1 tony 1.1 // ===================================================================
2 // Title: IPsec Policy 2.8
3 // Filename: IPsecPolicy.mof
4 // Version: 2.8
5 // Status: Final
6 // Date: Jan 26, 2004
7 // ===================================================================
8 // Copyright 1998-2004 Distributed Management Task Force, Inc. (DMTF).
9 // All rights reserved.
10 // DMTF is a not-for-profit association of industry members dedicated
11 // to promoting enterprise and systems management and interoperability.
12 // DMTF specifications and documents may be reproduced for uses
13 // consistent with this purpose by members and non-members,
14 // provided that correct attribution is given.
15 // As DMTF specifications may be revised from time to time,
16 // the particular version and release date should always be noted.
17 //
18 // Implementation of certain elements of this standard or proposed
19 // standard may be subject to third party patent rights, including
20 // provisional patent rights (herein "patent rights"). DMTF makes
21 // no representations to users of the standard as to the existence
22 tony 1.1 // of such rights, and is not responsible to recognize, disclose, or
23 // identify any or all such third party patent right, owners or
24 // claimants, nor for any incomplete or inaccurate identification or
25 // disclosure of such rights, owners or claimants. DMTF shall have no
26 // liability to any party, in any manner or circumstance, under any
27 // legal theory whatsoever, for failure to recognize, disclose, or
28 // identify any such third party patent rights, or for such party's
29 // reliance on the standard or incorporation thereof in its product,
30 // protocols or testing procedures. DMTF shall have no liability to
31 // any party implementing such standard, whether such implementation
32 // is foreseeable or not, nor to any patent owner or claimant, and shall
33 // have no liability or responsibility for costs or losses incurred if
34 // a standard is withdrawn or modified after publication, and shall be
35 // indemnified and held harmless by any party implementing the
36 // standard from any and all claims of infringement by a patent owner
37 // for such implementations.
38 //
39 // For information about patents held by third-parties which have
40 // notified the DMTF that, in their opinion, such patent may relate to
41 // or impact implementations of DMTF standards, visit
42 // http://www.dmtf.org/about/policies/disclosures.php.
43 tony 1.1 // ===================================================================
44 // Description: This file defines the classes to negotiate
45 // an IPsec security association.
46 //
47 // The object classes below are listed in an order that
48 // avoids forward references. Required objects, defined
49 // by other working groups, are omitted.
50 // ==================================================================
51 // This model was originally introduced in CIM V2.6 Preliminary and
52 // was not promoted to Final status. The following CR updates the
53 // V2.6 MOF and better aligns it with the IETF I-D from the IPSP
54 // Working Group.
55 //
56 // Change Log for v2.8 Preliminary
57 // CR1026 - Modifications to the V2.6 MOF for IPsec management
58 // CR1105 - Generalize the SACondition class to be FilterCondition
59 // & move the classes to the Policy model.
60 // Generalize SAConditionInRule to be PacketConditionInSARule.
61 // Change Log for v2.8 Final
62 //
63 // ===================================================================
65 #pragma Locale ("en_US")
66
67 // ==================================================================
68 // Compile prerequisite: Core, Policy and Network MOFs
69 // ==================================================================
70
71
72 // ==================================================================
73 // IPsec Negotiation Policy Rules
74 // ==================================================================
75
// ==================================================================
// SARule
// ==================================================================
// Common superclass for the IKE (phase 1) and IPsec (phase 2) rule
// classes. It extends CIM_PolicyRule with a single property,
// LimitNegotiation. The Description requires every PolicyGroup that
// contains SARules to give each rule a unique
// PolicySetComponent.Priority.
[
    Version ( "2.8.0" ),
    Description (
        "SARule is a base class for defining IKE and IPsec Rules. "
        "Although concrete (because it subclasses from a concrete "
        "class), it is not intended to be instantiated. It defines a "
        "common connection point for associating conditions and actions "
        "for both types of rules. Note that each valid PolicyGroup "
        "containing SARules MUST use a unique priority number for the "
        "Rule in the aggregation, PolicySetComponent.Priority." ),
    MappingStrings { "IPSP Policy Model.IETF|SARule" }
]
class CIM_SARule : CIM_PolicyRule {

    // Negotiation role gate: 1 = Initiator-Only, 2 = Responder-Only,
    // 3 = Either.
    // Review note: per the Description the check is made only before a
    // NEW phase 1 / phase 2 negotiation. Renegotiation and refresh with a
    // peer that already holds an SA are not affected, so tightening this
    // value does not by itself constrain established SAs.
    [
        Description (
            "LimitNegotiation is used as part of processing either a key "
            "exchange or IPsec Rule. Before proceeding with either a "
            "phase 1 or a phase 2 negotiation, this property is checked "
            "to determine if the negotiation role of the Rule matches "
            "that defined for the negotiation being undertaken (e.g., "
            "Initiator, Responder, or Both). If this check fails, then "
            "the negotiation is stopped. Note that this only applies to "
            "new negotiations and has no effect on either renegotiation "
            "or refresh operations with peers for which an established "
            "Security Association already exists." ),
        ValueMap { "1", "2", "3" },
        Values { "Initiator-Only", "Responder-Only", "Either" },
        MappingStrings { "IPSP Policy "
            "Model.IETF|SARule.LimitNegotiation" }
    ]
    uint16 LimitNegotiation;
};
107
108
// ==================================================================
// RuleThatGeneratedSA
// ==================================================================
// Dependency association recording which SARule produced a given
// SecurityAssociationEndpoint. Useful when auditing a live SA back to
// the policy that authorised it.
[
    Association,
    Version ( "2.8.0" ),
    Description (
        "RuleThatGeneratedSA associates a SecurityAssociationEndpoint "
        "with the SARule used to generate (or negotiate) it." )
]
class CIM_RuleThatGeneratedSA : CIM_Dependency {

    // Min(0)/Max(1): an SA endpoint is linked to at most one rule and
    // may have none recorded.
    [
        Override ( "Antecedent" ),
        Min ( 0 ),
        Max ( 1 ),
        Description (
            "SARule that led to the Security Association." )
    ]
    CIM_SARule REF Antecedent;

    // The SA endpoint side; no cardinality qualifiers are set here.
    [
        Override ( "Dependent" ),
        Description (
            "SecurityAssociationEndpoint created using the rule." )
    ]
    CIM_SecurityAssociationEndpoint REF Dependent;
};
125
126
// ==================================================================
// IKERule
// ==================================================================
// SARule specialisation for IKE phase 1 negotiations (or static actions
// such as Discard). Adds the IdentityContexts string array that selects
// which of an endpoint's identities the rule applies to.
[
    Version ( "2.8.0" ),
    Description (
        "IKERule contains the Conditions and Actions for IKE phase 1 "
        "negotiations or to specify static actions such as Discard." ),
    MappingStrings { "IPSP Policy Model.IETF|IKERule" }
]
class CIM_IKERule : CIM_SARule {

