1 tony 1.1 // ===================================================================
2 // Title: Network IPsec 2.8 Preliminary
3 // Filename: Network28_IPsec.mof
4 // Version: 2.8.0
5 // Status: Final
6 // Date: Jan 26, 2004
7 // ===================================================================
8 // Copyright 1998-2003 Distributed Management Task Force, Inc. (DMTF).
9 // All rights reserved.
10 // DMTF is a not-for-profit association of industry members dedicated
11 // to promoting enterprise and systems management and interoperability.
12 // DMTF specifications and documents may be reproduced for uses
13 // consistent with this purpose by members and non-members,
14 // provided that correct attribution is given.
15 // As DMTF specifications may be revised from time to time,
16 // the particular version and release date should always be noted.
17 //
18 // Implementation of certain elements of this standard or proposed
19 // standard may be subject to third party patent rights, including
20 // provisional patent rights (herein "patent rights"). DMTF makes
21 // no representations to users of the standard as to the existence
22 tony 1.1 // of such rights, and is not responsible to recognize, disclose, or
23 // identify any or all such third party patent right, owners or
24 // claimants, nor for any incomplete or inaccurate identification or
25 // disclosure of such rights, owners or claimants. DMTF shall have no
26 // liability to any party, in any manner or circumstance, under any
27 // legal theory whatsoever, for failure to recognize, disclose, or
28 // identify any such third party patent rights, or for such party's
29 // reliance on the standard or incorporation thereof in its product,
30 // protocols or testing procedures. DMTF shall have no liability to
31 // any party implementing such standard, whether such implementation
32 // is foreseeable or not, nor to any patent owner or claimant, and shall
33 // have no liability or responsibility for costs or losses incurred if
34 // a standard is withdrawn or modified after publication, and shall be
35 // indemnified and held harmless by any party implementing the
36 // standard from any and all claims of infringement by a patent owner
37 // for such implementations.
38 //
39 // For information about patents held by third-parties which have
40 // notified the DMTF that, in their opinion, such patent may relate to
41 // or impact implementations of DMTF standards, visit
42 // http://www.dmtf.org/about/policies/disclosures.php.
43 tony 1.1 // ===================================================================
44 // Description: The Network Model extends the management concepts to
45 // represent protocol interfaces and network/protocol
46 // services. This file defines the classes to manage
47 // an IPsec security association.
48 //
49 // The object classes below are listed in an order that
50 // avoids forward references. Required objects, defined
51 // by other working groups, are omitted.
52 // ==================================================================
53 // This model was originally introduced in CIM V2.6 Preliminary and
54 // was not promoted to Final status. The following CR updates the
55 // V2.6 MOF and better aligns it with the IETF I-D from the IPSP
56 // Working Group.
57 // CR1026 - Modifications to the V2.6 MOF for IPsec management
58 // Change Log CIM V2.8
59 // CR1194 - Promote all classes to final
// CR1238 - Fix model correspondence reference problems in final version
61 //
62 // ===================================================================
63
64 tony 1.1 #pragma Locale ("en_US")
65
66
67 // ==================================================================
68 // Security Association Endpoints
69 // ==================================================================
70
71 // ==================================================================
72 // SecurityAssociationEndpoint
73 // ==================================================================
// -----------------------------------------------------------------
// CIM_SecurityAssociationEndpoint
// Base class for one side of an IPsec or IKE security association.
// The lifetime, idle and kilobyte limits below decide when the SA is
// torn down; the two Refresh*Percentage properties decide when a
// replacement SA should be negotiated ahead of expiry. The same two
// percentages are duplicated in CIM_SAEndpointRefreshSettings.
// -----------------------------------------------------------------
[Version ( "2.8.0" ), Description (
   "SecurityAssociationEndpoint (SAEndpoint) represents the "
   "endpoint of a secure connection. This is typically an IP "
   "connection, although the model allows more flexibility than "
   "just IP. The SecurityAssociationEndpoint is tied to an "
   "IPProtocolEndpoint (or possibly other endpoint) using the "
   "LogicalIdentity association. Note that an endpoint is defined "
   "at both ends of the connection.")]
class CIM_SecurityAssociationEndpoint : CIM_ProtocolEndpoint {

   // The inherited InstallDate is redefined to mean SA creation time.
   [Override ( "InstallDate" ), Description (
      "InstallDate records when the SA (and its endpoint) was "
      "created.")]
   datetime InstallDate;

   // Zero is a sentinel for the 8 hour default, not "unlimited".
   [Description (
      "LifetimeSeconds specifies the maximum time that the SA will "
      "be considered valid after it has been created. A value of "
      "zero indicates that the default of 8 hours be used. A "
      "non-zero value indicates the seconds lifetime."),
    Units ( "Seconds" )]
   uint64 LifetimeSeconds = 0;

