classes needed to represent
// IKE negotiations and the resulting security
// associations.
25 //
26 // The object classes below are listed in an order that
27 // avoids forward references. Required objects, defined
28 // by other working groups, are omitted.
29 //
30 // Changes to initial V2.5 "Preliminary Standard" Release for V2.6:
31 // CIMCR599 - Updates to IPsec Model to match IETF IPSP Model
32 // -Update IKERule & IPsecRule descriptions for static
33 // actions
34 // -Update IPsecPolicyForSystem to correct the System
35 // cardinality and descriptions
// -Change SAProposal and SATransform to be weak to
// System instead of weak to PolicyRepository by changing
// SAProposalInPolicyRepository to SAProposalInSystem and
// SATransformInPolicyRepository to SATransformInSystem
40 // -Add DFHandling to PreconfiguredTunnelAction and
41 // IPsecSecurityAssociation
42 // -Add UseReplayPrevention & ReplayPreventionWindowSize
43 mike 1.2 // to AHTransform & ESPTransform
44 // -Clarify SecurityAssociation description
45 // -Clarify SACondition description to include evaluation
46 // semantics
47 // -Clarify IPsecPolicyGroup description to include decision
48 // strategy semantics & use of PolicySetComponent instead of
49 // IPsecPolicyGroupInPolicyGroup
50 // -Clarify SAActionInRule to include action sequencing
51 // semantics
52 // -Clarify IKERejectAction description
53 // -Clarify PeerIdentityEntry.PeerIdentity description
54 // -Fixed PeerIdentityEntry.PeerAddress description
55 // -Fixed AutostartIKESetting description
56 // -Clarified IKEIdentity description
57 // -Clarified AutostartIKESettingContext description
58 // -Clarified IKEAutostartConfiguration.Active description
59 // -Changed CIM_IPsecContainedTransform to
60 // CIM_ContainedTransform
61 // -Fixed PeerGatewayForTunnel.SequenceNumber description
62 // -Added TransformOfPreconfiguredAction.SPI
63 // -Added SAActionInRule.FallbackOrder and change semantic
64 mike 1.2 // of ActionOrder
65 // -Added PeerGatewayForPreconfiguredTunnel &
66 // deleted PreconfiguredTunnelAction PeerGateway properties
67 // -Remove IPsecPolicyGroupInPolicyGroup in favor of
68 // PolicySetComponent
// -SARule description changed to reflect use of
// PolicySetComponent.Priority instead of PolicyRule.Priority
71 // -Add override description for SARule.ExecutionStrategy
72 // CIMCR593 - Correct Typos in Propagated Keys in IPsec model
73 // -Correct PeerIdentityEntry propagated keys
74 // -Correct IPsecProtectionSuite propagated keys
75 //
76 // ===================================================================
77 // Generic Pragmas
78 // ===================================================================
79
// Locale for the Description qualifier strings in this file (en_US).
#pragma Locale ("en_US")
81
82 // ==================================================================
83 // SACondition
84 // ==================================================================
// SACondition is the condition anchor for IKE and IPsec rules. It declares no
// properties of its own; filters and credential-acceptance checks are attached
// through the associations named in the Description (SAConditionInRule,
// FilterOfSACondition, AcceptCredentialsFrom).
// NOTE(review): the evaluation semantics below treat a condition component
// that has no value to compare against as TRUE until the protocol completes
// without supplying it. A rule set should therefore not rely on such a
// component alone (e.g. a credential filter) for an access decision — confirm
// against the implementation's rule evaluator.
[Description (
    "SACondition defines the conditions of rules for IKE or "
    "IPsec negotiations. Conditions are associated with policy "
    "rules via the SAConditionInRule aggregation. It is used as "
    "an anchor point to associate various types of filters with "
    "policy rules via the FilterOfSACondition association. It "
    "also defines whether Credentials can be accepted for a "
    "particular policy rule via the AcceptCredentialsFrom "
    "association. \n"
    "\n"
    "Associated objects represent components of the condition "
    "that may or may not apply at a given rule evaluation. For "
    "example, an AcceptCredentialsFrom evaluation is only "
    "performed when a credential is available to be evaluated "
    "against the list of trusted credential management services. "
    "Similarly, a PeerIDPayloadFilterEntry may only be evaluated "
    "when an IDPayload value is available to compared with the "
    "filter. Condition components that do not have corresponding "
    "values with which to evaluate are evaluated as TRUE unless "
    "the protocol has completed without providing the required "
    "information.") ]

class CIM_SACondition : CIM_PolicyCondition
{
};
110
111 // ==================================================================
112 // CredentialFilterEntry
113 // ==================================================================
// CredentialFilterEntry matches a sub-field of a peer's Phase 1 credential.
// MatchFieldName and MatchFieldValue form a pair (cross-referenced by
// ModelCorrespondence); how MatchFieldName is interpreted depends on the
// CredentialManagementService(s) reached via AcceptCredentialsFrom.
[Description (
    "A CredentialFilterEntry is used to define an equivalence "
    "class that match credentials of IKE peers. Each "
    "CredentialFilterEntry includes a MatchFieldName that is "
    "interpreted according to the CredentialManagementService(s) "
    "associated with the SACondition (AcceptCredentialsFrom). "
    "These credentials can be X.509 certificates, Kerberos "
    "tickets, or other types of credentials obtained during the "
    "Phase 1 exchange. " ) ]

class CIM_CredentialFilterEntry : CIM_FilterEntryBase
{
    // Name of the credential sub-part to compare (service-specific syntax).
    [Description (
        "MatchFieldName specifies the sub-part of the credential to "
        "match against MatchFieldValue."),
        ModelCorrespondence {
        "CIM_CredentialFilterEntry.MatchFieldValue" } ]
    string MatchFieldName;

    // Expected value of the sub-part named by MatchFieldName.
    [Description (
        "MatchFieldValue specifies the value to compare with the "
        "MatchFieldName in a credential to determine if the "
        "credential matches this filter entry."),
        ModelCorrespondence {
        "CIM_CredentialFilterEntry.MatchFieldName" } ]
    string MatchFieldValue;

    // Only two credential types are enumerated here; the "other types"
    // mentioned in the class Description have no value in this map.
    [Description (
        "CredentialType is an enumerated 16-bit unsigned integer that "
        "is used to specify the particular type of credential that is "
        "being matched. " ),
        ValueMap { "1", "2" },
        Values { "X.509 Certificate", "Kerberos Ticket" } ]
    uint16 CredentialType;
};
149
150 // ==================================================================
151 // IPSOFilterEntry
152 // ==================================================================
// IPSOFilterEntry matches traffic on the IP Security Option (RFC 1108) header.
// MatchConditionType selects which IPSO field is compared; the meaning of
// MatchConditionValue therefore depends on MatchConditionType (the two are
// cross-referenced by ModelCorrespondence).
[Description (
    "An IPSOFilterEntry is used to match traffic based on the "
    "IP Security Options header values (ClassificationLevel "
    "and ProtectionAuthority) as defined in RFC1108. This type "
    "of FilterEntry is used to adjust the IPsec encryption level "
    "according to the IPSO classification of the traffic (e.g., "
    "secret, confidential, restricted, etc." ) ]

class CIM_IPSOFilterEntry : CIM_FilterEntryBase
{
    // 1 = compare the classification level, 2 = compare the protection
    // authority.
    [Description (
        "MatchConditionType specifies whether to match based on "
        "traffic classification level or protection authority."),
        ValueMap { "1", "2"},
        Values {"ClassificationLevel", "ProtectionAuthority" },
        ModelCorrespondence {
        "CIM_IPSOFilterEntry.MatchConditionValue" } ]
    uint16 MatchConditionType;

    // Raw field value; the legal values listed in the Description are the
    // RFC 1108 encodings and are only meaningful for the selected type.
    [Description (
        "This is the value of the IPSO field type. For "
        "ClassificationLevel, the values are:\n"
        "61=TopSecret, 90=Secret, 150=Confidential, "
        "171=Unclassified.\n"
        "\n"
        "For ProtectionAuthority, the values are:\n"
        "0=GENSER, 1=SIOP-ESI, 2=SCI, 3=NSA, 4=DOE."),
        ModelCorrespondence {
        "CIM_IPSOFilterEntry.MatchConditionType" } ]
    uint16 MatchConditionValue;
};
184
185 // ==================================================================
186 // PeerIDPayloadFilterEntry
187 // ==================================================================
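// PeerIDPayloadFilterEntry matches the identity the peer asserts in its IKE ID
// payload. MatchIdentityType names the ID type and MatchIdentityValue the
// pattern to compare (the two are cross-referenced by ModelCorrespondence).
// NOTE(review): the ID payload is a peer-supplied value; whether it is bound
// to an authenticated credential is determined by the Phase 1 authentication,
// not by this filter. Rule authors typically pair this filter with a
// CredentialFilterEntry / AcceptCredentialsFrom check — confirm for your
// deployment.
// Fixes: Description typos "indentity" -> "identity" and "e,g," -> "e.g.,".
[Description (
    "PeerIDPayloadFilterEntry defines filters used to match ID "
    "payload values from the IKE protocol exchange." ) ]

class CIM_PeerIDPayloadFilterEntry : CIM_FilterEntryBase
{
    // The eleven ID types enumerated here mirror those of
    // CIM_IKEAction.UseIKEIdentityType in this file.
    [Description (
        "MatchIdentityType specifies the type of identity provided "
        "by the peer in the ID payload." ),
        ValueMap
        {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
        Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
        "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
        "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
        ModelCorrespondence {
        "CIM_PeerIDPayloadFilterEntry.MatchIdentityValue" } ]
    uint16 MatchIdentityType;

    // Pattern to match; for DN types the string form must be converted to
    // DER (or the payload decoded) before comparison, as the Description notes.
    [Description (
        "MatchIdentityValue is the filter value for comparison with "
        "the ID payload, e.g., \"*@company.com\". The syntax may need "
        "to be converted for comparison. For example, if the type "
        "of identity is a distinguished name, \"DER_ASN1_DN,\" the "
        "MatchIdentityValue is represented by a DN string value "
        "and this value must be converted into a DER-encoded string "
        "before it can be matched against the values extracted from "
        "IKE ID payloads at runtime (or vice-versa). " ),
        ModelCorrespondence {
        "CIM_PeerIDPayloadFilterEntry.MatchIdentityType" } ]
    string MatchIdentityValue;
};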
219
220
221 // ==================================================================
222 // IPsecPolicyGroup
223 // ==================================================================
// IPsecPolicyGroup is the container for an IPsec policy's rules. It declares
// no properties; scoping (PolicyGroupInSystem), applicability
// (IPsecPolicyForSystem / IPsecPolicyForEndpoint), rule membership
// (RuleForIKENegotiation / RuleForIPsecNegotiation) and nesting
// (PolicySetComponent) are all expressed through associations.
// Decision strategy per the Description: rules are evaluated in priority
// order and the first match wins, separately for the IKE and IPsec rule lists.
[Description (
    "IPsecPolicyGroup aggregates the set of rules of an IPsec "
    "policy. These groups are weak to a System via the "
    "PolicyGroupInSystem association. \n\n"
    "The IPsecPolicyForSystem and IPsecPolicyForEndpoint "
    "associations are used to specify the System and/or "
    "IPProtocolEndpoints to which an IPsecPolicyGroup applies. "
    "(Examples of a System and an IPProtocolEndpoint are a router "
    "and a router interface, respectively.)\n\n"
    "The RuleForIKENegotiation aggregates the phase 1 IKE "
    "negotiation rules that are part of the group; the "
    "RuleForIPsecNegotiation aggregates the phase 2 IKE "
    "negotiation rules. \n\n"
    "The PolicySetComponent aggregation is used to define a "
    "nested group of IPsec policy groups, with each policy group "
    "containing one or more rules.\n\n"
    "Any nested groups of rules are prioritized with respect to "
    "one another and the aggregated rules are evaluated using a "
    "'first match' decision strategy, i.e., when evaluating the "
    "list of IKE rules, they are evaluated in priority order "
    "until a match is found and when evaluating the list of "
    "IPsec rules, they are evaluated in priority order until a "
    "match is found." ) ]

class CIM_IPsecPolicyGroup: CIM_PolicyGroup
{
};
251
252 // ==================================================================
253 mike 1.2 // SARule
254 // ==================================================================
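// SARule is the common base of IKERule and IPsecRule. It is concrete only so
// that associations can be anchored on it; instances are not expected.
// Fix: the ExecutionStrategy override had ValueMap and Values swapped (the
// integer code belongs in ValueMap, the label in Values), unlike every other
// enumeration in this file.
[Description (
    "SARule is a base class for defining IKE and IPsec Rules. "
    "Although concrete, it is not intended to be instantiated. "
    "It defines a common anchor point for defining associations "
    "and aggregations to conditions, actions, and security "
    "associations (SAs) for both types of rules. Each valid "
    "IPsecPolicyGroup must contain SARules that each have a "
    "unique associated priority number in "
    "PolicySetComponent.Priority. " ) ]

class CIM_SARule: CIM_PolicyRule
{
    // Role gate checked before a new phase 1 / phase 2 negotiation starts;
    // per the Description it does not affect renegotiation or refresh of an
    // SA that already exists.
    [Description (
        "LimitNegotiation is used as part of processing either an "
        "IKE or an IPsec rule. Before proceeding with either a "
        "phase 1 or a phase 2 negotiation, this property "
        "is checked to determine if the negotiation role of the rule "
        "matches that defined for the negotiation being undertaken "
        "(e.g., Initiator, Responder, or Both). If this check fails, "
        "then the IKE negotiation is stopped. Note that this only "
        "applies to new IKE negotiations and has no effect on either "
        "renegotiation or refresh operations with peers for which "
        "an established SA already exists. " ),
        ValueMap { "1", "2", "3" },
        Values { "Initiator-only", "Responder-Only", "Either"} ]
    uint16 LimitNegotiation;

    // Only 'Do All' (code 2) is permitted for SARule.
    // NOTE(review): this Description names SAActionInRule.FallbackAction,
    // while the file header's change list says SAActionInRule.FallbackOrder
    // was added; one of the two looks stale — confirm against the
    // SAActionInRule definition (not in this file).
    [Override("ExecutionStrategy"), Description (
        "ExecutionStrategy defines the strategy to be used in "
        "executing the sequenced actions aggregated by this "
        "PolicyRule.\n"
        "\n"
        "In SARule, ExecutionStrategy MUST be set to 'Do All'. "
        "SAActionInRule.FallbackAction is used to control the "
        "fallback behavior."),
        ValueMap {"2"}, Values {"Do All"}]
    uint16 ExecutionStrategy;
};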
292
293 // ==================================================================
294 // IKERule
295 mike 1.2 // ==================================================================
// IKERule: a phase 1 (IKE) rule. Adds IdentityContexts, which together with
// CIM_IKEAction.UseIKEIdentityType selects the IKEIdentity to present.
[Description (
    "IKERule contains the Conditions and Actions for IKE phase 1 "
    "negotiations or to specify static actions such as Discard. "
    "The conditions and actions are contained in one or more "
    "IPsecPolicyGroup classes. ") ]

class CIM_IKERule : CIM_SARule
{
    // Per the Description: each array element is an ANDed list; distinct
    // elements are ORed with each other.
    [Description (
        "IdentityContexts is a string array that corresponds to an "
        "ANDed list of values. If multiple strings exist, then they "
        "are to be logically ORed with each other. This property is "
        "used to establish a phase 1 IKE SA by using this property "
        "in conjunction with the UseIKEIdentityType property in the "
        "corresponding IKEAction. These two properties are then "
        "used to find an appropriate IKEIdentity object for use on "
        "the protected IPProtocolEndpoint." ),
        ModelCorrespondence { "CIM_IKEIdentity.IdentityContexts" } ]
    string IdentityContexts [];
};
316 mike 1.2
317 // ==================================================================
318 // IPsecRule
319 // ==================================================================
// IPsecRule: a phase 2 (IPsec) rule. It adds nothing to SARule; it exists so
// phase 2 rules can be distinguished from IKERule and aggregated separately
// (RuleForIPsecNegotiation).
[Description (
    "IPsecRule contains the Conditions and Actions for phase 2 "
    "negotiations or to specify static actions such as Discard. "
    "The conditions and actions are contained in one or more "
    "IPsecPolicyGroup classes. " ) ]

class CIM_IPsecRule : CIM_SARule
{
};
329
330 // ==================================================================
331 // SAAction
332 // ==================================================================
// SAAction: common base for static and negotiated actions. The two logging
// flags are the only properties; they are the model's hook for audit
// visibility of policy decisions (per action vs. per packet).
[Description (
    "SAAction is the base class for the various types of IKE or "
    "IPsec actions and, although concrete, it is not intended to "
    "be instantiated. It is used for aggregating different "
    "types of actions to IKE and IPsec rules. " ) ]

class CIM_SAAction : CIM_PolicyAction
{
    // Log once when the action itself is carried out.
    [Description (
        "DoActionLogging causes a log message to be generated when "
        "the action is performed. " ) ]
    boolean DoActionLogging;

    // Log for each packet the action is applied to.
    [Description (
        "DoPacketLogging causes a log message to be generated when "
        "the action is applied to a packet. " ) ]
    boolean DoPacketLogging;
};
351
352
353 // ==================================================================
354 // SAStaticAction
355 // ==================================================================
// SAStaticAction: base for actions that need no IKE negotiation
// (bypass, discard, reject, preconfigured SAs).
[Description (
    "SAStaticAction is the base class for both IKE as well as "
    "IPsec actions that require no negotiation. Although this "
    "class is concrete, it is not intended to be instantiated. " ) ]

class CIM_SAStaticAction : CIM_SAAction
{
    // 0 = no expiry. The Description notes a non-zero value is typically
    // used when this static action is the fallback for a failed negotiation.
    [Description (
        "LifetimeSeconds specifies how long the SA derived from this "
        "action should be used. A value of 0 means infinite "
        "lifetime. A non-zero value is typically used when the "
        "negotiation fails. " ),
        Units ("Seconds") ]
    uint32 LifetimeSeconds;
};
371
372 // ==================================================================
373 // PreconfiguredSAAction
374 // ==================================================================
// PreconfiguredSAAction: base for manually keyed SAs (no IKE). The SPI is
// carried on the TransformOfPreconfiguredAction association, not here.
// NOTE(review): key material is not modelled in this class; where the
// hard-wired keys live is not shown in this file — confirm before assuming
// they are held in the CIM repository.
[Description (
    "Subclasses of PreconfiguredSAAction is used to create SAs "
    "using preconfigured, hard-wired algorithms and keys. No "
    "negotiation is necessary. Note that the SPI for a "
    "preconfigured SA action is contained in the association, "
    "TransformOfPreconfiguredAction. " ) ]

class CIM_PreconfiguredSAAction : CIM_SAStaticAction
{
    // Free-form protocol name; no enumeration is defined for it here.
    [Description (
        "ProtocolType defines the type of protocol being used by "
        "this static action. " ) ]
    string ProtocolType;

    // Byte-volume limit complementing the inherited LifetimeSeconds.
    [Description (
        "LifetimeKilobytes defines a traffic limit in kilobytes "
        "that can be consumed before the SA is deleted. " ) ]
    uint32 LifetimeKilobytes;
};
394
395 // ==================================================================
396 // PreconfiguredTransportAction
397 // ==================================================================
// PreconfiguredTransportAction: manually keyed SA in transport mode. No
// properties beyond PreconfiguredSAAction.
[Description (
    "PreconfiguredTransportAction is used to create Transport "
    "SAs using preconfigured, hard-wired algorithms and keys. No "
    "negotiation is necessary. Note that the SPI for a "
    "preconfigured SA action is contained in the association, "
    "TransformOfPreconfiguredAction. " ) ]

class CIM_PreconfiguredTransportAction : CIM_PreconfiguredSAAction
{
};
408
409 // ==================================================================
410 // PreconfiguredTunnelAction
411 // ==================================================================
// PreconfiguredTunnelAction: manually keyed SA in tunnel mode.
// NOTE(review): the Description still speaks of "PeerGateway address
// information" on this class, but the file header says the PeerGateway
// properties were removed in favour of the PeerGatewayForPreconfiguredTunnel
// association; the sentence looks stale — confirm.
[Description (
    "PreconfiguredTunnelAction is used to create Tunnel SAs "
    "using preconfigured, hard-wired algorithms and keys. No "
    "negotiation is necessary. Note that the SPI for a "
    "preconfigured SA action is contained in the association, "
    "TransformOfPreconfiguredAction. The PeerGateway address "
    "information is provided when the tunnel peer is a security "
    "gateway." ) ]

class CIM_PreconfiguredTunnelAction : CIM_PreconfiguredSAAction
{
    // Same enumeration as CIM_IPsecTunnelAction.DFHandling in this file.
    [Description (
        "DFHandling controls how the Don't Fragment bit "
        "is managed by the tunnel. " ),
        ValueMap {"1", "2", "3"},
        Values {"Copy", "Set", "Clear"}]
    uint16 DFHandling;
};
430
431 // ==================================================================
432 // IPsecBypassAction
433 // ==================================================================
// IPsecBypassAction: permit traffic without IPsec protection (cleartext).
[Description (
    "IPsecBypassAction is used to cause access to be permitted "
    "without invoking the use of IPsec. Packets are forwarded "
    "in the clear. " ) ]

class CIM_IPsecBypassAction : CIM_SAStaticAction
{
};
442 mike 1.2
443 // ==================================================================
444 // IPsecDiscardAction
445 // ==================================================================
// IPsecDiscardAction: deny traffic by dropping packets.
[Description (
    "IPsecDiscardAction is used to cause access to be denied. "
    "That is, packets are simply discarded. " ) ]

class CIM_IPsecDiscardAction : CIM_SAStaticAction
{
};
453
454 // ==================================================================
455 // IKERejectAction
456 // ==================================================================
// IKERejectAction: terminate an IKE negotiation. The Description gives the two
// intended uses: paired with an address filter on UDP/500 to limit exposure
// to negotiation floods, or as the default (lowest-priority) IKE rule.
[Description ("IKERejectAction is used to cause an IKE "
    "negotiation to be terminated. For example, it can be used "
    "in conjunction with an address filter on UDP port 500 to "
    "reduce DoS vulnerability or it can be used on a low priority "
    "rule to explicitly define the default action for IKE "
    "negotiations.")]

class CIM_IKERejectAction : CIM_SAStaticAction
{
};
467
468 // ==================================================================
469 // SANegotiationAction
470 // ==================================================================
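// SANegotiationAction: parameters common to negotiated (IKE phase 1 / phase 2)
// actions. The Min* floors exist, per their Descriptions, to resist
// denial-of-service via very short proposed lifetimes; the Refresh* values are
// percentages despite the "Seconds"/"Kilobytes" suffix in their names.
// Fix: RefreshThresholdKilobytes' Description lacked the space between "SA"
// and "kilobyte" (the strings concatenate), reading "SAkilobyte limit".
[Description (
    "SANegotiationAction is the base class for negotiated SAs "
    "and, although concrete, is not intended to be instantiated. "
    "It specifies the common parameters that control the IKE "
    "phase 1 and phase 2 key exchange negotiations. " ) ]

class CIM_SANegotiationAction : CIM_SAAction
{
    // Lower bound on an acceptable time lifetime.
    [Description (
        "MinLifetimeSeconds prevents certain denial of service "
        "attacks based on very short SA lifetimes. "),
        Units("Seconds")]
    uint32 MinLifetimeSeconds;

    // Percentage of the time lifetime at which re-keying starts (uint8).
    [Description (
        "RefreshThresholdSeconds is the lifetime percentage at which "
        "IKE should automatically attempt to acquire a new SA before "
        "an existing SA expires. A random period may be added to a "
        "calculated threshold to reduce network thrashing. " ) ]
    uint8 RefreshThresholdSeconds;

    // 0 disables the idle timer; the SA then expires on lifetime only.
    [Description (
        "IdleDurationSeconds is the time an SA can remain idle "
        "before it is automatically deleted. The default (zero) "
        "value indicates that there is no idle duration timer "
        "and that the SA is deleted based upon the SA lifetime."),
        Units("Seconds") ]
    uint32 IdleDurationSeconds;

    // Lower bound on an acceptable byte-volume lifetime.
    [Description (
        "MinLifetimeKilobytes prevents certain denial of service "
        "attacks based on very short SA lifetimes.")]
    uint32 MinLifetimeKilobytes;

    // Percentage of the kilobyte lifetime remaining at which re-keying starts.
    [Description (
        "RefreshThresholdKilobytes is the percentage of the SA "
        "kilobyte limit remaining before the SA is refreshed. "
        "A random value may be added to a calculated threshold "
        "to reduce network thrashing. " ) ]
    uint8 RefreshThresholdKilobytes;
};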
512
513 // ==================================================================
514 // IKEAction
515 // ==================================================================
// IKEAction: phase 1 negotiation parameters. ExchangeMode selects the ISAKMP
// exchange; AggressiveModeGroupID (qualified by VendorID for the
// vendor-specific range) applies only when ExchangeMode is Aggressive, per its
// Description.
[Description (
    "IKEAction specifies the parameters to use for an IKE "
    "phase 1 negotiation. " ) ]

class CIM_IKEAction : CIM_SANegotiationAction
{
    // Percentage; 0 means no derived-key limit.
    [Description (
        "RefreshThresholdDerivedKeys is the percentage of the "
        "derived key limit remaining before the IKE phase 1 "
        "SA is renegotiated. The default value (zero) means there "
        "is no limit. " ) ]
    uint8 RefreshThresholdDerivedKeys;

    // Codes 1/2/4 (3 is intentionally absent from the map).
    [Description (
        "The ExchangeMode designates the mode IKE should use for "
        "its key negotiations. " ),
        ValueMap {"1", "2", "4"},
        Values {"Base", "Main", "Aggressive" } ]
    uint16 ExchangeMode;

    // Same ID-type enumeration as CIM_PeerIDPayloadFilterEntry.MatchIdentityType.
    [Description (
        "UseIkeIdentityType is used in conjunction with the available "
        "IKEIdentity instances for the IPProtocolEndpoint. "
        "UseIKEIdentityType designates the type of IKE Identity to "
        "use in sending an IKE message."),
        ValueMap
        {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
        Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
        "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
        "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
        ModelCorrespondence {
        "CIM_IKEIdentity.IdentityType" } ]
    uint16 UseIKEIdentityType;

    // Qualifies AggressiveModeGroupID when the group number is vendor-specific.
    [Description ("The VendorID property is used to identify "
        "vendor-defined key exchange GroupIDs."),
        ModelCorrespondence {"CIM_IKEAction.AggressiveModeGroupID"}]
    string VendorID;

    // Well-known group numbers 0-5 are listed in the Description;
    // 32768-65535 are vendor-specific and need VendorID.
    [Description (
        "When IKEAction.ExchangeMode is set to \"Aggressive\", "
        "this property specifies the key exchange groupID to use "
        "in a proposal. If the GroupID number is from the vendor-"
        "specific range (32768-65535), the VendorID qualifies the "
        "group number. Well-known group identifiers from RFC2412 "
        "are: 0='Not Applicable', 1='DH768', 2='DH1024', "
        "3='ECC2N155', 4='ECC2N185', and 5='DH1536'"),
        ModelCorrespondence {"CIM_IKEAction.VendorID"}]
    uint16 AggressiveModeGroupID;
};
566
567 // ==================================================================
568 mike 1.2 // IPsecAction
569 // ==================================================================
// IPsecAction: phase 2 negotiation parameters. The PFS-related properties
// interact as their Descriptions state: GroupId is consulted only when UsePFS
// is TRUE and UseIKEGroup is FALSE; UseIKEGroup is ignored when UsePFS is
// FALSE.
[Description (
    "IPsecAction specifies the parameters to use for an IKE "
    "phase 2 negotiation. " ) ]

class CIM_IPsecAction : CIM_SANegotiationAction
{
    // Master switch for the PFS behaviour described on GroupId/UseIKEGroup.
    [Description (
        "UsePFS indicates whether perfect forward secrecy "
        "is required when refreshing keys.")]
    boolean UsePFS;

    // Qualifies GroupId when the group number is vendor-specific.
    [Description ("The VendorID property is used to identify "
        "vendor-defined key exchange GroupIDs."),
        ModelCorrespondence {"CIM_IPsecAction.GroupId"}]
    string VendorID;

    // Same well-known group list as CIM_IKEAction.AggressiveModeGroupID.
    [Description (
        "GroupId specifies the PFS group ID to use. This value is "
        "only used if PFS is True and UseIKEGroup is False. "
        "If the GroupID number is from the vendor-specific range "
        "(32768-65535), the VendorID qualifies the group number. "
        "Well-known group identifiers from RFC2412 are:\n"
        " 0='Not Applicable', 1='DH768', 2='DH1024', "
        "3='ECC2N155', 4='ECC2N185', and 5='DH1536'"),
        ModelCorrespondence {"CIM_IPsecAction.VendorID"}]
    uint16 GroupId;

    // Reuse the phase 1 group instead of GroupId.
    [Description (
        "UseIKEGroup indicates that the phase 2 GroupId should be "
        "the same as that used in the phase 1 protecting this phase "
        "2 exchange. IF PFS is False, UseIKEGroup is ignored. " ) ]
    boolean UseIKEGroup;

    // How narrowly the proposed SA selectors follow the triggering traffic
    // (1 = widest, Subnet; 4 = narrowest, Port).
    [Description (
        "Granularity controls whether proposed selectors for an "
        "SA should be:\n"
        "- the subnet mask (Subnet)\n"
        "- the IP address (Address)\n"
        "- the IP address & the IP protocol (Protocol)\n"
        "- the IP address, the IP protocol & the layer 4 port (Port) "
        "\n"
        "as derived from the traffic that triggered the FilterList "
        "of the Condition(s) that matched the rule."),
        ValueMap {"1", "2", "3", "4"},
        Values {"Subnet", "Address", "Protocol", "Port"}]
    uint16 Granularity;
};
617
618
619 // ==================================================================
620 // IPsecTransportAction
621 // ==================================================================
// IPsecTransportAction: negotiated SA in transport mode. No properties beyond
// IPsecAction.
[Description (
    "IPsecTransportAction is used to specify transport "
    "encapsulation mode. " ) ]

class CIM_IPsecTransportAction : CIM_IPsecAction
{
};
629
630
631 mike 1.2 // ==================================================================
632 // IPsecTunnelAction
633 // ==================================================================
// IPsecTunnelAction: negotiated SA in tunnel mode.
[Description (
    "IPsecTunnelAction is used to specify tunnel "
    "encapsulation mode. " ) ]

class CIM_IPsecTunnelAction : CIM_IPsecAction
{
    // Same enumeration as CIM_PreconfiguredTunnelAction.DFHandling in this file.
    [Description (
        "DFHandling controls how the Don't Fragment bit "
        "is managed by the tunnel. " ),
        ValueMap {"1", "2", "3"},
        Values {"Copy", "Set", "Clear"}]
    uint16 DFHandling;
};
647
648 // ==================================================================
649 // SATransform
650 // ==================================================================
// SATransform: abstract base of the AH/ESP/IPCOMP transforms proposed in
// phase 2. Keyed by the scoping System (two propagated keys) plus
// CreationClassName and the overridden CommonName; the lifetime values are
// what the sender proposes, not what is finally negotiated.
[Abstract, Description (
    "SATransform is the base class for the various types of "
    "transforms aggregated into phase 2 proposals. Note that "
    "it is weak to its containing System." ) ]

class CIM_SATransform : CIM_Policy
{
    // Propagated key: class name of the scoping System.
    [Propagated ("CIM_System.CreationClassName"), Key,
        MaxLen (256), Description (
        "The scoping System's CreationClassName.") ]
    string SystemCreationClassName;

    // Propagated key: name of the scoping System.
    [Propagated ("CIM_System.Name"), Key, MaxLen (256),
        Description (
        "The scoping System's Name.") ]
    string SystemName;

    // Key: concrete class used to create the instance.
    [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class or "
        "the subclass used in the creation of an instance. When "
        "used with the other key properties of this class, this "
        "property allows all instances of this class and its "
        "subclasses to be uniquely identified. " ) ]
    string CreationClassName;

    // Key: CommonName is promoted to a key here (Override).
    [Override ("CommonName"), Key, MaxLen (256), Description (
        "The Name property provides a user-friendly unique "
        "name for this SATransform. " ) ]
    string CommonName;

    // Proposed maximum time lifetime for the resulting SA.
    [Description (
        "MaxLifetimeSeconds specifies the maximum time the "
        "IKE message sender proposes for an SA to be considered "
        "valid after it has been created."),
        Units ("Seconds") ]
    uint32 MaxLifetimeSeconds;

    // Proposed maximum byte-volume lifetime; may vary per proposal with
    // cipher strength, per the Description.
    [Description (
        "MaxLifetimeKilobytes specifies the maximum kilobyte "
        "lifetime the IKE message sender proposes for an SA to "
        "be considered valid after it has been created. Each "
        "proposal may use a different lifetime based upon the "
        "strength of the encryption algorithm. " ) ]
    uint32 MaxLifetimeKilobytes;

    // Identifies vendor-defined transforms.
    [Description (
        "The VendorID property is used to identify "
        "vendor-defined transforms.") ]
    string VendorID;
};
701
702 // ==================================================================
703 // AHTransform
704 // ==================================================================
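// AHTransform: phase 2 proposal parameters for an AH SA. The AHTransformId map
// has no "None" entry, so an AH proposal always names an integrity algorithm.
// Fix: the ReplayPreventionWindowSize Description misspelled the property
// name as "ReplayPreventionWindowsSizw".
[Description (
    "AHTransform defines the parameters used for phase 2 "
    "negotiation of an AH SA. " ) ]

class CIM_AHTransform : CIM_SATransform
{
    // Codes 2/3/4 (no 0/1 in the map).
    [Description (
        "AHTransformId is an enumeration that specifies the "
        "hash algorithm to be used. " ),
        ValueMap {"2", "3", "4"},
        Values {"MD5", "SHA-1", "DES"} ]
    uint16 AHTransformId;

    // Enables sequence-number generation/checking (anti-replay).
    [Description (
        "UseReplayPrevention causes the local peer to compute the "
        "next sequence number when sending a packet or to check the "
        "sequence number when receiving a packet. " ) ]
    boolean UseReplayPrevention;

    // Window size in bits; ignored when UseReplayPrevention is FALSE.
    [Description (
        "ReplayPreventionWindowSize specifies, in bits, the length "
        "of the sliding window used by the replay prevention "
        "mechanism. The value of this property is meaningless if "
        "UseReplayPrevention is false. It is assumed that the window "
        "size will be power of 2.")]
    uint32 ReplayPreventionWindowSize;
};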
732
733 // ==================================================================
734 // ESPTransform
735 // ==================================================================
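// ESPTransform: phase 2 proposal parameters for an ESP SA.
// NOTE(review): IntegrityTransformId allows 0 ("None") and CipherTransformId
// allows 11 ("NULL"); the schema itself does not prevent a proposal that
// selects both, which would yield an SA providing neither confidentiality nor
// integrity. Policy validation, if any, is outside this model.
// Fix: the ReplayPreventionWindowSize Description misspelled the property
// name as "ReplayPreventionWindowsSizw".
[Description (
    "ESPTransform defines the parameters used for phase 2 "
    "negotiation of an ESP SA. " ) ]

class CIM_ESPTransform : CIM_SATransform
{
    // 0 = no integrity protection.
    [Description (
        "IntegrityTransformId is an enumeration that specifies "
        "the ESP integrity algorithm for the proposal. " ),
        ValueMap {"0", "1", "2", "3", "4"},
        Values {"None", "MD5", "SHA-1", "DES", "KPDK"} ]
    uint16 IntegrityTransformId;

    // 11 = NULL cipher (no encryption).
    [Description (
        "CipherTransformId is an enumeration that specifies the "
        "ESP encryption algorithm for the proposal. " ),
        ValueMap
        {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
        Values {"DES_IV64", "DES", "3DES", "RC5", "IDEA", "CAST",
        "Blowfish", "3-IDEA", "DES_IV32", "RC4", "NULL" }]
    uint16 CipherTransformId;

    // Only consulted for variable-key-length ciphers.
    [Description (
        "CipherKeyLength specifies, in bits, the key length for "
        "the encryption algorithm. For algorithms with fixed "
        "key lengths, this value is ignored.")]
    uint16 CipherKeyLength;

    // Not defined for any IPsec cipher at the time of this version.
    [Description (
        "CipherKeyRounds specifies the key rounds for the "
        "encryption algorithm. Currently, key rounds are not "
        "defined for any IPsec encryption algorithms. " ) ]
    uint16 CipherKeyRounds;

    // Enables sequence-number generation/checking (anti-replay).
    [Description (
        "UseReplayPrevention causes the local peer to compute the "
        "next sequence number when sending a packet or to check the "
        "sequence number when receiving a packet. " ) ]
    boolean UseReplayPrevention;

    // Window size in bits; ignored when UseReplayPrevention is FALSE.
    [Description (
        "ReplayPreventionWindowSize specifies, in bits, the length "
        "of the sliding window used by the replay prevention "
        "mechanism. The value of this property is meaningless if "
        "UseReplayPrevention is false. It is assumed that the window "
        "size will be power of 2.")]
    uint32 ReplayPreventionWindowSize;
};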
784
785
786 // ==================================================================
787 // IPCOMPTransform
788 // ==================================================================
789 [Description (
790 "IPCOMPTransform specifies the compression algorithm "
791 "to use. " ) ]
792
// Phase 2 IPCOMP proposal parameters; keys come from CIM_SATransform (outside
// this view).
793 class CIM_IPCOMPTransform : CIM_SATransform
794 {
795 [Description (
796 "The Algorithm is an enumeration that designates the "
797 "IPCOMP compression algorithm to use. OUI designates a "
798 "vendor-specific algorithm."),
799 mike 1.2 ValueMap {"1", "2", "3", "4"},
800 Values {"OUI", "DEFLATE", "LZS", "V42BIS"}]
801 uint16 Algorithm;
802
803 [Description (
804 "DictionarySize is an optional field that specifies the "
805 "log2 maximum size of the dictionary. " ) ]
806 uint16 DictionarySize;
807
// NOTE(review): "TransformId" in the Description below is not a property of
// this class; it appears to mean Algorithm (value 1, "OUI") -- confirm. A
// consumer should expect PrivateAlgorithm to be set only when Algorithm is 1.
808 [Description (
809 "Private compression algorithm, used when TransformId "
810 "is OUI. " ) ]
811 uint32 PrivateAlgorithm;
812 };
813
814 // ==================================================================
815 // SAProposal
816 // ==================================================================
817 [Abstract, Description (
818 "SAProposal is a base class defining the common "
819 "properties of and anchoring common associations "
820 mike 1.2 "for IKE phase 1 and phase 2 (IPsec) proposals.") ]
821
// Abstract base of IKEProposal (phase 1) and IPsecProposal (phase 2). Instances
// are scoped to a System: the two Propagated keys come from CIM_System and,
// together with CreationClassName and Name, make up the full key.
822 class CIM_SAProposal : CIM_Policy
823 {
824 [Propagated ("CIM_System.CreationClassName"), Key,
825 MaxLen (256), Description (
826 "The scoping System's CreationClassName.") ]
827 string SystemCreationClassName;
828
829 [Propagated ("CIM_System.Name"), Key,
830 MaxLen (256), Description (
831 "The scoping System's Name.") ]
832 string SystemName;
833
834 [Key, MaxLen (256), Description (
835 "CreationClassName indicates the name of the class "
836 "or the subclass used in the creation of an "
837 "instance. When used with the other key properties of "
838 "this class, this property allows all instances of this "
839 "class and its subclasses to be uniquely identified.") ]
840 string CreationClassName;
841 mike 1.2
842 [Key, MaxLen (256), Description (
843 "The Name property uniquely identifies the "
844 "CIM_SAProposal.") ]
845 string Name;
846 };
847
848 // ==================================================================
849 // IKEProposal
850 // ==================================================================
851 [Description ("IKEProposal contains the parameters necessary "
852 "to drive the phase 1 IKE negotiation.") ]
853
854 class CIM_IKEProposal : CIM_SAProposal
855 {
// A value of 0 means no limit on the phase 2 keys derived from one phase 1
// key (per the Description).
856 [Description ("LifetimeDerivedKeys specifies the number of "
857 "times a phase 1 key will be used to derive a phase 2 "
858 "(IPsec) key. A value of 0 indicates that there is no limit "
859 "to the number of phase 2 keys that can be derived from the "
860 "phase 1 key.") ]
861 uint32 LifetimeDerivedKeys ;
862 mike 1.2
// NOTE(review): CipherAlgorithm and HashAlgorithm enumerate a fixed algorithm
// set (single DES and MD5 among them); which values a deployment may propose
// should be restricted by policy, not left to the enumeration.
863 [Description ("CipherAlgorithm is an enumeration that "
864 "specifies the proposed encryption algorithm."),
865 ValueMap { "1", "2", "3", "4", "5", "6" },
866 Values { "DES", "IDEA", "Blowfish", "RC5", "3DES",
867 "CAST"}]
868 uint16 CipherAlgorithm;
869
870 [Description ("HashAlgorithm is an enumeration that specifies "
871 "the proposed hash function."),
872 ValueMap {"1", "2", "3"},
873 Values {"MD5", "SHA-1", "Tiger"}]
874 uint16 HashAlgorithm;
875
876 [Description ("PRFAlgorithm specifies the pseudo-random "
877 "function IKE should use. Currently, no such functions are "
878 "defined.")]
879 uint16 PRFAlgorithm;
880
881 [Description ("The VendorID property is used to identify "
882 "vendor-defined key exchange GroupIDs."),
883 mike 1.2 ModelCorrespondence {"CIM_IKEProposal.GroupId"}]
884 string VendorID;
885
// NOTE(review): a GroupId in the vendor range 32768-65535 is only meaningful
// together with VendorID (see the Description); a consumer should treat such a
// value as unrecognised when VendorID is not set. 0 ("Not Applicable") is the
// expected value unless IKEAction.ExchangeMode is "Base" or "Main".
886 [Description ("When IKEAction.ExchangeMode is set to "
887 "\"Base\" or to \"Main,\" the GroupId specifies the key "
888 "exchange group ID to use in a proposal, otherwise, "
889 "GroupId is set to 0, \"Not Applicable,\" and ignored. "
890 "If the GroupID number is from the vendor-specific range "
891 "(32768-65535), the VendorID qualifies the group number. "
892 "Well-known group identifiers from RFC2412 are:\n"
893 " 0='Not Applicable', 1='DH768', 2='DH1024', "
894 "3='ECC2N155', 4='ECC2N185', and 5='DH1536'"),
895 ModelCorrespondence {"CIM_IKEProposal.VendorID"}]
896 uint16 GroupId;
897
// NOTE(review): 0 ("Any") expands this proposal once per credential type the
// system holds (see the Description), i.e. it offers every authentication
// method available; set an explicit value when a single method must be pinned.
898 [Description ("AuthenticationMethod is an enumeration that "
899 "specifies the authentication method to use for the "
900 "proposal. If the value 0 (Any) is used, then the proposal "
901 "should be multiplied in the IKE proposal list by as many "
902 "authentication methods as correspond to credentials on the "
903 "system (e.g., if the system has a preshared key and a "
904 mike 1.2 "certificate, then the proposal will be repeated twice -- "
905 "once for each method)."),
906 ValueMap { "0", "1", "2", "3", "4", "5", "6" },
907 Values {"Any", "Preshared", "DSS_Signatures",
908 "RSA_Signatures", "RSA_Encryption", "Revised_RSA_Encryption",
909 "Kerberos" } ]
910 uint16 AuthenticationMethod;
911
912 [Description ("MaxLifetimeSeconds specifies the maximum time "
913 "the IKE message sender proposes for an SA to be considered "
914 "valid after it has been created."), Units("Seconds") ]
915 uint32 MaxLifetimeSeconds;
916
917 [Description ("MaxLifetimeKilobytes specifies the maximum "
918 "kilobyte lifetime the IKE message sender proposes for an SA "
919 "to be considered valid after it has been created. Each "
920 "proposal may use a different lifetime based upon the "
921 "strength of the encryption algorithm.") ]
922 uint32 MaxLifetimeKilobytes;
923 };
924
925 mike 1.2 // ==================================================================
926 // IPsecProposal
927 // ==================================================================
928 [Description ("IPsecProposal aggregates the transform list "
929 "that specifies the phase 2 negotiation proposals for "
930 "transform parameters.") ]
931
932 class CIM_IPsecProposal : CIM_SAProposal
933 {
934 };
935
936 // ==================================================================
937 // IKEService
938 // ==================================================================
939 [Description (
940 "Derived from NetworkService, IKEService represents the "
941 "functions performed during IKE phase 1 and phase 2 "
942 "negotiations. An IKEService instance provides services "
943 "for IPProtocolEndpoints on a System.") ]
944
945 class CIM_IKEService: CIM_NetworkService
946 mike 1.2 {
947 };
948
949 // ==================================================================
950 // PeerGateway
951 // ==================================================================
952 [Description ("PeerGateway identifies a security gateway with "
953 "which an IKE Service negotiates.") ]
954
955 class CIM_PeerGateway: CIM_LogicalElement
956 {
957 [Propagated ("CIM_System.CreationClassName"), Key,
958 MaxLen (256), Description (
959 "The scoping System's CreationClassName. ") ]
960 string SystemCreationClassName;
961
962 [Propagated ("CIM_System.Name"), Key, MaxLen (256),
963 Description ("The scoping System's Name.") ]
964 string SystemName;
965
966 [Key, MaxLen (256), Description (
967 mike 1.2 "CreationClassName indicates the name of the class or the "
968 "subclass used in the creation of an instance. When used "
969 "with the other key properties of this class, this property "
970 "allows all instances of this class and its subclasses to "
971 "be uniquely identified." ) ]
972 string CreationClassName;
973
974 [Override ("Name"), Key, MaxLen (256),
975 Description (
976 "The Name property uniquely identifies the PeerGateway "
977 "instance.") ]
978 string Name;
979
980 [Description ("The PeerIdentityType specifies the type of the "
981 "Peer's IKE Identity."),
982 ValueMap
983 {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
984 Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
985 "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
986 "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
987 ModelCorrespondence {"CIM_PeerGateway.PeerIdentity"}]
988 mike 1.2 uint16 PeerIdentityType;
989
990 [Description ("PeerIdentity contains a string encoding of the "
991 "Identity payload for the security gateway."),
992 ModelCorrespondence {"CIM_PeerGateway.PeerIdentityType"}]
993 string PeerIdentity;
994 };
995
996 // ==================================================================
997 // PeerIdentityTable
998 // ==================================================================
999 [Description ("PeerIdentityTable aggregates table entries "
1000 "that provide mappings between identities and their "
1001 "addresses.") ]
1002
1003 class CIM_PeerIdentityTable: CIM_Collection
1004 {
1005 [Propagated ("CIM_System.CreationClassName"), Key,
1006 MaxLen (256), Description (
1007 "The scoping System's CreationClassName. ") ]
1008 string SystemCreationClassName;
1009 mike 1.2
1010 [Propagated ("CIM_System.Name"), Key, MaxLen (256),
1011 Description ("The scoping System's Name.") ]
1012 string SystemName;
1013
1014 [Key, MaxLen (256), Description (
1015 "CreationClassName indicates the name of the class or the "
1016 "subclass used in the creation of an instance. When used "
1017 "with the other key properties of this class, this property "
1018 "allows all instances of this class and its subclasses to "
1019 "be uniquely identified." ) ]
1020 string CreationClassName;
1021
1022 [Key, MaxLen (256), Description ("The Name property uniquely "
1023 "identifies the PeerIdentityTable." ) ]
1024 string Name;
1025 };
1026
1027 // ==================================================================
1028 // PeerIdentityEntry
1029 // ==================================================================
1030 mike 1.2 [Description ("A PeerIdentityEntry in a PeerIdentityTable "
1031 "provides the mappings between peer's addresses and "
1032 "identities." ) ]
1033
1034 class CIM_PeerIdentityEntry: CIM_LogicalElement
1035 {
// Scoped, via the four Propagated keys, to the PeerIdentityTable and its System.
1036 [Propagated ("CIM_PeerIdentityTable.SystemCreationClassName" ),
1037 Key, MaxLen (256), Description (
1038 "The scoping System's CreationClassName. " ) ]
1039 string SystemCreationClassName;
1040
1041 [Propagated ("CIM_PeerIdentityTable.SystemName"), Key,
1042 MaxLen (256), Description ("The scoping System's Name." ) ]
1043 string SystemName;
1044
1045 [Propagated ("CIM_PeerIdentityTable.CreationClassName"), Key,
1046 MaxLen (256), Description (
1047 "The scoping PeerIdentityTable CreationClassName.") ]
1048 string TableCreationClassName;
1049
1050 [Propagated ("CIM_PeerIdentityTable.Name"), Key,
1051 mike 1.2 MaxLen (256), Description (
1052 "The scoping PeerIdentityTable Name." ) ]
1053 string TableName;
1054
1055 [Key, MaxLen (256), Description (
1056 "CreationClassName indicates the name of the class or the "
1057 "subclass used in the creation of an instance. When used "
1058 "with the other key properties of this class, this property "
1059 "allows all instances of this class and its subclasses to "
1060 "be uniquely identified.") ]
1061 string CreationClassName;
1062
// NOTE(review): PeerIdentityType, PeerIdentity, PeerAddressType and PeerAddress
// are all Key properties, so one identity may appear with several addresses and
// one address with several identities; consumers must not assume either
// mapping is one-to-one.
1063 [Key, Description ("The PeerIdentityType specifies the type "
1064 "of the Peer's IKE Identity."),
1065 ValueMap
1066 {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
1067 Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
1068 "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
1069 "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
1070 ModelCorrespondence {"CIM_PeerIdentityEntry.PeerIdentity"}]
1071 uint16 PeerIdentityType;
1072 mike 1.2
1073 [Key, Description ("PeerIdentity contains a string encoding "
1074 "of the Identity payload for the peer."),
1075 ModelCorrespondence {"CIM_PeerIdentityEntry.PeerIdentityType"}]
1076 string PeerIdentity;
1077
// Per the Description, an address that can be written in IPv4 form must use
// IPv4 (value 1), so the same address cannot appear under both address types.
1078 [Key, Description (
1079 "An enumeration that describes the format of the PeerAddress "
1080 "property. Addresses that can be formatted in IPv4 format, "
1081 "must be formatted that way to ensure mixed IPv4/IPv6 "
1082 "support."),
1083 ValueMap { "0", "1", "2" },
1084 Values { "Unknown", "IPv4", "IPv6" },
1085 ModelCorrespondence {"CIM_PeerIdentityEntry.PeerAddress"}]
1086 uint16 PeerAddressType;
1087
1088 [Key, Description (
1089 "The string representation of the IP address of the peer "
1090 "formatted according to the appropriate convention as "
1091 "defined in the PeerAddressType property of this class "
1092 "(e.g., 171.79.6.40)."),
1093 mike 1.2 ModelCorrespondence {"CIM_PeerIdentityEntry.PeerAddressType"}]
1094 string PeerAddress;
1095 };
1096
1097 // ==================================================================
1098 // IPsecProtectionSuite
1099 // ==================================================================
1100 [Description ("IPsecProtectionSuite represents the collection "
1101 "of SAs negotiated as a set by IKE. A protection suite may "
1102 "consist of up to 6 individual SAs (incoming and outgoing "
1103 "SAs for AH, ESP, and IPCOMP)") ]
1104
1105 class CIM_IPsecProtectionSuite : CIM_Collection
1106 {
1107 [Key, MaxLen (256), Description (
1108 "CreationClassName indicates the name of the class or the "
1109 "subclass used in the creation of an instance. When used "
1110 "with the other key properties of this class, this property "
1111 "allows all instances of this class and its subclasses to "
1112 "be uniquely identified.") ]
1113
1114 mike 1.2 string CreationClassName;
// NOTE(review): the Name Description below speaks of "the Service"; this class
// is a Collection, so the wording looks carried over from a Service class --
// confirm.
1115 [Key, MaxLen (256), Description (
1116 "The Name property uniquely identifies the Service and "
1117 "provides an indication of the functionality that is "
1118 "managed. This functionality is described in more detail in "
1119 "the object's Description property. ") ]
1120 string Name;
1121
// The remaining keys are propagated from the scoping IPProtocolEndpoint (and
// its System), so a suite is identified relative to the endpoint whose SAs it
// collects.
1122 [Propagated ("CIM_IPProtocolEndpoint.SystemCreationClassName"),
1123 Key, MaxLen (256), Description (
1124 "The scoping System's CreationClassName. ") ]
1125 string SystemCreationClassName;
1126
1127 [Propagated ("CIM_IPProtocolEndpoint.SystemName"), Key,
1128 MaxLen (256), Description ("The scoping System's Name.") ]
1129 string SystemName;
1130
1131 [Propagated ("CIM_IPProtocolEndpoint.CreationClassName"), Key,
1132 MaxLen (256), Description (
1133 "The scoping IPProtocolEndpoint's CreationClassName. ") ]
1134 string SAPCreationClassName;
1135 mike 1.2
1136 [Propagated ("CIM_IPProtocolEndpoint.Name"), Key,
1137 MaxLen (256), Description (
1138 "The scoping IPProtocolEndpoint's Name.") ]
1139 string SAPName;
1140 };
1141
1142 // ==================================================================
1143 // IKEIdentity
1144 // ==================================================================
1145 [Description ("IKEIdentity is used to represent the "
1146 "identities that may be used for an IPProtocolEndpoint (or "
1147 "collection of IPProtocolEndpoints) to identify the "
1148 "IKEService in IKE phase 1 negotiations. The policy "
1149 "IKEAction.UseIKEIdentityType specifies which type of the "
1150 "available identities to use in a negotiation exchange and "
1151 "the IKERule.IdentityContexts specifies the match values to "
1152 "be used, along with the local address, in selecting the "
1153 "appropriate identity for a negotiation. The ElementID "
1154 "property value should be that of either the "
1155 "IPProtocolEndpoint or Collection of endpoints as "
1156 mike 1.2 "appropriate.") ]
1157
1158 class CIM_IKEIdentity : CIM_UsersAccess
1159 {
// NOTE(review): the ModelCorrespondence below names CIM_IKEAction.UseIKEIdentity,
// while the class Description and the IdentityContexts Description refer to
// IKEAction.UseIKEIdentityType -- confirm which property name is intended.
1160 [Description ("The IdentityType specifies the type of IKE "
1161 "Identity."),
1162 ValueMap
1163 {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"},
1164 Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET",
1165 "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE",
1166 "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"},
1167 ModelCorrespondence {"CIM_IKEAction.UseIKEIdentity",
1168 "CIM_IKEIdentity.IdentityValue"}]
1169 uint16 IdentityType;
1170
// For address-type identities the value may be omitted and the associated
// endpoint (or Collection member) supplies the identity (per the Description).
1171 [Description ("IdentityValue contains a string encoding of "
1172 "the Identity payload. For IKEIdentity instances that are "
1173 "address types, the IdentityValue string value may be "
1174 "omitted and the associated IPProtocolEndpoint or "
1175 "appropriate member of the Collection of endpoints is used."),
1176 ModelCorrespondence {"CIM_IKEIdentity.IdentityType"}]
1177 mike 1.2 string IdentityValue;
1178
// Each array value is an ORed match term against IKERule.IdentityContexts (see
// the Description). NOTE(review): the schema itself does not guarantee the
// "1 and only 1" IKEIdentity the Description asks for; an implementation that
// selects identities should detect and report ambiguous matches rather than
// pick one silently.
1179 [Description (
1180 "The IdentityContexts property is used to constrain the use "
1181 "of IKEIdentity instances to match that specified in the "
1182 "IKERule.IdentityContexts. The IdentityContexts are "
1183 "formatted as policy roles and role combinations. Each "
1184 "value represents one context or context combination. Since "
1185 "this is a multi-valued property, more than one context or "
1186 "combination of contexts can be associated with a single "
1187 "IKEIdentity. Each value is a string of the form:\n"
1188 " <ContextName>[&&<ContextName>]*\n"
1189 "where the individual context names appear in alphabetical "
1190 "order (according to the collating sequence for UCS-2). "
1191 "If one or more values in the IKERule.IdentityContexts array "
1192 "match one or more IKEIdentity.IdentityContexts then the "
1193 "identity's context matches. (That is, each value of the "
1194 "IdentityContext array is an ORed condition.) In "
1195 "combination with the address of the IPProtocolEndpoint and "
1196 "IKEAction.UseIKEIdentityType, there should be 1 and only 1 "
1197 "IKEIdentity." ),
1198 mike 1.2 ModelCorrespondence {"CIM_IKERule.IdentityContexts" } ]
1199 string IdentityContexts [];
1200 };
1201
1202 // ==================================================================
1203 // SecurityAssociation
1204 // ==================================================================
1205 [Description ("SecurityAssociation (SA) subclasses are used "
1206 "to represent the protocol endpoint of the secure connection "
1207 "established with the IKE/ISAKMP protocol. An SA is used for "
1208 "each direction of flow.") ]
1209
// Common lifetime, refresh and accounting properties of all SA kinds; one
// instance per direction of flow (per the Description).
1210 class CIM_SecurityAssociation : CIM_ProtocolEndpoint
1211 {
1212 [Description (
1213 "TimeOfCreation records when the SA was created")]
1214 datetime TimeOfCreation;
1215
1216 [Description ("LifetimeSeconds specifies the maximum time SA "
1217 "will be considered valid after it has been created."),
1218 Units("Seconds") ]
1219 mike 1.2 uint32 LifetimeSeconds;
1220
// NOTE(review): despite the "Seconds" suffix this is a percentage of
// LifetimeSeconds (uint8, per the Description), parallel to
// RefreshThresholdKilobytes below; it carries no Units qualifier.
1221 [Description ("RefreshThresholdSeconds is the lifetime "
1222 "percentage at which IKE should automatically attempt to "
1223 "acquire a new SA before the existing SA expires. A random "
1224 "period may be added to a calculated threshold to reduce "
1225 "network thrashing.")]
1226 uint8 RefreshThresholdSeconds;
1227
1228 [Description ("LastAccessed enables deletion if SA is idle "
1229 "too long.")]
1230 datetime LastAccessed;
1231
1232 [Description ("IdleDurationSeconds specifies how long the SA "
1233 "can be idle before it is deleted. The default value, 0, "
1234 "indicates that there is no idle time out period."),
1235 Units("Seconds")]
1236 uint32 IdleDurationSeconds;
1237
// NOTE(review): ByteCount counts bytes in a uint32 while LifetimeKilobytes
// (below) counts kilobytes in a uint32, so ByteCount cannot express the whole
// range a LifetimeKilobytes value can describe -- confirm whether the widths
// are intentional or ByteCount is expected to wrap.
1238 [Description ("How many bytes have been protected by this SA")]
1239 uint32 ByteCount;
// NOTE(review): the Description reads "It is deleted SA if LifetimeKilobyte
// value is exceeded"; the intent is that the SA is deleted once the
// LifetimeKilobytes value is exceeded.
1240 mike 1.2 [Description ("LifetimeKilobytes specifies the maximum number "
1241 "of kilobytes of data traffic to be protected by the SA. It "
1242 "is deleted SA if LifetimeKilobyte value is exceeded.")]
1243 uint32 LifetimeKilobytes;
1244
1245 [Description ("RefreshThresholdKilobytes is the ByteCount "
1246 "value, expressed as a percentage of the LifetimeKilobytes, "
1247 "at which IKE should begin to renegotiate a new SA. A "
1248 "random value may be added to the calculated threshold to "
1249 "reduce network thrashing.")]
1250 uint8 RefreshThresholdKilobytes;
1251
// NOTE(review): what the log contains is not specified here; since it covers
// traffic the SA protects, where it is stored and who may read it should be
// governed by the same policy that sets this flag.
1252 [Description (
1253 "DoPacketLogging causes a log to be kept of traffic "
1254 "processed by the SA." )]
1255 boolean DoPacketLogging;
1256 };
1257
1258 // ==================================================================
1259 // IKESecurityAssociation
1260 // ==================================================================
1261 mike 1.2 [Description ("IKESecurityAssociation is the SA used by IKE "
1262 "to protect key negotiation traffic.") ]
1263
1264 class CIM_IKESecurityAssociation : CIM_SecurityAssociation
1265 {
1266 [Description ("Identifier of the IKE phase 1 negotiation "
1267 "initiator. Combined with the ResponderCookie, this value, "
1268 "in string form, may be used to construct the value of the "
1269 "key field 'Name'." ) ]
1270 uint64 InitiatorCookie;
1271
1272 [Description ("Identifier of the IKE phase 1 negotiation "
1273 "responder. Combined with the InitiatorCookie, this value, "
1274 "in string form, may be used to construct the value of the "
1275 "key field 'Name'." ) ]
1276 uint64 ResponderCookie;
1277
1278 [Description ("How many phase 2 derived keys have been "
1279 "negotiated with this SA." ) ]
1280 uint32 DerivedKeyCount;
1281
1282 mike 1.2 [Description ("Delete the SA if more than LifetimeDerivedKeys "
1283 "phase 2 keys have been derived. A zero value indicates that there is "
1284 "no limit to the number of phase 2 derived keys." ) ]
1285 uint32 LifetimeDerivedKeys;
1286
1287 [Description ("Percentage of LifetimeDerivedKeys at which "
1288 "SA should be refreshed." ) ]
1289 uint8 RefreshThresholdDerivedKeys;
1290
1291 [Description ("CipherAlgorithm is an enumeration that "
1292 "specifies the proposed encryption algorithm."),
1293 ValueMap { "1", "2", "3", "4", "5", "6" },
1294 Values
1295 {"DES", "IDEA", "Blowfish", "RC5", "3DES", "CAST"}]
1296 uint16 CipherAlgorithm;
1297
1298 [Description ("HashAlgorithm is an enumeration that specifies "
1299 "the proposed hash function."),
1300 ValueMap {"1", "2", "3"},
1301 Values {"MD5", "SHA-1", "Tiger" } ]
1302 uint16 HashAlgorithm;
1303 mike 1.2
1304 [Description ("GroupId specifies the key exchange group ID. "
1305 "If the GroupID number is from the vendor-specific range "
1306 "(32768-65535), the VendorID qualifies the group number. "
1307 "Well-known group identifiers from RFC2412 are:\n"
1308 "1='DH768', 2='DH1024', 3='ECC2N155', 4='ECC2N185', and "
1309 "5='DH1536'"),
1310 ModelCorrespondence {"CIM_IKESecurityAssociation.VendorID"}]
1311 uint16 GroupId;
1312
1313 [Description ("VendorID identifies the vendor ID for "
1314 "vendor-defined algorithms."),
1315 ModelCorrespondence {"CIM_IKESecurityAssociation.GroupId"}]
1316 string VendorID;
1317 };
1318
1319
1320 // ==================================================================
1321 // IPsecSecurityAssociation
1322 // ==================================================================
1323 [Description ("IPsecSecurityAssociation is used to represent "
1324 mike 1.2 "both negotiated and static SAs that correspond to AH, ESP, "
1325 "or IPCOMP.") ]
1326
// One AH, ESP or IPCOMP SA (negotiated or static); lifetime and accounting
// properties are inherited from CIM_SecurityAssociation.
1327 class CIM_IPsecSecurityAssociation : CIM_SecurityAssociation
1328 {
// NOTE(review): the Description allows the SPI's string form to serve as the
// inherited key 'Name'. An SPI is presumably not unique across all peers of a
// system, so a Name derived from it alone could collide -- confirm the
// derivation includes more than the SPI.
1329 [Description ("SPI contains the Security Parameter Index of "
1330 "the SA. This value in string form may also be used in "
1331 "the key field 'Name' inherited from ServiceAccessPoint. ")]
1332 uint32 SPI;
1333
1334 [Description ("EncapsulationMode indicates whether the "
1335 "security association is for a transport or tunnel "
1336 "encapsulation mode."),
1337 ValueMap {"1", "2"},
1338 Values {"Tunnel", "Transport"}]
1339 uint16 EncapsulationMode;
1340
// NOTE(review): DFHandling is described in terms of "the tunnel"; presumably
// only meaningful when EncapsulationMode is 1 ("Tunnel") -- confirm.
1341 [Description (
1342 "DFHandling controls how the Don't Fragment bit "
1343 "is managed by the tunnel. " ),
1344 ValueMap {"1", "2", "3"},
1345 mike 1.2 Values {"Copy", "Set", "Clear"}]
1346 uint16 DFHandling;
1347 };
1348
1349 // ==================================================================
1350 // DiscardSecurityAssociation
1351 // ==================================================================
1352 [Description ("DiscardSecurityAssociation is the SA type that "
1353 "causes packets to be dropped.") ]
1354
1355 class CIM_DiscardSecurityAssociation: CIM_SecurityAssociation
1356 {
1357 };
1358 // ==================================================================
1359 // BypassSecurityAssociation
1360 // ==================================================================
1361 [Description ("BypassSecurityAssociation is the SA type that "
1362 "causes packets to be sent in the clear.") ]
1363
1364 class CIM_BypassSecurityAssociation: CIM_SecurityAssociation
1365 {
1366 mike 1.2 };
1367
1368 // ==================================================================
1369 // AutostartIKEConfiguration
1370 // ==================================================================
1371 [Description ("AutostartIKEConfiguration object allows the "
1372 "grouping of sets of AutostartIKESetting instances.") ]
1373 class CIM_AutostartIKEConfiguration : CIM_SystemConfiguration
1374 {
1375 };
1376
1377 // ==================================================================
1378 // AutostartIKESetting
1379 // ==================================================================
1380 [Description ("AutostartIKESetting instances are used to "
1381 "automatically initiate IKE negotiations with peers (or "
1382 "statically create an SA) as specified in the "
1383 "AutostartIKESetting properties. Appropriate actions are "
1384 "initiated according to the policy that matches the setting "
1385 "parameters.") ]
// NOTE(review): each setting initiates a negotiation (or static SA) on its own;
// the policy rule whose filter matches these properties determines the action,
// and the schema does not say what happens when no rule matches -- confirm the
// implementation behaviour.
1386 class CIM_AutostartIKESetting : CIM_SystemSetting
1387 mike 1.2 {
1388 [Description (
1389 "Phase1Only is used to limit the IKE negotiation to just "
1390 "setting up a phase 1 security association. When set to "
1391 "False, both phase 1 and 2 negotiations are initiated.") ]
1392 boolean Phase1Only;
// AddressType governs the format of both SourceAddress and DestinationAddress
// (see the ModelCorrespondence qualifier).
1393 [Description (
1394 "An enumeration that describes the format of the source and "
1395 "destination address properties."),
1396 ValueMap { "0", "1", "2" },
1397 Values { "Unknown", "IPv4", "IPv6" },
1398 ModelCorrespondence {"CIM_AutostartIKESetting.SourceAddress",
1399 "CIM_AutostartIKESetting.DestinationAddress"}]
1400 uint16 AddressType;
1401 [Description (
1402 "The dotted-decimal or colon-decimal formatted IP address "
1403 "used as the source address in comparing with policy "
1404 "filter entries and used in any phase 2 negotiations."),
1405 ModelCorrespondence {"CIM_AutostartIKESetting.AddressType"}]
1406 string SourceAddress;
1407 [Description (
1408 mike 1.2 "The port number used as the source port in comparing "
1409 "with policy filter entries and used in any phase "
1410 "2 negotiations.")]
1411 uint16 SourcePort;
1412 [Description (
1413 "The dotted-decimal or colon-decimal formatted IP address "
1414 "used as the destination address in comparing with policy "
1415 "filter entries and used in any phase 2 negotiations."),
1416 ModelCorrespondence {"CIM_AutostartIKESetting.AddressType"}]
1417 string DestinationAddress;
1418 [Description (
1419 "The port number used as the destination port in comparing "
1420 "with policy filter entries and used in any phase 2 "
1421 "negotiations.")]
1422 uint16 DestinationPort;
1423 [Description (
1424 "The protocol number used in comparing with policy filter "
1425 "entries and used in any phase 2 negotiations.")]
1426 uint8 Protocol;
1427 };
1428
1429 mike 1.2
1430 /////////////////////////////////////////////////////////////////////
1431 //*******************************************************************
1432 // Associations
1433 //*******************************************************************
1434 /////////////////////////////////////////////////////////////////////
1435
1436 // ==================================================================
1437 // SAConditionInRule
1438 // ==================================================================
1439 [ Association, Aggregation, Description (
1440 "SAConditionInRule aggregates an SARule with the set of "
1441 "SACondition instances that trigger it.") ]
1442
1443 class CIM_SAConditionInRule : CIM_PolicyConditionInPolicyRule
1444 {
1445 [Aggregate, Override ("GroupComponent"), Description (
1446 "An SARule subclass of PolicyRule." ) ]
1447 CIM_SARule REF GroupComponent;
1448
1449 [Override ("PartComponent"), Min(1), Description (
1450 mike 1.2 "An SACondition subclass of PolicyCondition. " ) ]
1451 CIM_SACondition REF PartComponent;
1452 };
1453
1454 // ==================================================================
1455 // FilterOfSACondition
1456 // ==================================================================
1457 [ Association, Description (
1458 "FilterOfSACondition associates a network traffic "
1459 "specification (FilterList) with a SARule's SACondition." ) ]
1460
1461 class CIM_FilterOfSACondition : CIM_Dependency
1462 {
1463 [Override ("Antecedent"), Min(1), Max(1), Description (
1464 "A FilterList describes the traffic that will specify the "
1465 "traffic to be filtered that is part of the SACondition of "
1466 "a policy rule. " ) ]
1467 CIM_FilterList REF Antecedent;
1468
1469 [Override ("Dependent"), Description (
1470 "This is the SACondition that uses this FilterList to form "
1471 mike 1.2 "a policy rule. " ) ]
1472 CIM_SACondition REF Dependent;
1473 };
1474
1475 // ==================================================================
1476 // AcceptCredentialsFrom
1477 // ==================================================================
1478 [Association, Description (
1479 "This is used to specify which credential management service "
1480 "(e.g., a CertificateAuthority or a Kerberos service) is to "
1481 "be trusted to certify peer credentials. This is used to "
1482 "validate that the credential being matched in the "
1483 "CredentialFilterEntry is a valid credential that has been "
1484 "supplied by an approved CredentialManagementService. " ) ]
1485
// NOTE(review): no Min/Max cardinality is placed on Antecedent here (compare
// FilterOfSACondition, which uses Min(1), Max(1)), so an SACondition that
// matches a credential may have zero trusted issuers associated. A consumer
// must treat that as "no issuer is trusted", not "any issuer is trusted" --
// confirm the intended default.
1486 class CIM_AcceptCredentialsFrom : CIM_Dependency
1487 {
1488 [Override ("Antecedent"),
1489 Description ("The CredentialManagementService that is issuing "
1490 "the credential to be used in the SACondition. " ) ]
1491 CIM_CredentialManagementService REF Antecedent;
1492 mike 1.2
1493 [Override ("Dependent"),
1494 Description ("SACondition that contains the credential. " ) ]
1495 CIM_SACondition REF Dependent;
1496 };
1497
1498 // ==================================================================
1499 // SAActionInRule
1500 // ==================================================================
1501 [Association, Aggregation, Description (
1502 "SAActionInRule aggregates SAActions into SARules. In "
1503 "SAActionInRule, the combination of the ActionOrder value and "
1504 "the FallbackOrder value MUST be unique so as to specify a "
1505 "deterministic execution strategy. An ActionOrder value "
1506 "specifies a set of actions to be attempted and the order in "
1507 "which to attempt the set with respect to other ActionOrder "
1508 "sets. The FallbackOrder specifies the order in which to "
1509 "attempt the actions within the set.\n"
1510 "\n"
1511 "For example, {ActionOrder=1,FallbackOrder=1} is the backup "
1512 "action for {ActionOrder=1,FallbackOrder=0} and {ActionOrder=2,"
1513 mike 1.2 "FallbackOrder=1} is the backup action for {ActionOrder=2,"
1514 "FallbackOrder=0}. In this example, {1,0} will be attempted "
1515 "and, if it fails or is otherwise inappropriate, {1,1} is then "
1516 "attempted. Regardless of which of these, if any, succeeds, "
1517 "{2,0} is then attempted, and so on.\n"
1518 "\n"
1519 "In an initiator role, if there is more than one action in the "
1520 "rule, the ActionOrder identified sets are executed as described "
1521 "above using the FallbackOrder to determine the order in which "
1522 "to attempt actions within a set, i.e., the additional actions "
1523 "with the same ActionOrder value are 'backup' actions in the "
1524 "event that the first action is not able to be completed "
1525 "successfully. Within each ActionOrder identified set, they are "
1526 "tried in the FallbackOrder until the list is exhausted or one "
1527 "completes successfully.\n"
1528 "\n"
1529 "In a responder role, it is an error to have more than one "
1530 "ActionOrder set in the rule; however, there may be more than one "
1531 "action each identified by a unique FallbackOrder value. The "
1532 "additional actions provide alternative actions depending on the "
1533 "received proposals. For example, the same rule may be used to "
1534 mike 1.2 "handle aggressive mode and main mode message flows with "
1535 "different actions. The first appropriate action in the list of "
1536 "actions is used by the responder.")]
1537 class CIM_SAActionInRule : CIM_PolicyActionInPolicyRule
1538 {
1539 [Aggregate, Override ("GroupComponent"), Description (
1540 "An SARule that contains one or more SAActions. " ) ]
1541 CIM_SARule REF GroupComponent;
1542
1543 [Override ("PartComponent"), Min(1), Description (
1544 "An SAAction subclass of PolicyAction which is aggregated "
1545 "into this SARule. " ) ]
1546 CIM_SAAction REF PartComponent;
1547 [Override ("ActionOrder"), Description (
1548 "ActionOrder is an unsigned integer that indicates the "
1549 "relative position of this SAAction in the sequence of "
1550 "actions associated with a PolicyRule.\n"
1551 "\n"
1552 "In SAActionInRule, the ActionOrder is used in conjunction "
1553 "with the FallbackOrder to determine the order in which "
1554 "actions are attempted. The ActionOrder value identifies a "
1555 mike 1.2 "set of actions. The combination of the ActionOrder and the "
1556 "FallbackOrder MUST be unique so as to specify a "
1557 "deterministic execution strategy.")]
1558 uint16 ActionOrder;
1559 [Description (
1560 "FallbackOrder is an unsigned integer that indicates the "
1561 "order in which actions in the same ActionOrder-identified "
1562 "set are attempted. The lowest-numbered FallbackOrder within "
1563 "a set is the first attempted, others are used, in order as "
1564 "backups. The combination of the ActionOrder and the "
1565 "FallbackOrder MUST be unique so as to specify a "
1566 "deterministic execution strategy.")]
1567 uint16 FallbackOrder;
1568 };
1569
1570
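// ==================================================================
// IPsecPolicyForSystem
// ==================================================================
// System-wide default policy. Precedence, per the description: an
// endpoint's own IPsecPolicyForEndpoint group is used when present,
// otherwise the System's group from this association. The MOF does not
// say what applies to an endpoint that has neither; an implementation
// must make that case an explicit decision rather than an implicit one.
[Association, Description (
"IPsecPolicyForSystem associates an IPsec policy with a "
"specific system (e.g., a host or a network device). If an "
"IPProtocolEndpoint of a system does not have an "
"IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the "
"IPsecPolicyForSystem-associated IPsecPolicyGroup is used for "
"that endpoint. " ) ]

class CIM_IPsecPolicyForSystem : CIM_Dependency
{
    // The System the default group applies to (no cardinality limit
    // declared on this end).
    [Override ("Antecedent"), Description ("A System to which the "
        "IPsecPolicyGroup applies. " ) ]
    CIM_System REF Antecedent;

    // Min(0), Max(1): a System has at most one default IPsecPolicyGroup.
    [Override ("Dependent"), Min(0), Max(1),
        Description ("The IPsecPolicyGroup that is to be used for "
        "endpoints that do not have an associated IPsecPolicyGroup.") ]
    CIM_IPsecPolicyGroup REF Dependent;
};
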
// ==================================================================
// IPsecPolicyForEndpoint
// ==================================================================
// Interface-specific policy. When present it takes precedence over the
// System-level group from IPsecPolicyForSystem for that endpoint.
[Association, Description (
"IPsecPolicyForEndpoint associates an IPsecPolicyGroup "
"with a specific network interface. If an IPProtocolEndpoint "
"of a system does not have an "
"IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the "
"IPsecPolicyForSystem associated IPsecPolicyGroup is used for "
"that endpoint. " ) ]

class CIM_IPsecPolicyForEndpoint : CIM_Dependency
{
    // The interface the group is bound to.
    [Override ("Antecedent"), Description (
        "The IPProtocolEndpoint that identifies an interface "
        "to which the IPsecPolicyGroup applies.") ]
    CIM_IPProtocolEndpoint REF Antecedent;

    // Min(0), Max(1): an endpoint has at most one IPsecPolicyGroup.
    [Override ("Dependent"), Min (0), Max (1), Description (
        "IPsecPolicyGroup used for the interface.") ]
    CIM_IPsecPolicyGroup REF Dependent;
};

// ==================================================================
// RuleForIPsecNegotiation
// ==================================================================
// Containment of phase 2 (IPsec) rules in an IPsecPolicyGroup.
// NOTE(review): the description refers to "ContainingGroup" while the
// overridden reference below is GroupComponent (from
// PolicyRuleInPolicyGroup); presumably the same end — confirm against
// the parent class.
[Association, Aggregation, Description (
"RuleForIPsecNegotiation associates an IPsecRule with the "
"IPsecPolicyGroup that contains it. This is used to contain "
"the phase 2 rules to control IKE negotiation. \n\n"
"ContainingGroup is restricted to a cardinality of 1. This "
"means that the IPsecRule instances are not sharable across "
"multiple policy groups. " ) ]

class CIM_RuleForIPsecNegotiation : CIM_PolicyRuleInPolicyGroup
{
    // Min(1), Max(1): every IPsecRule belongs to exactly one group, so a
    // rule cannot be shared (and silently changed) across groups.
    [Aggregate, Override ("GroupComponent"), Min(1), Max(1),
        Description ("An IPsecPolicyGroup that aggregates a set of "
        "policy rules. " ) ]
    CIM_IPsecPolicyGroup REF GroupComponent;

    // The contained phase 2 rule.
    [Override ("PartComponent"), Description (
        "A policy rule aggregated into a set of policy rules, "
        "forming an atomic policy group. " ) ]
    CIM_IPsecRule REF PartComponent;
};


// ==================================================================
// RuleForIKENegotiation
// ==================================================================
// Containment of phase 1 (IKE) rules in an IPsecPolicyGroup; the phase 2
// counterpart is RuleForIPsecNegotiation.
// NOTE(review): as in RuleForIPsecNegotiation, "ContainingGroup" in the
// description names the GroupComponent reference — confirm.
[ Association, Aggregation, Description (
"RuleForIKENegotiation associates an IKERule with the "
"IPsecPolicyGroup that contains it. This is used to control "
"phase 1 IKE negotiation. \n\n"
"ContainingGroup is restricted to a cardinality of 1. This "
"means that the IKERule instances are not sharable across "
"multiple policy groups. " ) ]

class CIM_RuleForIKENegotiation : CIM_PolicyRuleInPolicyGroup
{
    // Min(1), Max(1): every IKERule belongs to exactly one group.
    [Aggregate, Override ("GroupComponent"), Min(1), Max(1),
        Description ("An IPsecPolicyGroup that aggregates a set of "
        "policy rules. " ) ]
    CIM_IPsecPolicyGroup REF GroupComponent;

    // The contained phase 1 rule.
    [Override ("PartComponent"), Description (
        "A policy rule aggregated into a set of policy rules, "
        "forming an atomic policy group. " ) ]
    CIM_IKERule REF PartComponent;
};

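// ==================================================================
// ContainedProposal
// ==================================================================
// Ordered list of SAProposals offered by an SANegotiationAction.
// Ordering is by SequenceNumber (lower = preferred by the sender). The
// MOF declares no uniqueness for SequenceNumber, so equal values leave
// the preference between those proposals unspecified.
[Association, Aggregation, Description (
"ContainedProposal holds the ordered list of SA proposals "
"for a SANegotiationAction. " ) ]

class CIM_ContainedProposal: CIM_PolicyComponent
{
    // The action that offers the proposals.
    [Aggregate, Override ("GroupComponent"), Description (
        "SANegotiationAction for this list of proposals. " ) ]
    CIM_SANegotiationAction REF GroupComponent;

    // One proposal in the list.
    [Override ("PartComponent"), Description (
        "SAProposal in this action. " ) ]
    CIM_SAProposal REF PartComponent;

    // Sender preference; lower values are offered first.
    [Description (
        "SequenceNumber indicates the ordering to be used when "
        "choosing from among the proposals; lower values are "
        "preferred by the sender. " ) ]
    uint16 SequenceNumber;
};
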
// ==================================================================
// FilterOfSecurityAssociation
// ==================================================================
// Binds the traffic selector (a FilterList) to the SAs it applies to.
[Association, Description (
"FilterOfSecurityAssociation associates a network traffic "
"specification (i.e., a FilterList) with a set of "
"SecurityAssociations to which the filter list applies. " ) ]

class CIM_FilterOfSecurityAssociation : CIM_Dependency
{
    // Min(1), Max(1): every SA has exactly one selector FilterList.
    [Override ("Antecedent"), Min(1), Max(1), Description (
        "FilterList describing the traffic to be matched against. " ) ]
    CIM_FilterList REF Antecedent;

    // Any number of SAs may share one FilterList.
    [Override ("Dependent"), Description ("SecurityAssociation "
        "using the FilterList for its selector. " ) ]
    CIM_SecurityAssociation REF Dependent;
};

// ==================================================================
// IKEUsesCredentialManagementService
// ==================================================================
// Trust-anchor set for phase 1: the CredentialManagementServices linked
// here are the sources of credentials the IKEService trusts. Membership
// in this association therefore decides which peers can authenticate;
// changes to it are security-policy changes and worth auditing.
[Association, Description (
"IKEUsesCredentialManagementService defines the set of "
"CredentialManagementService(s) that are trusted sources "
"of credentials for IKE phase 1 negotiations. " ) ]

class CIM_IKEUsesCredentialManagementService : CIM_Dependency
{
    // A trusted credential source (no cardinality limit declared).
    [Override ("Antecedent"), Description (
        "CredentialManagementService trusted for the IKE "
        "negotiation.") ]
    CIM_CredentialManagementService REF Antecedent;

    // The IKEService relying on those credentials.
    [Override ("Dependent"),
        Description (
        "IKEService that is using the credentials issued by the "
        "trusted CredentialManagementService. " ) ]
    CIM_IKEService REF Dependent;
};

// ==================================================================
// TransformOfPreconfiguredAction
// ==================================================================
// Transforms (and their SPIs) applied by a preconfigured, i.e. statically
// configured rather than negotiated, IPsec action.
[ Association, Description (
"TransformOfPreconfiguredAction defines the transforms used "
"by a preconfigured IPsec action.") ]

class CIM_TransformOfPreconfiguredAction : CIM_Dependency
{
    // Min(1), Max(3): one to three transforms per action; the description
    // reads this as at most one each of AH, ESP and IPCOMP, which the
    // cardinality alone does not enforce.
    [Override ("Antecedent"), Min(1), Max(3),
        Description (
        "This defines the type of transform that the Preconfigured "
        "SA Action will be applied to. The cardinality enables an "
        "action to be applied to an AH, an ESP, or an IPCOMP "
        "transform. " ) ]
    CIM_SATransform REF Antecedent;

    // The preconfigured action using the transform.
    [Override ("Dependent"),
        Description (
        "This defines the Preconfigured IPsec action to be applied "
        "to the AH, ESP, or IPCOMP transform. " ) ]
    CIM_PreconfiguredSAAction REF Dependent;

    // Statically assigned Security Parameter Index for this
    // (action, transform) pair. The MOF declares no uniqueness for SPI;
    // collisions between preconfigured SAs must be checked by the
    // implementation.
    [Description (
        "The SPI property specifies the security parameter index to "
        "be used by the pre-configured action for the associated "
        "transform." ) ]
    uint32 SPI;
};

// ==================================================================
// SAProposalInSystem
// ==================================================================
// Scoping association: SAProposals are weak to (identified relative to)
// their System. Per the file header this replaced the former scoping to a
// PolicyRepository.
[Association, Description (
"SAProposalInSystem provides the scoping relationship for "
"SAProposals in a System. The SAProposal is weak to the "
"System." ) ]

class CIM_SAProposalInSystem : CIM_PolicyInSystem
{
    // Min(1), Max(1): each proposal is scoped by exactly one System.
    [Override ("Antecedent"), Min (1), Max (1), Description (
        "This property identifies a System scoping one or more "
        "proposals.") ]
    CIM_System REF Antecedent;

    // Weak: the proposal's identity depends on the scoping System.
    [Override ("Dependent"), Weak, Description (
        "An SAProposal that is in the System.")]
    CIM_SAProposal REF Dependent;
};

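// ==================================================================
// SATransformInSystem
// ==================================================================
// Scoping association: SATransforms are weak to their System, mirroring
// SAProposalInSystem.
[Association, Description (
"SATransformInSystem provides the scoping relationship for "
"SATransforms in a System. The SATransform is weak to the "
"System." ) ]

class CIM_SATransformInSystem : CIM_PolicyInSystem
{
    // Min(1), Max(1): each transform is scoped by exactly one System.
    [Override ("Antecedent"), Min (1), Max (1), Description (
        "This property identifies a System scoping one or more "
        "transforms.") ]
    CIM_System REF Antecedent;

    // Weak: the transform's identity depends on the scoping System.
    [Override ("Dependent"), Weak, Description (
        "An SATransform that is in the System.")]
    CIM_SATransform REF Dependent;
};
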
// ==================================================================
// HostedPeerIdentityTable
// ==================================================================
// Scoping association: a PeerIdentityTable is weak to its hosting System.
[Association, Description ("HostedPeerIdentityTable provides the "
"scoping relationship for PeerIdentityTable entries in a "
"System. The PeerIdentityTable is weak to the System." ) ]

class CIM_HostedPeerIdentityTable: CIM_Dependency
{
    // Min(1), Max(1): each table is hosted by exactly one System.
    [Override ("Antecedent"), Min (1), Max (1), Description (
        "This property identifies a System scoping one or more "
        "PeerIdentityTable instances.") ]
    CIM_System REF Antecedent;

    // Weak: the table's identity depends on the hosting System.
    [Override ("Dependent"), Weak, Description (
        "A PeerIdentityTable that is in the System.")]
    CIM_PeerIdentityTable REF Dependent;
};

// ==================================================================
// RuleThatGeneratedSA
// ==================================================================
// Provenance link from an SA back to the rule that produced it; useful
// when auditing why a given SA exists.
[Association, Description (
"RuleThatGeneratedSA associates a SecurityAssociation with "
"the rule used to generate (or negotiate) it.") ]

class CIM_RuleThatGeneratedSA : CIM_Dependency
{
    // Min(0), Max(1): an SA records at most one originating rule, and the
    // schema allows an SA with no recorded rule.
    [Override ("Antecedent"), Min (0), Max (1),
        Description ("SARule that led to the SecurityAssociation.") ]
    CIM_SARule REF Antecedent;

    // The resulting SA.
    [Override ("Dependent"),
        Description ("SecurityAssociation created using the rule.") ]
    CIM_SecurityAssociation REF Dependent;
};

// ==================================================================
// TransformOfSecurityAssociation
// ==================================================================
// Links an IPsec SA to the transform (algorithm set) it uses. The
// association carries only the transform reference; per the description
// no keying material is exposed, so implementations must not extend it
// with key-bearing properties.
[Association, Description (
"TransformOfSecurityAssociation maps an SA with the transform "
"it uses. For security reasons, no keying material of the SA "
"is exposed." ) ]

class CIM_TransformOfSecurityAssociation : CIM_Dependency
{
    // Min(1), Max(1): exactly one SATransform per IPsec SA.
    [Override ("Antecedent"), Min (1), Max (1),
        Description ("Transform of this SA.") ]
    CIM_SATransform REF Antecedent;

    // The SA using the transform.
    [Override ("Dependent"),
        Description ("Security association.") ]
    CIM_IPsecSecurityAssociation REF Dependent;
};

// ==================================================================
// PeerGatewayOfSecurityAssociation
// ==================================================================
// Records the remote security gateway of an established SA.
[Association, Description (
"PeerGatewayOfSecurityAssociation identifies the PeerGateway "
"of an SA that has a security gateway as the peer.") ]

class CIM_PeerGatewayOfSecurityAssociation : CIM_Dependency
{
    // Max(1): an SA has at most one PeerGateway; no Min, so SAs whose
    // peer is not a gateway simply have none.
    [Override ("Antecedent"), Max (1),
        Description ("PeerGateway for the SA.") ]
    CIM_PeerGateway REF Antecedent;

    // The SA terminating at that gateway.
    [Override ("Dependent"),
        Description ("Security association with the PeerGateway.") ]
    CIM_IPsecSecurityAssociation REF Dependent;
};

// ==================================================================
// IKEServicePeerGateway
// ==================================================================
// The set of PeerGateway entries an IKEService knows about for
// gateway-to-gateway negotiation.
[Association, Description (
"IKEServicePeerGateway provides the relationship between an "
"IKEService and the list of PeerGateway instances that it "
"uses in negotiating with security gateways.") ]

class CIM_IKEServicePeerGateway : CIM_Dependency
{
    // A known peer gateway (no cardinality limits declared).
    [Override ("Antecedent"),
        Description ("The PeerGateway") ]
    CIM_PeerGateway REF Antecedent;

    // The IKEService consuming the gateway information.
    [Override ("Dependent"), Description (
        "The IKEService that uses information about the "
        "peer gateway.") ]
    CIM_IKEService REF Dependent;
};

// ==================================================================
// IKEServiceForEndpoint
// ==================================================================
// Which IKEService, if any, negotiates on behalf of an interface.
[Association, Description (
"IKEServiceForEndpoint provides the relationship "
"showing which IKE service, if any, provides IKE "
"negotiation services for which network interfaces.") ]

class CIM_IKEServiceForEndpoint : CIM_Dependency
{
    // Max(1): an endpoint is served by at most one IKEService; no Min,
    // so an endpoint without IKE service is allowed ("if any").
    [Override ("Antecedent"), Max (1),
        Description ("The IKEService that performs IKE negotiation "
        "for the IPProtocolEndpoint.") ]
    CIM_IKEService REF Antecedent;

    // The served interface.
    [Override ("Dependent"),
        Description ("IPProtocolEndpoint for which services are "
        "provided.") ]
    CIM_IPProtocolEndpoint REF Dependent;
};

// ==================================================================
// IKEServicePeerIdentityTable
// ==================================================================
// The address-to-identity mapping table an IKEService consults.
[Association, Description (
"IKEServicePeerIdentityTable provides the relationship "
"between an IKEService and a PeerIdentityTable that it "
"uses to map between addresses and identities where "
"required.") ]

class CIM_IKEServicePeerIdentityTable: CIM_Dependency
{
    // The mapping table (no cardinality limits declared).
    [Override ("Antecedent"),
        Description ("The PeerIdentityTable.") ]
    CIM_PeerIdentityTable REF Antecedent;

    // The IKEService using the table.
    [Override ("Dependent"),
        Description ("The IKEService that uses the table.") ]
    CIM_IKEService REF Dependent;
};

// ==================================================================
// IKESAUsedForPhase2
// ==================================================================
// Links a phase 2 (IPsec) SA to the phase 1 (IKE) SA under whose
// protection it was negotiated.
[Association, Description (
"IKESAUsedForPhase2 associates a phase 1 "
"IKESecurityAssociation with an "
"IPsecSecurityAssociation that was negotiated using "
"that Phase 1 SA.") ]

class CIM_IKESAUsedForPhase2 : CIM_Dependency
{
    // Max(1): a phase 2 SA is tied to at most one phase 1 SA; no Min, so
    // a phase 2 SA with no recorded phase 1 SA is permitted by the schema.
    [Override ("Antecedent"), Max (1), Description (
        "Phase 1 SA that protected the negotiation of "
        "the Phase 2 SA.") ]
    CIM_IKESecurityAssociation REF Antecedent;

    // The resulting phase 2 SA.
    [Override ("Dependent"), Description (
        "Phase 2 SA.") ]
    CIM_IPsecSecurityAssociation REF Dependent;
};

// ==================================================================
// PeerCredential
// ==================================================================
// Records which credential the remote peer presented for an IKE SA.
[Association, Description (
"PeerCredential is an association that identifies the "
"credential of the peer corresponding to an IKE SA.") ]

class CIM_PeerCredential : CIM_Dependency
{
    // Max(1): at most one peer credential per IKE SA.
    [Override ("Antecedent"), Max (1),
        Description ("Credential of the peer.") ]
    CIM_Credential REF Antecedent;

    // The phase 1 SA authenticated with that credential.
    [Override ("Dependent"),
        Description ("Phase 1 SA for this peer.") ]
    CIM_IKESecurityAssociation REF Dependent;
};

// ==================================================================
// IPProtocolEndpointsProtectionSuite
// ==================================================================
// Scoping association: an IPsecProtectionSuite (a set of related SAs) is
// weak to the IPProtocolEndpoint it protects.
[Association, Description (
"IPProtocolEndpointsProtectionSuite provides the "
"relationship between an IPsecProtectionSuite and the scoping "
"IPProtocolEndpoint for which the set of related SAs provide "
"traffic protection. The IPsecProtectionSuite is weak to its "
"IPProtocolEndpoint.") ]

class CIM_IPProtocolEndpointsProtectionSuite: CIM_Dependency
{
    // Min(1), Max(1): each suite is scoped by exactly one endpoint.
    [Override ("Antecedent"), Min (1), Max (1),
        Description (
        "An IPProtocolEndpoint for which protection is provided.") ]
    CIM_IPProtocolEndpoint REF Antecedent;

    // Weak: the suite's identity depends on the scoping endpoint.
    [Override ("Dependent"), Weak, Description (
        "A protection suite.") ]
    CIM_IPsecProtectionSuite REF Dependent;
};

// ==================================================================
// SecurityAssociationBindsTo
// ==================================================================
// Where an active SA is bound: the interface it is installed on.
[Association, Description (
"SecurityAssociationBindsTo associates an IPProtocolEndpoint "
"with an active SecurityAssociation on that endpoint.") ]

class CIM_SecurityAssociationBindsTo : CIM_BindsTo
{
    // Min(1), Max(1): an active SA is bound to exactly one endpoint.
    [Override ("Antecedent"), Min (1), Max (1),
        Description (
        "IPProtocolEndpoint representing the network "
        "interface on which an SA is active." ) ]
    CIM_IPProtocolEndpoint REF Antecedent;

    // The SA active on that interface.
    [Override ("Dependent"), Description (
        "Security association on the endpoint." ) ]
    CIM_SecurityAssociation REF Dependent;
};

// ==================================================================
// ProvidesSA
// ==================================================================
// The IKEService that negotiated and now manages an SA.
[Association, Description (
"ProvidesSA represents the relationship between an "
"IKEService that provides the negotiation functions "
"and manages the associated security association." ) ]

class CIM_ProvidesSA: CIM_ProvidesEndpoint
{
    // Max(1): an SA is provided by at most one IKEService; no Min, so an
    // SA not managed by any IKEService is allowed by the schema.
    [Override ("Antecedent"), Max (1), Description (
        "The IKEService that provides the SA.")]
    CIM_IKEService REF Antecedent;

    // The managed SA.
    [Override ("Dependent"), Description (
        "Security association provided by the service.") ]
    CIM_SecurityAssociation REF Dependent;
};

// ==================================================================
// IKEIdentitysCredential
// ==================================================================
// Credentials held by local IKE identities (specialises UsersCredential).
[Association, Description (
"IKEIdentitysCredential is an association that "
"relates a set of credentials to their "
"corresponding local IKE Identities." ) ]

class CIM_IKEIdentitysCredential : CIM_UsersCredential
{
    // A credential of the identity (no cardinality limits declared).
    [Override ("Antecedent"), Description (
        "Credential of the Identity.") ]
    CIM_Credential REF Antecedent;

    // The local IKE identity owning it.
    [Override ("Dependent"), Description (
        "Identity associated with the credential.") ]
    CIM_IKEIdentity REF Dependent;
};

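// ==================================================================
// EndpointHasLocalIKEIdentity
// ==================================================================
// Local IKE identities available for negotiations on an interface
// (specialises ElementAsUser). The collection-level counterpart is
// CollectionHasLocalIKEIdentity.
[Association, Description (
"EndpointHasLocalIKEIdentity associates an "
"IPProtocolEndpoint with a set of IKE "
"Identities that may be used in negotiating "
"SAs on the endpoint. " ) ]

class CIM_EndpointHasLocalIKEIdentity : CIM_ElementAsUser
{
    // Max(1): an IKEIdentity is bound to at most one endpoint.
    [Override ("Antecedent"), Max (1), Description (
        "IPProtocolEndpoint that has an IKE identity.") ]
    CIM_IPProtocolEndpoint REF Antecedent;

    // One of the endpoint's local identities.
    [Override ("Dependent"), Description (
        "An IKE Identity for the endpoint.") ]
    CIM_IKEIdentity REF Dependent;
};
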
// ==================================================================
// CollectionHasLocalIKEIdentity
// ==================================================================
// Local IKE identities shared by a Collection of endpoints; the
// per-interface form is EndpointHasLocalIKEIdentity.
[Association, Description (
"CollectionHasLocalIKEIdentity associates a Collection "
"of IPProtocolEndpoints with a set of IKE Identities "
"that may be used in negotiating SAs for "
"these endpoints.") ]

class CIM_CollectionHasLocalIKEIdentity : CIM_ElementAsUser
{
    // Max(1): an IKEIdentity is bound to at most one Collection.
    [Override ("Antecedent"), Max (1), Description (
        "Collection that has an Identity.") ]
    CIM_Collection REF Antecedent;

    // One of the Collection's local identities.
    [Override ("Dependent"), Description (
        "IKE Identity used for the Collection.") ]
    CIM_IKEIdentity REF Dependent;
};

// ==================================================================
// ContainedTransform
// ==================================================================
// Transforms making up an IPsecProposal. Semantics per the description:
// transforms of the same type are alternatives (OR), sets of different
// types are all required (AND).
[Association, Aggregation, Description (
"ContainedTransform associates a proposal with its set "
"of transforms. If multiple transforms of a given type are "
"in a given proposal, these transforms are interpreted as "
"alternatives -- logically ORed with each other. Sets of "
"transforms of different types are logically ANDed. For "
"example, a proposal aggregating two AH transforms and three "
"ESP transforms means one of the AH transforms must be chosen "
"AND one of the ESP transforms must be chosen.") ]

class CIM_ContainedTransform : CIM_PolicyComponent
{
    // The proposal owning the transforms.
    [Aggregate, Override ("GroupComponent"), Description (
        "Proposal containing transforms.") ]
    CIM_IPsecProposal REF GroupComponent;

    // Min(1): a proposal must contain at least one transform.
    [Override ("PartComponent"), Min (1), Description (
        "Transforms in the proposal.") ]
    CIM_SATransform REF PartComponent;

    // Sender preference among alternatives; lower is preferred. No
    // uniqueness is declared, so ties are unordered.
    [Description (
        "SequenceNumber indicates the ordering to be used when "
        "choosing from among the transforms; lower values are "
        "preferred by the sender.")]
    uint16 SequenceNumber;
};

// ==================================================================
// ContainedSA
// ==================================================================
// Membership of IPsec SAs in a protection suite. SAs come in
// sending/receiving pairs, hence the even bounds below.
[Association, Aggregation, Description (
"ContainedSA associates a protection suite with its member "
"IPsec security associations. Security associations are "
"contained in sending/receiving pairs and there may be any or "
"all of an AH pair, ESP pair or an IPCOMP pair of SAs.") ]

class CIM_ContainedSA : CIM_MemberOfCollection
{
    // Min(1), Max(1): each SA belongs to exactly one protection suite.
    [Aggregate, Override ("Collection"), Min (1), Max (1),
        Description (
        "Protection suite.") ]
    CIM_IPsecProtectionSuite REF Collection;

    // Min(2), Max(6): one to three pairs (AH, ESP, IPCOMP) per suite.
    // The bounds do not by themselves require members to form pairs.
    [Override ("Member"), Min (2), Max (6), Description (
        "Contained SAs.") ]
    CIM_IPsecSecurityAssociation REF Member;
};

// ==================================================================
// PeerIdentityMember
// ==================================================================
// Entries of a PeerIdentityTable; entries are weak to their table.
[Association, Aggregation, Description (
"PeerIdentityMember aggregates PeerIdentityEntry "
"instances into a PeerIdentityTable. This is a "
"weak aggregation.") ]

class CIM_PeerIdentityMember : CIM_MemberOfCollection
{
    // Min(1), Max(1): each entry belongs to exactly one table.
    [Aggregate, Override ("Collection"), Min (1), Max (1),
        Description (
        "Aggregating PeerIdentityTable.") ]
    CIM_PeerIdentityTable REF Collection;

    // Weak: an entry's identity depends on its table.
    [Override ("Member"), Weak, Description (
        "Table entry") ]
    CIM_PeerIdentityEntry REF Member;
};

// ==================================================================
// PeerGatewayForTunnel
// ==================================================================
// Candidate PeerGateways for a negotiated tunnel action, ordered by
// SequenceNumber. Unlike PeerGatewayForPreconfiguredTunnel no Max is
// declared on the gateway end, so several candidates may be listed.
[Association, Description (
"PeerGatewayForTunnel identifies the PeerGateway to be used "
"in constructing a tunnel. " ) ]

class CIM_PeerGatewayForTunnel : CIM_Dependency
{
    // A candidate gateway.
    [Override ("Antecedent"), Description (
        "PeerGateway for the SA. " ) ]
    CIM_PeerGateway REF Antecedent;

    // The tunnel action selecting among the gateways.
    [Override ("Dependent"), Description (
        "IPsecTunnelAction that requires a PeerGateway. " ) ]
    CIM_IPsecTunnelAction REF Dependent;

    // Evaluation order; lower first. No uniqueness is declared.
    [Description ("SequenceNumber indicates the ordering to be "
        "used when selecting a PeerGateway instance for an "
        "IPsecTunnelAction. Lower values are "
        "evaluated first. " ) ]
    uint16 SequenceNumber;
};

// ==================================================================
// PeerGatewayForPreconfiguredTunnel
// ==================================================================
// The single PeerGateway of a statically configured tunnel; there is no
// SequenceNumber because no selection among candidates takes place.
[Association, Description (
"PeerGatewayForPreconfiguredTunnel identifies the PeerGateway "
"to be used in constructing a preconfigured tunnel. " ) ]

class CIM_PeerGatewayForPreconfiguredTunnel : CIM_Dependency
{
    // Max(1): at most one gateway per preconfigured tunnel action.
    [Override ("Antecedent"), Max (1), Description (
        "PeerGateway for the preconfigured SA. " ) ]
    CIM_PeerGateway REF Antecedent;

    // The preconfigured tunnel action.
    [Override ("Dependent"), Description (
        "PreconfiguredTunnelAction that requires a PeerGateway. " ) ]
    CIM_PreconfiguredTunnelAction REF Dependent;
};

// ==================================================================
// HostedPeerGatewayInformation
// ==================================================================
// Scoping association: PeerGateway entries are weak to the System that
// hosts them.
[Association, Description (
"HostedPeerGatewayInformation provides the scoping "
"association for PeerGateway information used by IKE "
"services to identify PeerGateways used in a policy." ) ]

class CIM_HostedPeerGatewayInformation : CIM_Dependency
{
    // Min(1), Max(1): each PeerGateway entry is hosted by exactly one System.
    [Override ("Antecedent"), Min (1), Max (1),
        Description (
        "Scoping System.") ]
    CIM_System REF Antecedent;

    // Weak: the entry's identity depends on the hosting System.
    [Override ("Dependent"), Weak, Description (
        "PeerGateway.") ]
    CIM_PeerGateway REF Dependent;
};
//

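// ==================================================================
// IKEAutostartConfiguration
// ==================================================================
// Links an IKEService to a configuration set it can apply at boot. The
// Active flag marks which set is in force; the MOF declares nothing that
// limits a service to one active set, so that invariant must be kept by
// the implementation.
[Association, Description ("IKEAutostartConfiguration "
"provides the relationship between an IKEService and a "
"configuration set that it uses to automatically start a set "
"of SAs.")]
class CIM_IKEAutostartConfiguration: CIM_Dependency
{
    // The configuration set.
    [Override ("Antecedent"),
        Description ("The configuration used.") ]
    CIM_AutostartIKEConfiguration REF Antecedent;

    // The IKEService applying it.
    [Override ("Dependent"),
        Description ("The IKEService that uses the configuration.") ]
    CIM_IKEService REF Dependent;

    // True for the set applied at boot (autostarted negotiations and
    // statically created SAs).
    [Description ("Active indicates whether the configuration set "
        "is currently active for the associated IKEService. That is, "
        "at boot time, the active configuration is used to autostart "
        "IKE negotiations and create static SAs as appropriate.")]
    boolean Active;
};
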
// ==================================================================
// IKEAutostartSetting
// ==================================================================
// Direct link from an IKEService to an individual autostart setting
// (specialises ElementSetting); grouping of settings into configuration
// sets is done by AutostartIKESettingContext.
[Association, Description ("IKEAutostartSetting associates an "
"IKEService and an AutostartIKESetting that it uses to "
"automatically start negotiating one or more SAs.") ]
class CIM_IKEAutostartSetting : CIM_ElementSetting
{
    // The service that acts on the setting.
    [Override ("Element"),
        Description ("IKEService that uses the setting.") ]
    CIM_IKEService REF Element;

    // What to negotiate.
    [Override ("Setting"), Description ("Setting that tells the "
        "IKEService what to negotiate.") ]
    CIM_AutostartIKESetting REF Setting;
};

// ==================================================================
// AutostartIKESettingContext
// ==================================================================
// Groups AutostartIKESettings into an AutostartIKEConfiguration and gives
// them a start order.
[Association, Aggregation, Description (
"AutostartIKESettingContext aggregates the settings used to "
"autostart SA negotiations into a configuration set.") ]
class CIM_AutostartIKESettingContext : CIM_SystemSettingContext
{
    // The configuration set.
    [Aggregate, Override ("Context"),
        Description ("A configuration set.") ]
    CIM_AutostartIKEConfiguration REF Context;

    // A member setting.
    [Override ("Setting"), Description ("A setting that is part "
        "of the configuration set.") ]
    CIM_AutostartIKESetting REF Setting;

    // Start order: 0 = order irrelevant, may run in parallel; otherwise
    // ascending. Values need not be unique; equal values are unordered
    // relative to each other.
    [Description ("SequenceNumber indicates the ordering to be "
        "used when starting negotiations or creating a static SA. "
        "A zero value indicates that order is not significant and "
        "settings may be applied in parallel with other settings. "
        "All other settings in the configuration are executed in "
        "sequence from lower values to high. Sequence numbers need "
        "not be unique in an AutostartIKEConfiguration and order is "
        "not significant for settings with the same sequence number.")]
    uint16 SequenceNumber;
};


// ===================================================================
// end of file
// ===================================================================