    // Matching semantics stated in the Description: array elements are
    // ORed; inside one element, names joined with "&&" are ANDed and must
    // appear in alphabetical (UCS-2 collation) order.
    // NOTE(review): the Description calls the property "IdentityContext"
    // while the declared name is IdentityContexts, and the
    // ModelCorrespondence value "CIM_IdentityContext" names no
    // class.property pair - presumably
    // CIM_IPNetworkIdentity.IdentityContext was meant; confirm against
    // the Network MOF.
    // NOTE(review): a composed value written out of alphabetical order
    // would presumably fail to match; verify how the consuming
    // implementation compares these strings.
    [
        Description (
            "An IP endpoint may have multiple identities for use in "
            "different situations. The IdentityContext property "
            "specifies the specific context/identities which pertain to "
            "this Rule. The property's function is similar to that of "
            "PolicyRoles. A context may be a VPN name or other "
            "identifier that selects the appropriate identity. \n"
            "\n"
            "IdentityContext is an array of strings. The multiple values "
            "in the array are logically ORed together in matching an "
            "IPNetworkIdentity's IdentityContext. Each value in the "
            "array may be a composition of multiple context names. When "
            "an array value is a composition, the individual values are "
            "logically ANDed together for evaluation purposes. The "
            "syntax is: \n"
            "<ContextName>[&&<ContextName>]* \n"
            "where the individual context names appear in alphabetical "
            "order (according to the collating sequence for UCS-2). So, "
            "for example, the values 'CompanyXVPN', "
            "'CompanyYVPN&&TopSecret', 'CompanyZVPN&&Confidential' are "
            "possible contexts for a Rule. They are matched against an "
            "IPNetworkIdentity's IdentityContext. Any of the values may "
            "indicate a match and select an Identity, since the values "
            "in the array are logically ORed." ),
        MappingStrings { "IPSP Policy "
            "Model.IETF|IKERule.IdentityContexts" },
        ModelCorrespondence { "CIM_IdentityContext" }
    ]
    string IdentityContexts[];
};
165
166
// ==================================================================
// IPsecRule
// ==================================================================
// SARule specialisation for phase 2 negotiations (or static actions such
// as Discard). It declares no properties of its own; everything is
// inherited from CIM_SARule.
[
    Version ( "2.8.0" ),
    Description (
        "IPsecRule contains the Conditions and Actions for phase 2 "
        "negotiations or to specify static actions such as Discard." ),
    MappingStrings { "IPSP Policy Model.IETF|IPsecRule" }
]
class CIM_IPsecRule : CIM_SARule {
};
176
177
// ==================================================================
// IPsecPolicyForSystem
// ==================================================================
// Binds a PolicyGroup to a System as that system's default IPsec policy.
// Review note: per the Description this default is used for an
// IPProtocolEndpoint only when no IPsecPolicyForEndpoint association
// exists for it, so the effective policy of an endpoint cannot be read
// from this association alone - both must be checked.
[
    Association,
    Version ( "2.8.0" ),
    Description (
        "IPsecPolicyForSystem associates a PolicyGroup with a specific "
        "system (e.g., a host or a network device) - indicating that "
        "this is the 'default' IPsec policy for that system. The "
        "referenced PolicyGroup would be used for any "
        "IPProtocolEndpoint's IPsec negotiations, UNLESS the "
        "IPsecPolicyForEndpoint association is defined. "
        "IPsecPolicyForEndpoint indicates a more specific PolicyGroup "
        "for IPsec negotiations for the endpoint." ),
    MappingStrings { "IPSP Policy Model.IETF|IPsecPolicyForSystem" }
]
class CIM_IPsecPolicyForSystem : CIM_Dependency {

    // The system the default policy applies to.
    [
        Override ( "Antecedent" ),
        Description (
            "A System to which the PolicyGroup applies." ),
        MappingStrings { "IPSP Policy "
            "Model.IETF|IPsecPolicyForSystem.Antecedent" }
    ]
    CIM_System REF Antecedent;

    // Min(0)/Max(1): a system has zero or one default PolicyGroup.
    [
        Override ( "Dependent" ),
        Min ( 0 ),
        Max ( 1 ),
        Description (
            "The PolicyGroup that defines the 'default' IPsec "
            "negotiation policy for the System." ),
        MappingStrings { "IPSP Policy "
            "Model.IETF|IPsecPolicyForSystem.Dependent" }
    ]
    CIM_PolicyGroup REF Dependent;
};
206
207
// ==================================================================
// IPsecPolicyForEndpoint
// ==================================================================
// Binds a PolicyGroup to one IPProtocolEndpoint. The Description gives
// this association priority over any PolicyGroup attached to the hosting
// system through IPsecPolicyForSystem, i.e. the per-endpoint policy
// replaces the system default for that endpoint.
[
    Association,
    Version ( "2.8.0" ),
    Description (
        "IPsecPolicyForEndpoint associates a PolicyGroup with a "
        "specific IP endpoint. This association's policies take "
        "priority over any PolicyGroup defined generically for the "
        "hosting system. The latter is defined using the "
        "IPsecPolicyForSystem association." ),
    MappingStrings { "IPSP Policy Model.IETF|IPsecPolicyForEndpoint" }
]
class CIM_IPsecPolicyForEndpoint : CIM_Dependency {

    // The endpoint (interface) the policy is attached to.
    [
        Override ( "Antecedent" ),
        Description (
            "The IPProtocolEndpoint that identifies an interface to "
            "which the PolicyGroup applies." ),
        MappingStrings { "IPSP Policy "
            "Model.IETF|IPsecPolicyForEndpoint.Antecedent" }
    ]
    CIM_IPProtocolEndpoint REF Antecedent;

    // Min(0)/Max(1): an endpoint has zero or one specific PolicyGroup.
    [
        Override ( "Dependent" ),
        Min ( 0 ),
        Max ( 1 ),
        Description (
            "The PolicyGroup that defines the IPsec negotiation policy "
            "for the Endpoint." ),
        MappingStrings { "IPSP Policy "
            "Model.IETF|IPsecPolicyForEndpoint.Dependent" }
    ]
    CIM_PolicyGroup REF Dependent;
};
234
235
236 // ==================================================================
237 // IPsec Negotiation Policy Conditions
238 // ==================================================================
239
// ==================================================================
// PacketConditionInSARule
// ==================================================================
// Aggregation that attaches PacketFilterCondition instances to an SARule;
// a specialisation of PolicyConditionInPolicyRule. The MappingStrings
// still point at the IETF name SAConditionInRule, which matches the
// generalisation recorded in this file's change log (CR1105).
[
    Association,
    Aggregation,
    Version ( "2.8.0" ),
    Description (
        "PacketConditionInSARule aggregates an SARule with at least one "
        "instance of PacketFilterCondition. This is a specialization of "
        "the PolicyConditionInPolicyRule association." ),
    MappingStrings { "IPSP Policy Model.IETF|SAConditionInRule" }
]
class CIM_PacketConditionInSARule : CIM_PolicyConditionInPolicyRule {

    // The aggregating rule.
    [
        Aggregate,
        Override ( "GroupComponent" ),
        Description (
            "An SARule subclass of PolicyRule." ),
        MappingStrings { "IPSP Policy "
            "Model.IETF|SAConditionInRule.GroupComponent" }
    ]
    CIM_SARule REF GroupComponent;

    // Min(1): every SARule needs at least one packet filter condition,
    // so a rule cannot be left without a traffic selector.
    // NOTE(review): the Description still says "SACondition" although the
    // reference type is CIM_PacketFilterCondition - looks like wording
    // left over from before the CR1105 rename.
    [
        Override ( "PartComponent" ),
        Min ( 1 ),
        Description (
            "An SACondition that is required for the SARule." ),
        MappingStrings { "IPSP Policy "
            "Model.IETF|SAConditionInRule.PartComponent" }
    ]
    CIM_PacketFilterCondition REF PartComponent;
};
262
263
264 // ==================================================================
265 // IPsec Negotiation Policy Actions - Static and Negotiated
266 // ==================================================================
267
// ==================================================================
// SAAction
// ==================================================================
// Abstract root of the key-exchange and IPsec action classes used by
// SARules. Its only property is the DoPacketLogging flag.
[
    Abstract,
    Version ( "2.8.0" ),
    Description (
        "SAAction is the base class for the various types of key "
        "exchange or IPsec actions. It is abstract and used to "
        "categorize the different types of actions of SARules." ),
    MappingStrings { "IPSP Policy Model.IETF|SAAction" }
]
class CIM_SAAction : CIM_PolicyAction {