   // Writable. Percentage of LifetimeSeconds after which a new SA should
   // be requested, so that it is in place before the current one expires.
   [Write, Description (
      "RefreshThresholdSecondsPercentage is the lifetime "
      "percentage after which a new SA should be acquired, before "
      "the existing SA expires. A random period may be added to a "
      "calculated threshold to reduce network thrashing."),
    Units ( "Percent" ), MinValue ( 0 ), MaxValue ( 100 )]
   uint8 RefreshThresholdSecondsPercentage;

   // Here zero means "no idle timeout" - the opposite sense of the zero
   // default in LifetimeSeconds.
   [Description (
      "IdleDurationSeconds specifies how long the SA can be idle "
      "before it is deleted. The default value, 0, indicates that "
      "there is no idle timeout period."),
    Units ( "Seconds" )]
   uint64 IdleDurationSeconds = 0;

   // Zero means no traffic-volume limit; a non-zero value deletes the SA
   // once the protected kilobyte count is exceeded. NOTE(review): while
   // this stays 0, only LifetimeSeconds bounds how much traffic is
   // protected under a single key.
   [Description (
      "LifetimeKilobytes specifies the maximum number of kilobytes "
      "of data traffic to be protected by the SA. A value of zero "
      "(the default) indicates that there should be no maximum "
      "kilobyte lifetime. A non-zero value specifies the desired "
      "kilobyte lifetime. The SA is deleted when the "
      "LifetimeKilobyte value is exceeded."),
    Units ( "KiloBytes" )]
   uint64 LifetimeKilobytes = 0;

   // Writable. Percentage of LifetimeKilobytes at which rekeying starts.
   [Write, Description (
      "RefreshThresholdKbytesPercentage is the lifetime percentage "
      "of kilobytes processed, at which a new SA should be "
      "acquired. A random value may be added to the calculated "
      "threshold to reduce network thrashing."),
    Units ( "Percent" ), MinValue ( 0 ), MaxValue ( 100 )]
   uint8 RefreshThresholdKbytesPercentage;

   // Writable. Turns on logging of the traffic handled by this SAEndpoint.
   [Write, Description (
      "PacketLoggingActive causes a log to be kept of traffic "
      "processed by the SAEndpoint.")]
   boolean PacketLoggingActive;
};
135
136
137 // ==================================================================
138 // FilterOfSecurityAssociation
139 // ==================================================================
// -----------------------------------------------------------------
// CIM_FilterOfSecurityAssociation
// Dependency between a FilterList (the traffic selector) and the
// SAEndpoint it selects traffic for. Max ( 1 ) on the Antecedent
// bounds each endpoint to a single FilterList.
// -----------------------------------------------------------------
[Association, Version ( "2.8.0" ), Description (
   "FilterOfSecurityAssociation associates a network traffic "
   "specification (i.e., a FilterList) with a SecurityAssociation "
   "Endpoint, to which the filter list applies.")]
class CIM_FilterOfSecurityAssociation : CIM_Dependency {

   // The selector: which packets the SA protects.
   [Override ( "Antecedent" ), Max ( 1 ), Description (
      "FilterList describing the traffic to be selected/matched.")]
   CIM_FilterList REF Antecedent;

   // The SA endpoint that applies the selector.
   [Override ( "Dependent" ), Description (
      "SecurityAssociation using the FilterList as its traffic "
      "selector.")]
   CIM_SecurityAssociationEndpoint REF Dependent;
};
155
156
157 // ==================================================================
158 // SAEndpointConnectionStatistics
159 // ==================================================================
// -----------------------------------------------------------------
// CIM_SAEndpointConnectionStatistics
// Per-SAEndpoint usage counters, linked to the endpoint through
// ElementStatisticalData. ByteCount feeds the kilobyte lifetime
// decision; LastAccessed feeds the idle-timeout decision.
// -----------------------------------------------------------------
[Version ( "2.8.0" ), Description (
   "This class captures statistical and time-related information "
   "about the use of the IPsec or IKE Security Associations, "
   "through their IPsecSAEndpoint or IKESAEndpoint. The relevant "
   "SAEndpoint is determined by traversing the "
   "ElementStatisticalData association.")]
class CIM_SAEndpointConnectionStatistics : CIM_StatisticalData {

   // Monotonic counter (Counter qualifier) of bytes protected so far.
   [Description (
      "Number of bytes that have been protected by the associated "
      "SAEndpoint."),
    Units ( "Bytes" ), Counter]
   uint64 ByteCount;