    // When TRUE a log message is generated each time the action is
    // applied to a packet. No default value is declared, so an instance
    // that leaves the property unset carries no explicit logging choice.
    [
        Description (
            "DoPacketLogging causes a log message to be generated when "
            "the action is applied to a packet." ),
        MappingStrings { "IPSP Policy "
            "Model.IETF|SAAction.DoPacketLogging" },
        ModelCorrespondence {
            "CIM_SecurityAssociationEndpoint.PacketLoggingActive" }
    ]
    boolean DoPacketLogging;
};
287
288
// ==================================================================
// SAStaticAction
// ==================================================================
// Concrete base for key-exchange and IPsec actions that need no
// negotiation. It can be combined with other PolicyAction subclasses
// (the Description names NetworkPacketAction) inside a PolicyRule.
[
    Version ( "2.8.0" ),
    Description (
        "SAStaticAction is the base class for both key exchange as well "
        "as IPsec actions that require no negotiation. It is a concrete "
        "class that can be aggregated with other subclasses of "
        "PolicyAction (such as NetworkPacketAction) into a PolicyRule, "
        "to describe how packets are handled throughout the lifetime of "
        "the Security Association." ),
    MappingStrings { "IPSP Policy Model.IETF|SAStaticAction" }
]
class CIM_SAStaticAction : CIM_SAAction {

    // SA lifetime in seconds; 0 means the SA never expires by time.
    // For a PreconfiguredSAAction the effective lifetime is the smaller
    // of this value and the associated SATransform's MaxLifetimeSeconds.
    // Review note: with 0 here, time-based expiry depends entirely on
    // whatever the SATransform caps it at; policies that set 0 deserve
    // an explicit check that some other bound applies.
    [
        Description (
            "LifetimeSeconds specifies how long the SA created from this "
            "action should be used/exist. A value of 0 means an infinite "
            "lifetime. A non-zero value is typically used in conjunction "
            "with alternate SAActions performed when there is a "
            "negotiation failure of some sort. \n"
            "\n"
            "Note: If the referenced SAStaticAction object IS-A "
            "PreconfiguredSAAction (that is associated to several "
            "SATransforms), then the actual lifetime of the Security "
            "Association will be the lesser of the value of this "
            "LifetimeSeconds property and of the value of the "
            "MaxLifetimeSeconds property of the associated SATransform." ),
        Units ( "Seconds" ),
        MappingStrings { "IPSP Policy "
            "Model.IETF|SAStaticAction.LifetimeSeconds" },
        ModelCorrespondence {
            "CIM_SecurityAssociationEndpoint.LifetimeSeconds" }
    ]
    uint64 LifetimeSeconds;
};
322
323
// ==================================================================
// PreconfiguredSAAction
// ==================================================================
// Base for actions that create SAs from fixed, preconfigured algorithms
// and keys with no negotiation. Concrete only because its superclass is;
// the Description says to instantiate a subclass instead.
//
// Where the pieces live, per the Description:
//   - SPI: on the TransformOfPreconfiguredAction association.
//   - Session key: SharedSecret.Secret, with SharedSecret's protocol
//     property set to "ESP-encrypt", "ESP-auth" or "AH".
//   - SharedSecret.RemoteID: <peer IPv4 dotted decimal>/<IN|OUT>/<SPI hex>.
//
// Review note: SharedSecret's algorithm property may be "PLAINTEXT" when
// the IPsec entity has no secret storage. In that case the session key
// is readable by anything that can read the SharedSecret instance, so
// access to the store holding these instances needs to be restricted
// and audited accordingly.
[
    Version ( "2.8.0" ),
    Description (
        "Subclasses of PreconfiguredSAAction are used to create SAs "
        "using preconfigured, hard-wired algorithms and keys. No "
        "negotiation is necessary. Note that this class is defined as "
        "concrete, since its superclass is also concrete. However, it "
        "should not be directly instantiated, but one of its subclasses "
        "used instead. \n"
        "\n"
        "Also note that: \n"
        "- The SPI for a preconfigured SA action is contained in the "
        "association, TransformOfPreconfiguredAction. \n"
        "- The session key (if applicable) is contained in an instance "
        "of SharedSecret. For an instance of the SharedSecret class: "
        "The session key is stored in the Secret property; the property "
        "protocol contains one of the values, \"ESP-encrypt\", "
        "\"ESP-auth\" or \"AH\"; and, the class' property algorithm "
        "contains the algorithm used to protect the secret. (The latter "
        "can be \"PLAINTEXT\" if the IPsec entity has no secret "
        "storage.) The value of the class' RemoteID property is the "
        "concatenation of the remote IPsec peer IP address in dotted "
        "decimal, of the character \"/\", of \"IN\" (or respectively "
        "\"OUT\") for inbound/outbound SAs, of the character \"/\" and "
        "of the hexadecimal representation of the SPI." ),
    MappingStrings { "IPSP Policy Model.IETF|PreconfiguredSAAction" }
]
class CIM_PreconfiguredSAAction : CIM_SAStaticAction {

    // Traffic-volume lifetime in kilobytes; 0 means no volume limit.
    // Effective value is the smaller of this and the associated
    // SATransform's MaxLifetimeKilobytes.
    // NOTE(review): the Description calls zero "the default", but the
    // declaration below carries no initializer - confirm whether an
    // unset (NULL) value is meant to be treated as 0.
    [
        Description (
            "LifetimeKilobytes defines a traffic limit in kilobytes that "
            "can be consumed before the SA is deleted. A value of zero "
            "(the default) indicates that there is no lifetime "
            "associated with this action (i.e., infinite lifetime). A "
            "non-zero value is used to indicate that after this number "
            "of kilobytes has been consumed the SA must be deleted. \n"
            "\n"
            "Note that the actual lifetime of the preconfigured SA will "
            "be the lesser of the value of this LifetimeKilobytes "
            "property and the value of the MaxLifetimeKilobytes property "
            "of the associated SATransform. Also note that some SA "
            "negotiation protocols (such as IKE) can negotiate the "
            "lifetime as an arbitrary length field, it is assumed that a "
            "64-bit integer will be sufficient." ),
        Units ( "KiloBytes" ),
        MappingStrings { "IPSP Policy Model.IETF|PreconfiguredSAAction."
            "LifetimeKilobytes" },
        ModelCorrespondence {
            "CIM_SecurityAssociationEndpoint.LifetimeKilobytes" }
    ]
    uint64 LifetimeKilobytes;
};
375
376
// ==================================================================
// TransformOfPreconfiguredAction
// ==================================================================
// Links SATransforms to the PreconfiguredSAAction that uses them and
// carries the per-link SPI and traffic direction. Ordering of the
// transforms is not modelled here; the Description defers to RFC2401.
[
    Association,
    Version ( "2.8.0" ),
    Description (
        "TransformOfPreconfiguredAction defines the transforms used by "
        "a preconfigured IPsec action. Two, four or six SATransforms "
        "can be associated to a PreconfiguredSAAction (applied to the "
        "inbound and outbound traffic, as indicated by the Direction "
        "property of this association). The order of application of the "
        "SATransforms is implicitly defined in RFC2401." ),
    MappingStrings { "IPSP Policy "
        "Model.IETF|TransformOfPreconfiguredAction" }
]
class CIM_TransformOfPreconfiguredAction : CIM_Dependency {

    // Min(2)/Max(6) transforms per action.
    // Review note: the class Description allows only two, four or six,
    // but the cardinality qualifiers also admit three or five. The
    // even-count (inbound/outbound pairing) rule therefore has to be
    // enforced by whatever validates instances, not by the schema.
    [
        Override ( "Antecedent" ),
        Min ( 2 ),
        Max ( 6 ),
        Description (
            "This defines the type of transform used by the referenced "
            "PreconfiguredSAAction. A minimum of 2 and maximum of 6 "
            "transforms can be defined, for the inbound/outbound "
            "directions, representing AH, ESP, and/or an IPCOMP "
            "transforms." ),
        MappingStrings { "IPSP Policy Model.IETF|"
            "TransformOfPreconfiguredAction.Antecedent" }
    ]
    CIM_SATransform REF Antecedent;

    // The preconfigured action that consumes the transforms.
    [
        Override ( "Dependent" ),
        Description (
            "This defines the PreconfiguredSAAction which uses the AH, "
            "ESP, and/or IPCOMP transforms." ),
        MappingStrings { "IPSP Policy Model.IETF|"
            "TransformOfPreconfiguredAction.Dependent" }
    ]
    CIM_PreconfiguredSAAction REF Dependent;

    // Security parameter index for this transform, as a 32-bit value.
    [
        Description (
            "The SPI property specifies the security parameter index to "
            "be used by the pre-configured action for the associated "
            "transform." ),
        MappingStrings { "IPSP Policy Model.IETF|"
            "TransformOfPreconfiguredAction.SPI" },
        ModelCorrespondence { "CIM_IPsecSAEndpoint.SPI" }
    ]
    uint32 SPI;

    // TRUE = inbound SA, FALSE = outbound SA. Maps to the IETF model's
    // "Direction" property, which is also the name the class Description
    // uses.
    [
        Description (
            "InboundDirection specifies whether the SA applies to "
            "inbound (TRUE) or outbound (FALSE) traffic." ),
        MappingStrings { "IPSP Policy Model.IETF|"
            "TransformOfPreconfiguredAction.Direction" },
        ModelCorrespondence { "CIM_IPsecSAEndpoint.InboundDirection" }
    ]
    boolean InboundDirection;
};
425
426
// ==================================================================
// PreconfiguredTransportAction
// ==================================================================
// Preconfigured (non-negotiated) action that creates transport-mode SAs.
// Declares no properties of its own; the SPI is carried on the
// TransformOfPreconfiguredAction association.
[
    Version ( "2.8.0" ),
    Description (
        "PreconfiguredTransportAction is used to create transport-mode "
        "SAs using preconfigured, hard-wired algorithms and keys. Note "
        "that the SPI for a preconfigured SA action is contained in the "
        "association, TransformOfPreconfiguredAction." ),
    MappingStrings { "IPSP Policy "
        "Model.IETF|PreconfiguredTransportAction" }
]
class CIM_PreconfiguredTransportAction : CIM_PreconfiguredSAAction {
};
439
440
// ==================================================================
// PreconfiguredTunnelAction
// ==================================================================
// Preconfigured (non-negotiated) action that creates tunnel-mode SAs.
// Adds DFHandling; the SPI is carried on the
// TransformOfPreconfiguredAction association.
[
    Version ( "2.8.0" ),
    Description (
        "PreconfiguredTunnelAction is used to create tunnel-mode SAs "
        "using preconfigured, hard-wired algorithms and keys. Note that "
        "the SPI for a preconfigured SA action is contained in the "
        "association, TransformOfPreconfiguredAction." ),
    MappingStrings { "IPSP Policy Model.IETF|PreconfiguredTunnelAction"
        }
]
class CIM_PreconfiguredTunnelAction : CIM_PreconfiguredSAAction {

    // Don't Fragment bit policy for the outer (external) IP header:
    //   2 = copy from the inner header, 3 = set to 1, 4 = set to 0.
    // The ValueMap lists only 2, 3 and 4; no meaning is given here for
    // any other value.
    [
        Description (
            "DFHandling controls how the Don't Fragment bit is managed "
            "by the tunnel." ),
        ValueMap { "2", "3", "4" },
        Values { "Copy from Internal to External IP Header",
            "Set DF Bit in External Header to 1",
            "Set DF Bit in External Header to 0" },
        MappingStrings { "IPSP Policy Model.IETF|"
            "PreconfiguredTunnelAction.DFHandling" },
        ModelCorrespondence { "CIM_IPsecSAEndpoint.DFHandling" }
    ]
    uint16 DFHandling;
};
465
466
// ==================================================================
// PeerGatewayForPreconfiguredTunnel
// ==================================================================
// Names the security gateway (a RemoteServiceAccessPoint instance) used
// when building a preconfigured tunnel.
// NOTE(review): the Description reads "security gateway be used";
// "to be used" was presumably intended.
[
    Association,
    Version ( "2.8.0" ),
    Description (
        "PeerGatewayForPreconfiguredTunnel identifies at most one "
        "security gateway be used in constructing a preconfigured "
        "tunnel. A security gateway is simply a particular instance of "
        "RemoteServiceAccessPoint." ),
    MappingStrings { "IPSP Policy "
        "Model.IETF|PeerGatewayForPreconfiguredTunnel" }
]
class CIM_PeerGatewayForPreconfiguredTunnel : CIM_Dependency {

    // Max(1) with no Min: a tunnel action has at most one peer gateway
    // and may have none.
    [
        Override ( "Antecedent" ),
        Max ( 1 ),
        Description (
            "Security gateway for the preconfigured SA." ),
        MappingStrings { "IPSP Policy Model.IETF|"
            "PeerGatewayForPreconfiguredTunnel.Antecedent" }
    ]
    CIM_RemoteServiceAccessPoint REF Antecedent;

    // The tunnel action that needs the gateway.
    [
        Override ( "Dependent" ),
        Description (
            "The PreconfiguredTunnelAction that requires a security "
            "gateway." ),
        MappingStrings { "IPSP Policy Model.IETF|"
            "PeerGatewayForPreconfiguredTunnel.Dependent" }
    ]
    CIM_PreconfiguredTunnelAction REF Dependent;
};
492
493
// ==================================================================
// SANegotiationAction
// ==================================================================
// Abstract base for negotiated SAs. Holds the lifetime floors and idle
// timer shared by phase 1 and phase 2 negotiation actions.
//
// Review note: all three properties default to 0, which the
// Descriptions define as "no minimum" / "no idle timer". The
// denial-of-service protection described for the two Min* properties is
// therefore inactive until a non-zero value is configured.
[
    Abstract,
    Version ( "2.8.0" ),
    Description (
        "SANegotiationAction is the base class for negotiated SAs. It "
        "is abstract, specifying the common parameters that control the "
        "IPsec phase 1 and phase 2 negotiations." ),
    MappingStrings { "IPSP Policy Model.IETF|SANegotiationAction",
        "IPSP Policy Model.IETF|IKENegotiationAction" }
]
class CIM_SANegotiationAction : CIM_SAAction {

    // Smallest time-based lifetime (seconds) accepted from the peer.
    // Guards against a peer forcing frequent renegotiation, each of
    // which costs a Diffie-Hellman operation. 0 = no floor.
    [
        Description (
            "MinLifetimeSeconds prevents certain denial of service "
            "attacks where the peer requests an arbitrarily low lifetime "
            "value, causing renegotiations with expensive Diffie-Hellman "
            "operations. The property specifies the minimum lifetime, in "
            "seconds, that will be accepted from the peer. A value of "
            "zero (the default) indicates that there is no minimum "
            "value. A non-zero value specifies the minimum seconds "
            "lifetime." ),
        Units ( "Seconds" ),
        MappingStrings { "IPSP Policy Model.IETF|"
            "IKENegotiationAction.MinLifetimeSeconds" },
        ModelCorrespondence {
            "CIM_SecurityAssociationEndpoint.LifetimeSeconds" }
    ]
    uint64 MinLifetimeSeconds = 0;

    // Seconds an SA may carry no traffic before it is deleted.
    // 0 = no idle timer; deletion then follows the seconds and kilobyte
    // lifetimes only.
    [
        Description (
            "IdleDurationSeconds is the time an SA can remain idle "
            "(i.e., no traffic protected using the security association) "
            "before it is automatically deleted. The default (zero) "
            "value indicates that there is no idle duration timer and "
            "that the SA is deleted based upon the SA seconds and "
            "kilobyte lifetimes. Any non-zero value indicates the number "
            "of seconds that the SA may remain unused." ),
        Units ( "Seconds" ),
        MappingStrings { "IPSP Policy Model.IETF|"
            "IKENegotiationAction.IdleDurationSeconds" },
        ModelCorrespondence {
            "CIM_SecurityAssociationEndpoint.IdleDurationSeconds" }
    ]
    uint64 IdleDurationSeconds = 0;

    // Smallest volume-based lifetime (kilobytes) accepted from the peer;
    // same purpose as MinLifetimeSeconds. 0 = no floor. The Description
    // expects this to matter mainly for the IPsecAction subclass.
    [
        Description (
            "MinLifetimeKilobytes prevents certain denial of service "
            "attacks where the peer requests an arbitrarily low lifetime "
            "value, causing renegotiations with expensive Diffie-Hellman "
            "operations. The property specifies the minimum lifetime, in "
            "kilobytes, that will be accepted from the peer. A value of "
            "zero (the default) indicates that there is no minimum "
            "value. A non-zero value specifies the minimum kilobytes "
            "lifetime. Note that there has been considerable debate "
            "regarding the usefulness of applying kilobyte lifetimes to "
            "phase 1 security associations, so it is likely that this "
            "property will only apply to the subclass, IPsecAction." ),
        Units ( "KiloBytes" ),
        MappingStrings { "IPSP Policy Model.IETF|"
            "IKENegotiationAction.MinLifetimeKilobytes" },
        ModelCorrespondence {
            "CIM_SecurityAssociationEndpoint.LifetimeKilobytes" }
    ]
    uint64 MinLifetimeKilobytes = 0;
};
555
556
// ==================================================================
// IKEAction
// ==================================================================
// Parameters for an IKE phase 1 negotiation: exchange mode, the identity
// type offered to the peer, the Vendor ID payload and the key exchange
// group used in aggressive mode.
[
    Version ( "2.8.0" ),
    Description (
        "IKEAction specifies the parameters to use for an IPsec IKE "
        "phase 1 negotiation." ),
    MappingStrings { "IPSP Policy Model.IETF|IKEAction" }
]
class CIM_IKEAction : CIM_SANegotiationAction {

    // 2 = Base, 3 = Main, 4 = Aggressive.
    // Review note: Aggressive mode uses fewer messages than Main mode
    // but does not protect the peers' identities, and with pre-shared-key
    // authentication it hands an observer material for offline guessing
    // of the key. Policies that select 4 are worth flagging in a
    // configuration audit.
    [
        Description (
            "The ExchangeMode designates the mode IKE should use for its "
            "key negotiations." ),
        ValueMap { "2", "3", "4" },
        Values { "Base", "Main", "Aggressive" },
        MappingStrings { "IPSP Policy "
            "Model.IETF|IKEAction.ExchangeMode" }
    ]
    uint16 ExchangeMode;

    // Identity type presented to the peer; values 1-12 are enumerated
    // below, the remainder is split into DMTF-reserved and
    // vendor-reserved (0x8000 and up) ranges. Used together with the
    // IPNetworkIdentity instances associated with an IPProtocolEndpoint.
    [
        Description (
            "UseIKEIdentityType specifies what network identity type "
            "should be used when negotiating with the peer. It is used "
            "in conjunction with the available IPNetworkIdentity "
            "instances, that are associated with an IPProtocolEndpoint." ),
        ValueMap { "1", "2", "3", "4", "5", "6", "7", "8", "9", "10",
            "11", "12", "..", "0x8000.." },
        Values { "Other", "IPV4 Address", "FQDN", "User FQDN",
            "IPV4 Subnet Address", "IPV6 Address", "IPV6 Subnet Address",
            "IPV4 Address Range", "IPV6 Address Range", "DER ASN1 DN",
            "DER ASN1 GN", "KEY ID", "DMTF Reserved", "Vendor Reserved" },
        MappingStrings { "IPSP Policy "
            "Model.IETF|IKEAction.UseIKEIdentityType",
            "RFC2407.IETF|Section 4.6.2.1" },
        ModelCorrespondence { "CIM_IPNetworkIdentity.IdentityType" }
    ]
    uint16 UseIKEIdentityType;

    // Vendor ID payload value. Empty string (the declared default):
    // payload neither generated nor accepted. Otherwise it is sent as
    // initiator and expected as responder.
    // NOTE(review): the Description contrasts "empty string" with
    // "non-NULL"; an empty string is itself non-NULL, so "non-empty" is
    // presumably what is meant.
    [
        Description (
            "VendorID specifies the value to be used in the Vendor ID "
            "payload. An empty string (the default) means that the "
            "Vendor ID payload will not be generated or accepted. A "
            "non-NULL value means that a Vendor ID payload will be "
            "generated (when acting as an initiator) or is expected "
            "(when acting as a responder)." ),
        MappingStrings { "IPSP Policy Model.IETF|IKEAction.VendorID" }
    ]
    string VendorID = "";

    // Key exchange group for the first packets of an aggressive-mode
    // phase 1; ignored unless ExchangeMode is Aggressive (4). Groups in
    // 32768-65535 are vendor-specific and qualified by VendorID.
    // Review note: every well-known group enumerated here (768-, 1024-
    // and 1536-bit MODP, EC2N with 155/185-bit fields) predates current
    // key-size guidance, and 0 selects no Diffie-Hellman exchange at
    // all. Treat policies using these values as legacy configuration to
    // be inventoried and migrated.
    [
        Description (
            "When IKEAction.ExchangeMode is set to \"Aggressive\" (4), "
            "this property specifies the key exchange groupID to use in "
            "the first packets of the phase 1 negotiation. This property "
            "is ignored unless the ExchangeMode is 'aggressive'. If the "
            "GroupID number is from the vendor- specific range "
            "(32768-65535), the VendorID qualifies the group number. "
            "Well-known group identifiers from RFC2412, Appendix E, are: "
            "Group 1='768 bit prime', Group 2='1024 bit prime', Group "
            "3='Elliptic Curve Group with 155 bit field element', Group "
            "4='Large Elliptic Curve Group with 185 bit field element', "
            "and Group 5='1536 bit prime'." ),
        ValueMap { "0", "1", "2", "3", "4", "5", "..", "0x8000.." },
        Values { "No Group/Non-Diffie-Hellman Exchange",
            "DH-768 bit prime", "DH-1024 bit prime",
            "EC2N-155 bit field element", "EC2N-185 bit field element",
            "DH-1536 bit prime", "Standard Group - Reserved",
            "Vendor Reserved" },
        MappingStrings { "IPSP Policy "
            "Model.IETF|IKEAction.AggressiveModeGroupID",
            "RFC2412.IETF|Appendix E" },
        ModelCorrespondence { "CIM_IKEAction.VendorID" }
    ]
    uint16 AggressiveModeGroupID;
};
626
627
628 // ==================================================================
629 // IPsecAction
630 // ==================================================================
631 tony 1.1 [Version ( "2.8.0" ), Description (
632 "IPsecAction specifies the parameters to use for an IPsec phase "
633 "2 negotiation."),
634 MappingStrings { "IPSP Policy Model.IETF|IPsecAction" }]
635 class CIM_IPsecAction : CIM_SANegotiationAction {
636
637 [Description (
638 "UsePFS indicates whether perfect forward secrecy is "
639 "required when refreshing keys."),
640 MappingStrings { "IPSP Policy Model.IETF|IPsecAction.UsePFS" },
641 ModelCorrespondence { "CIM_IPsecSAEndpoint.PFSInUse" }]
642 boolean UsePFS;
643
644 [Description (
645 "UsePhase1Group indicates that the phase 2 GroupId should be "
646 "the same as that used in the phase 1 key exchange. If "
647 "UsePFS is False, then this property is ignored. Note that a "
648 "value of False indicates that the property GroupId will "
649 "contain the key exchange group to use for phase 2."),
650 MappingStrings { "IPSP Policy "
651 "Model.IETF|IPsecAction.UseIKEGroup" }]
652 tony 1.1 boolean UsePhase1Group;
653
654 [Description (
655 "GroupId specifies the PFS group ID to use. This value is "
656 "only used if PFS is True and UsePhase1Group is False. If "
657 "the GroupID number is from the vendor-specific range "
658 "(32768-65535), the VendorID qualifies the group number. "
659 "Well-known group identifiers from RFC2412, Appendix E, are: "
660 "Group 1='768 bit prime', Group 2='1024 bit prime', Group "
661 "3='Elliptic Curve Group with 155 bit field element', Group "
662 "4='Large Elliptic Curve Group with 185 bit field element', "
663 "and Group 5='1536 bit prime'."),
664 ValueMap { "0", "1", "2", "3", "4", "5", "..", "0x8000.." },
665 Values { "No Group/Non-Diffie-Hellman Exchange",
666 "DH-768 bit prime", "DH-1024 bit prime",
667 "EC2N-155 bit field element", "EC2N-185 bit field element",
668 "DH-1536 bit prime", "Standard Group - Reserved",
669 "Vendor Reserved" },
670 MappingStrings { "IPSP Policy Model.IETF|IPsecAction.GroupID",
671 "RFC2412.IETF|Appendix E" },
672 ModelCorrespondence { "CIM_IPsecAction.VendorID",
673 tony 1.1 "CIM_IKESAEndpoint.GroupID" }]
674 uint16 GroupId;
675
// Qualifier for vendor-defined groups only. It is consulted when all
// three conditions in the description hold (UsePFS true, UsePhase1Group
// False, GroupId in 32768-65535) and ignored otherwise.
// NOTE(review): a vendor-range group has no strength stated in this
// schema; its parameters have to be checked against the vendor's own
// documentation.
[Description (
    "The property VendorID is used together with the property "
    "GroupID (when it is in the vendor-specific range) to "
    "identify the key exchange group. VendorID is ignored unless "
    "UsePFS is true, AND UsePhase1Group is False, AND GroupID is "
    "in the vendor-specific range (32768-65535)."),
 MappingStrings { "IPSP Policy Model.IETF|IPsecAction.VendorID" },
 ModelCorrespondence { "CIM_IPsecAction.GroupId",
    "CIM_IKESAEndpoint.VendorID" }]
string VendorID;
// Controls how wide the negotiated SA's selector is, from coarse
// (2=Subnet) to narrow (5=Port: addresses + protocol + layer 4 ports).
// A coarser setting lets one SA, and therefore one set of keys, cover
// more of the traffic matching the rule. Value 1 defers to the free-text
// OtherGranularity property.
[Description (
    "The property Granularity is an enumeration that specifies "
    "how the selector for the SA should be derived from the "
    "traffic that triggered the negotiation. Its values are: \n"
    "1=Other; See the OtherGranularity property for more "
    "information \n"
    "2=Subnet; The source and destination subnet masks are used "
    "\n3=Address; The source and destination IP addresses of the "
    "triggering packet are used \n"
    "4=Protocol; The source and destination IP addresses and the "
    "IP protocol of the triggering packet are used \n"
    "5=Port; The source and destination IP addresses, IP "
    "protocol and the source and destination layer 4 ports of "
    "the triggering packet are used."),
 ValueMap { "1", "2", "3", "4", "5" },
 Values { "Other", "Subnet", "Address", "Protocol", "Port" },
 MappingStrings { "IPSP Policy "
    "Model.IETF|IPsecAction.Granularity" },
 ModelCorrespondence { "CIM_IPsecAction.OtherGranularity" }]
uint16 Granularity;
// Free-text companion to Granularity; only meaningful when Granularity
// is 1 ("Other"). The schema puts no constraint on the content, so a
// consumer cannot derive a selector from it mechanically.
[Description (
    "Description of the granularity when the value 1 (\"Other\") "
    "is specified for the property, Granularity."),
 ModelCorrespondence { "CIM_IPsecAction.Granularity" }]
string OtherGranularity;
713 };
// ==================================================================
// IPsecTransportAction
// ==================================================================
// Marker subclass: it declares no properties of its own, so every
// negotiation setting comes from CIM_IPsecAction. The class itself is
// what selects transport mode.
   [Version ( "2.8.0" ), Description (
       "IPsecTransportAction is used to specify that a transport-mode "
       "SA should be negotiated."),
    MappingStrings { "IPSP Policy Model.IETF|IPsecTransportAction" }]
class CIM_IPsecTransportAction : CIM_IPsecAction {
};
// ==================================================================
// IPsecTunnelAction
// ==================================================================
// Tunnel-mode counterpart of CIM_IPsecTransportAction. It adds one
// property, DFHandling, on top of what CIM_IPsecAction provides. The
// peer gateways for the tunnel are attached through the
// CIM_PeerGatewayForTunnel association.
   [Version ( "2.8.0" ), Description (
       "IPsecTunnelAction is used to specify that a tunnel-mode SA "
       "should be negotiated."),
    MappingStrings { "IPSP Policy Model.IETF|IPsecTunnelAction" }]
class CIM_IPsecTunnelAction : CIM_IPsecAction {

      // The ValueMap defines only 2, 3 and 4; this class gives no
      // meaning to 0 or 1, so a consumer should treat them as invalid
      // rather than guess. The MappingStrings entry points at
      // PreconfiguredTunnelAction.DFHandling in the IPSP model, not at
      // an IPsecTunnelAction property.
      [Description (
          "DFHandling controls how the Don't Fragment bit is managed "
          "by the tunnel."),
       ValueMap { "2", "3", "4" },
       Values { "Copy from Internal to External IP Header",
          "Set DF Bit in External Header to 1",
          "Set DF Bit in External Header to 0" },
       MappingStrings { "IPSP Policy Model.IETF|"
          "PreconfiguredTunnelAction.DFHandling" },
       ModelCorrespondence { "CIM_IPsecSAEndpoint.DFHandling" }]
   uint16 DFHandling;
};
// ==================================================================
// PeerGatewayForTunnel
// ==================================================================
// Association from a tunnel action to the security gateways it may
// negotiate with, ordered by SequenceNumber.
// NOTE(review): the absence of any instance is itself a policy
// statement (see the Antecedent description): as responder, phase 1 is
// then accepted from any gateway. A policy audit should treat a
// CIM_IPsecTunnelAction without this association as "peer unrestricted",
// not as "not configured".
   [Association, Version ( "2.8.0" ), Description (
       "PeerGatewayForTunnel identifies an ordered list of security "
       "gateways to be used in negotiating and constructing a tunnel. "
       "A security gateway is simply a particular instance of "
       "RemoteServiceAccessPoint."),
    MappingStrings { "IPSP Policy Model.IETF|PeerGatewayForTunnel" }]
class CIM_PeerGatewayForTunnel : CIM_Dependency {

      // "absense" is spelled this way in the published text and is
      // kept verbatim.
      [Override ( "Antecedent" ), Description (
          "The security gateway for the SA. Note that the absense of "
          "this association indicates that: \n"
          "- When acting as a responder, IKE will accept phase 1 "
          "negotiations with any other security gateway \n"
          "- When acting as an initiator, IKE will use the destination "
          "IP address (of the IP packets which triggered the SARule) "
          "as the IP address of the peer IKE entity."),
       MappingStrings { "IPSP Policy "
          "Model.IETF|PeerGatewayForTunnel.Antecedent" }]
   CIM_RemoteServiceAccessPoint REF Antecedent;

      [Override ( "Dependent" ), Description (
          "The IPsecTunnelAction that requires a security gateway."),
       MappingStrings { "IPSP Policy "
          "Model.IETF|PeerGatewayForTunnel.Dependent" }]
   CIM_IPsecTunnelAction REF Dependent;

      // Lower value = tried first. Unlike the SequenceNumber on
      // CIM_ContainedProposal, the description here does not require
      // the values to be unique per tunnel action.
      [Description (
          "SequenceNumber indicates the ordering to be used when "
          "selecting a PeerGateway instance for an IPsecTunnelAction. "
          "Lower values are evaluated first."),
       MappingStrings { "IPSP Policy Model.IETF|"
          "PeerGatewayForTunnel.SequenceNumber" }]
   uint16 SequenceNumber;
};
// ==================================================================
// IPsec phase 1 and 2 Proposals to be negotiated
// ==================================================================
// ==================================================================
// SAProposal
// ==================================================================
// Abstract root for phase 1 (CIM_IKEProposal) and phase 2
// (CIM_IPsecProposal) proposals. It declares no properties; it exists so
// that CIM_ContainedProposal can reference either kind. Modelled as
// setting data because a proposal's properties are applied to the SA as
// one set.
// "proposaltransform" in the text below is as published and is kept
// verbatim.
   [Abstract, Version ( "2.8.0" ), Description (
       "SAProposal is a base class defining the common properties of, "
       "and anchoring common associations for, IPsec phase 1 and phase "
       "2 proposals. It is defined as a kind of ScopedSettingData "
       "(scoped by a ComputerSystem or AdminDomain), since its "
       "subclasses define sets of IPsec properties that MUST be "
       "applied together, if negotiated. This subclassing is different "
       "than that defined in IETF's IPSP Policy draft - where it is "
       "subclassed from Policy. The definition as SettingData is more "
       "consistent with the application of the properties as a set, to "
       "the negotiated Security Association. To indicate that 'this' "
       "proposaltransform is negotiated for a Security Association, "
       "use the ElementSettingData to associate the proposal and the "
       "SA."),
    MappingStrings { "IPSP Policy Model.IETF|SAProposal" }]
class CIM_SAProposal : CIM_ScopedSettingData {
};
// ==================================================================
// ContainedProposal
// ==================================================================
// Ordered aggregation of proposals under one negotiation action. The
// proposal type must match the action type: IKEProposals under an
// IKEAction, IPsecProposals under an IPsec transport/tunnel action.
// NOTE(review): every proposal attached here is an acceptable outcome of
// the negotiation, whatever its position. SequenceNumber expresses
// preference only, so a weak proposal kept "as a fallback" can still be
// the one selected.
   [Association, Aggregation, Version ( "2.8.0" ), Description (
       "ContainedProposal holds an ordered list of SAProposals that "
       "make up an SANegotiationAction. If the referenced "
       "NegotiationAction is an IKEAction, then the SAProposal objects "
       "MUST be IKEProposals. If the referenced NegotiationAction "
       "object is an IPsecTransport/TunnelAction, then the referenced "
       "SAProposal objects MUST be IPsecProposals."),
    MappingStrings { "IPSP Policy Model.IETF|ContainedProposal" }]
class CIM_ContainedProposal : CIM_Component {

      [Aggregate, Override ( "GroupComponent" ), Description (
          "The SANegotiationAction containing a list of SAProposals."),
       MappingStrings { "IPSP Policy "
          "Model.IETF|ContainedProposal.GroupComponent" }]
   CIM_SANegotiationAction REF GroupComponent;

      [Override ( "PartComponent" ), Description (
          "The SAProposal in this negotiation action."),
       MappingStrings { "IPSP Policy "
          "Model.IETF|ContainedProposal.PartComponent" }]
   CIM_SAProposal REF PartComponent;

      // Lower value = more preferred. Values MUST be unique among the
      // ContainedProposals of one SANegotiationAction; the schema states
      // this in prose only, so a validator has to check it explicitly.
      // "chosing" is as published and is kept verbatim.
      [Description (
          "SequenceNumber indicates the ordering to be used when "
          "chosing from among the proposals. Lower-valued proposals "
          "are preferred over proposals with higher values. For "
          "ContainedProposals that reference the same "
          "SANegotiationAction, SequenceNumber values MUST be unique."),
       MappingStrings { "IPSP Policy "
          "Model.IETF|ContainedProposal.SequenceNumber" }]
   uint16 SequenceNumber;
};
// ==================================================================
// IKEProposal
// ==================================================================
// Phase 1 (IKE SA) parameters: lifetimes, cipher, hash, authentication
// method and key exchange group. The enumerations are renumbered
// relative to RFC 2409 Appendix A (each description says so), so values
// here must not be compared with on-the-wire IKE attribute values.
// NOTE(review): the algorithm lists date from 2004 and target IKEv1,
// which the IETF has since deprecated (RFC 9395). Several named values
// are weak by current standards; see the per-property notes.
   [Version ( "2.8.0" ), Description (
       "IKEProposal contains the parameters necessary to drive the "
       "phase 1 IKE negotiation."),
    MappingStrings { "IPSP Policy Model.IETF|IKEProposal" }]
class CIM_IKEProposal : CIM_SAProposal {

      // Zero does NOT mean "unlimited" here: it selects the 8 hour
      // default. Compare MaxLifetimeKilobytes, where zero means no
      // limit at all.
      [Description (
          "MaxLifetimeSeconds specifies the maximum time the IKE "
          "message sender proposes for an SA to be considered valid "
          "after it has been created. A value of zero indicates that "
          "the default of 8 hours be used. A non-zero value indicates "
          "the maximum seconds lifetime."),
       Units ( "Seconds" ),
       MappingStrings { "IPSP Policy "
          "Model.IETF|IKEProposal.MaxLifetimeSeconds" },
       ModelCorrespondence {
          "CIM_SecurityAssociationEndpoint.LifetimeSeconds" }]
   uint64 MaxLifetimeSeconds;

      // Zero (the default) means no volume-based expiry, so rekeying is
      // then driven by MaxLifetimeSeconds alone.
      [Description (
          "MaxLifetimeKilobytes specifies the maximum kilobyte "
          "lifetime the IKE message sender proposes for an SA to be "
          "considered valid after it has been created. A value of zero "
          "(the default) indicates that there should be no maximum "
          "kilobyte lifetime. A non-zero value specifies the desired "
          "kilobyte lifetime."),
       Units ( "KiloBytes" ),
       MappingStrings { "IPSP Policy "
          "Model.IETF|IKEProposal.MaxLifetimeKilobytes" },
       ModelCorrespondence {
          "CIM_SecurityAssociationEndpoint.LifetimeKilobytes" }]
   uint64 MaxLifetimeKilobytes;

      // NOTE(review): the named values (2-7) contain no AES entry, and
      // DES (2) has a 56-bit key; a policy audit should flag value 2.
      // Presumably a newer cipher has to be expressed as 1 ("Other")
      // plus OtherCipherAlgorithm or through a reserved/vendor value;
      // confirm against the consuming implementation.
      [Description (
          "CipherAlgorithm is an enumeration that specifies the "
          "proposed encryption algorithm. The list of algorithms was "
          "generated from Appendix A of RFC2409. Note that the "
          "enumeration is different than the RFC list and aligns with "
          "the values in IKESAEndpoint.CipherAlgorithm."),
       ValueMap { "1", "2", "3", "4", "5", "6", "7", "8..65000",
          "65001..65535" },
       Values { "Other", "DES", "IDEA", "Blowfish", "RC5", "3DES",
          "CAST", "DMTF/IANA Reserved", "Vendor Reserved" },
       MappingStrings { "IPSP Policy "
          "Model.IETF|IKEProposal.CipherAlgorithm",
          "RFC2409.IETF|Appendix A" },
       ModelCorrespondence { "CIM_IKESAEndpoint.CipherAlgorithm",
          "CIM_IKEProposal.OtherCipherAlgorithm" }]
   uint16 CipherAlgorithm;

      // Free text; only meaningful when CipherAlgorithm is 1.
      [Description (
          "Description of the encryption algorithm when the value 1 "
          "(\"Other\") is specified for the property, CipherAlgorithm."),
       ModelCorrespondence { "CIM_IKESAEndpoint.OtherCipherAlgorithm",
          "CIM_IKEProposal.CipherAlgorithm" }]
   string OtherCipherAlgorithm;

      // NOTE(review): the named values are MD5, SHA-1 and Tiger; there
      // is no SHA-2 entry. MD5 and SHA-1 both have known collision
      // weaknesses, so a policy audit should report which one is
      // configured rather than accept either silently.
      [Description (
          "HashAlgorithm is an enumeration that specifies the proposed "
          "hash function. The list of algorithms was generated from "
          "Appendix A of RFC2409. Note that the enumeration is "
          "different than the RFC list and aligns with the values in "
          "IKESAEndpoint.HashAlgorithm."),
       ValueMap { "1", "2", "3", "4", "5..65000", "65001..65535" },
       Values { "Other", "MD5", "SHA-1", "Tiger", "DMTF/IANA Reserved",
          "Vendor Reserved" },
       MappingStrings { "IPSP Policy "
          "Model.IETF|IKEProposal.HashAlgorithm",
          "RFC2409.IETF|Appendix A" },
       ModelCorrespondence { "CIM_IKESAEndpoint.HashAlgorithm",
          "CIM_IKEProposal.OtherHashAlgorithm" }]
   uint16 HashAlgorithm;

      // Free text; only meaningful when HashAlgorithm is 1.
      [Description (
          "Description of the hash function when the value 1 "
          "(\"Other\") is specified for the property, HashAlgorithm."),
       ModelCorrespondence { "CIM_IKESAEndpoint.OtherHashAlgorithm",
          "CIM_IKEProposal.HashAlgorithm" }]
   string OtherHashAlgorithm;

      // NOTE(review): 65000 ("Any") is a wildcard, not a method. It
      // expands into one proposal per credential type installed on the
      // machine, so the set of methods actually offered depends on
      // local state rather than on the policy text. Where only
      // certificate authentication is intended, name the method
      // explicitly (3 or 4) so that an installed pre-shared key is not
      // offered as well.
      [Description (
          "AuthenticationMethod is an enumeration that specifies the "
          "proposed authentication. The list of methods was generated "
          "from Appendix A of RFC2409. Note that the enumeration is "
          "different than the RFC list and aligns with the values in "
          "IKESAEndpoint.AuthenticationMethod. There is one change to "
          "the list - the value 65000 has special meaning. It is a "
          "special value that indicates that this particular proposal "
          "should be repeated once for each authentication method "
          "corresponding to credentials installed on the machine. For "
          "example, if the system has a pre-shared key and an "
          "public-key certificate, a proposal list would be "
          "constructed which includes a proposal that specifies a "
          "pre-shared key and a proposal for any of the public-key "
          "certificates."),
       ValueMap { "1", "2", "3", "4", "5", "6", "7..64999", "65000",
          "65001..65535" },
       Values { "Other", "Pre-shared Key", "DSS Signatures",
          "RSA Signatures", "Encryption with RSA",
          "Revised Encryption with RSA", "DMTF/IANA Reserved", "Any",
          "Vendor Reserved" },
       MappingStrings { "IPSP Policy "
          "Model.IETF|IKEProposal.AuthenticationMethod",
          "RFC2409.IETF|Appendix A" },
       ModelCorrespondence { "CIM_IKESAEndpoint.AuthenticationMethod",
          "CIM_IKEProposal.OtherAuthenticationMethod" }]
   uint16 AuthenticationMethod;

      // Free text; only meaningful when AuthenticationMethod is 1.
      [Description (
          "Description of the method when the value 1 (\"Other\") is "
          "specified for the property, AuthenticationMethod."),
       ModelCorrespondence {
          "CIM_IKESAEndpoint.OtherAuthenticationMethod",
          "CIM_IKEProposal.AuthenticationMethod" }]
   string OtherAuthenticationMethod;

      // Phase 1 key exchange group, with the same value map as
      // CIM_IPsecAction.GroupId. It is ignored for aggressive mode
      // (IKEAction.ExchangeMode = 4, defined outside this excerpt), so
      // for those exchanges the proposal does not control the group.
      // NOTE(review): values 0 through 4 name no exchange or groups
      // that are below current recommended strength, and 5 (1536-bit)
      // is marginal; a policy audit should flag them.
      [Description (
          "The property GroupId specifies the proposed phase 1 "
          "security association key exchange group. This property is "
          "ignored for all aggressive mode exchanges "
          "(IKEAction.ExchangeMode = 4). If the GroupID number is from "
          "the vendor-specific range (32768-65535), the property "
          "VendorID qualifies the group number. Well-known group "
          "identifiers from RFC2412, Appendix E, are: Group 1='768 bit "
          "prime', Group 2='1024 bit prime', Group 3 ='Elliptic Curve "
          "Group with 155 bit field element', Group 4= 'Large Elliptic "
          "Curve Group with 185 bit field element', and Group 5='1536 "
          "bit prime'."),
       ValueMap { "0", "1", "2", "3", "4", "5", "..", "0x8000.." },
       Values { "No Group/Non-Diffie-Hellman Exchange",
          "DH-768 bit prime", "DH-1024 bit prime",
          "EC2N-155 bit field element", "EC2N-185 bit field element",
          "DH-1536 bit prime", "Standard Group - Reserved",
          "Vendor Reserved" },
       MappingStrings { "IPSP Policy Model.IETF|IKEProposal.GroupID",
          "RFC2412.IETF|Appendix E" },
       ModelCorrespondence { "CIM_IKESAEndpoint.GroupID",
          "CIM_IKEProposal.VendorID" }]
   uint16 GroupId;

      // Only meaningful when GroupId is in 32768-65535.
      [Description (
          "VendorID identifies the vendor when the value of GroupID is "
          "in the vendor-specific range, 32768 to 65535."),
       ModelCorrespondence { "CIM_IKESAEndpoint.VendorID",
          "CIM_IKEProposal.GroupId" }]
   string VendorID;
};
// ==================================================================
// IPsecProposal
// ==================================================================
// Phase 2 proposal. It carries no algorithm properties itself; the
// AH/ESP/other transforms are attached through the
// CIM_ContainedTransform aggregation, so that is where a policy audit
// has to look for the phase 2 algorithms.
   [Version ( "2.8.0" ), Description (
       "The class IPsecProposal adds no new properties, but inherits "
       "proposal properties from SAProposal as well as associating the "
       "security association transforms necessary for building an "
       "IPsec proposal (see the class ContainedTransform)."),
    MappingStrings { "IPSP Policy Model.IETF|IPsecProposal" }]
class CIM_IPsecProposal : CIM_SAProposal {
};
// ==================================================================
// ContainedTransform
// ==================================================================
// Aggregates transforms into an IPsecProposal. Semantics, from the
// description: transforms of the same type are alternatives (OR),
// ordered by SequenceNumber; sets of different types are all required
// (AND). A proposal needs at least one transform (Min ( 1 ) on
// PartComponent).
// NOTE(review): because same-type transforms are alternatives, each one
// listed is an acceptable result of negotiation. A weak transform placed
// last is still selectable, so the proposal is only as strong as its
// weakest alternative of each type.
   [Association, Aggregation, Version ( "2.8.0" ), Description (
       "ContainedTransform associates a proposal with a list of "
       "transforms. If multiple transforms of a given type are "
       "included in a proposal, these transforms are interpreted as "
       "alternatives -- i.e., logically ORed with each other. The "
       "order of preference is dictated by the SequenceNumber "
       "property. Sets of transforms of different types are logically "
       "ANDed. For example, a proposal based on two AH transforms and "
       "three ESP transforms means one of the AH AND one of the ESP "
       "transforms MUST be chosen. Note that at least 1 transform MUST "
       "be aggregated into the proposal."),
    MappingStrings { "IPSP Policy Model.IETF|ContainedTransform" }]
class CIM_ContainedTransform : CIM_Component {

      [Aggregate, Override ( "GroupComponent" ), Description (
          "The Proposal containing the transforms."),
       MappingStrings { "IPSP Policy Model.IETF|"
          "ContainedTransform.GroupComponent" }]
   CIM_IPsecProposal REF GroupComponent;

      [Override ( "PartComponent" ), Min ( 1 ), Description (
          "Transforms in the proposal."),
       MappingStrings { "IPSP Policy Model.IETF|"
          "ContainedTransform.PartComponent" }]
   CIM_SATransform REF PartComponent;

      // Preference is per transform type: lower value = more preferred,
      // and values MUST be unique among same-type transforms of one
      // IPsecProposal. The schema states the uniqueness rule in prose
      // only, so a validator has to check it explicitly.
      [Description (
          "SequenceNumber indicates the order of preference for "
          "SATransforms of the same type. Lower-valued transforms are "
          "preferred over transforms of the same type with higher "
          "values. For ContainedTransforms (of the same type) that "
          "reference the same IPsecProposal, SequenceNumber values "
          "MUST be unique."),
       MappingStrings { "IPSP Policy Model.IETF|"
          "ContainedTransform.SequenceNumber" }]
   uint16 SequenceNumber;
};
// ===================================================================
// end of file
// ===================================================================