   // Timestamp of last use; compare with IdleDurationSeconds on the endpoint.
   [Description (
      "LastAccessed indicates when the SAEndpoint was last used. "
      "This property is helpful in determining if the SA (and its "
      "endpoint) will be deleted due to sitting idle.")]
   datetime LastAccessed;
};
180
181
182 // ==================================================================
183 // SAEndpointRefreshSettings
184 // ==================================================================
// -----------------------------------------------------------------
// CIM_SAEndpointRefreshSettings
// SettingData copy of the two refresh thresholds that also live on
// CIM_SecurityAssociationEndpoint. Both properties are Write and carry
// ModelCorrespondence back to the endpoint properties; keeping the two
// copies in sync is the provider's job, the schema does not enforce it.
// -----------------------------------------------------------------
[Version ( "2.8.0" ), Description (
   "SAEndpointRefreshSettings hold the refresh thresholds for the "
   "SecurityAssociationEndpoint. Since these settings may change "
   "for an SA, the properties are defined both in this class and "
   "in SecurityAssociationEndpoint.")]
class CIM_SAEndpointRefreshSettings : CIM_SettingData {

   // Mirrors CIM_SecurityAssociationEndpoint.RefreshThresholdSecondsPercentage.
   [Write, Description (
      "RefreshThresholdSecondsPercentage is the lifetime "
      "percentage after which a new SA should be acquired, before "
      "the existing SA expires."),
    Units ( "Percent" ), MinValue ( 0 ), MaxValue ( 100 ),
    ModelCorrespondence { "CIM_SecurityAssociationEndpoint."
      "RefreshThresholdSecondsPercentage" }]
   uint8 RefreshThresholdSecondsPercentage;

   // Mirrors CIM_SecurityAssociationEndpoint.RefreshThresholdKbytesPercentage.
   [Write, Description (
      "RefreshThresholdKbytesPercentage is the lifetime percentage "
      "of kilobytes processed, at which a new SA should be "
      "acquired."),
    Units ( "Percent" ), MinValue ( 0 ), MaxValue ( 100 ),
    ModelCorrespondence { "CIM_SecurityAssociationEndpoint."
      "RefreshThresholdKbytesPercentage" }]
   uint8 RefreshThresholdKbytesPercentage;
};
210
211 tony 1.1
212 // ==================================================================
213 // IPsecSAEndpoint
214 // ==================================================================
// -----------------------------------------------------------------
// CIM_IPsecSAEndpoint
// A phase 2 (AH / ESP / IPCOMP) SA endpoint. An IPsec SA is
// unidirectional, hence InboundDirection; the transform actually in
// use is attached via CIM_TransformOfSecurityAssociation.
// -----------------------------------------------------------------
[Version ( "2.8.0" ), Description (
   "IPsecSAEndpoints are types of SecurityAssociationEndpoints "
   "representing both negotiated and static SAs that correspond to "
   "AH, ESP, or IPCOMP transforms.")]
class CIM_IPsecSAEndpoint : CIM_SecurityAssociationEndpoint {

   // The on-the-wire SPI; its string form may double as the inherited
   // 'Name' key.
   [Description (
      "SPI contains the Security Parameter Index of the SA. This "
      "value in string form may also be used in the key field "
      "'Name' inherited from ServiceAccessPoint.")]
   uint32 SPI;

   // TRUE = inbound SA, FALSE = outbound SA.
   [Description (
      "InboundDirection specifies whether the SA applies to "
      "inbound (TRUE) or outbound (FALSE) traffic.")]
   boolean InboundDirection;

   // Value 1 is intentionally absent from this map (no "Other").
   [Description (
      "EncapsulationMode indicates whether the IPsecSAEndpoint "
      "uses transport or tunnel encapsulation."),
    ValueMap { "0", "2", "3" },
    Values { "Unknown", "Tunnel", "Transport" }]
   uint16 EncapsulationMode;

   // How the outer header's DF bit is derived in tunnel mode; value 1
   // is absent here as well.
   [Description (
      "DFHandling controls how the 'Don't Fragment' bit is managed "
      "by the IPsecSAEndpoint."),
    ValueMap { "0", "2", "3", "4" },
    Values { "Unknown", "Copy from Internal to External IP Header",
      "Set DF Bit in External Header to 1",
      "Set DF Bit in External Header to 0" }]
   uint16 DFHandling;

   // Whether a fresh Diffie-Hellman exchange is required on rekey.
   [Description (
      "PFSInUse indicates whether perfect forward secrecy is "
      "required when refreshing keys.")]
   boolean PFSInUse;
};
253 tony 1.1
254
255 // ==================================================================
256 // PeerOfIPsecSAEndpoint
257 // ==================================================================
// -----------------------------------------------------------------
// CIM_PeerOfSAEndpoint
// NOTE(review): the section header and Description call this
// association "PeerOfIPsecSAEndpoint", but the class is named
// CIM_PeerOfSAEndpoint. The class name is the published identifier
// and cannot be changed here; the Dependent is already narrowed to
// CIM_IPsecSAEndpoint, so the Description is accurate about scope.
// -----------------------------------------------------------------
[Association, Version ( "2.8.0" ), Description (
   "PeerOfIPsecSAEndpoint identifies the peer of the "
   "IPsecSAEndpoint.")]
class CIM_PeerOfSAEndpoint : CIM_Dependency {

   // The remote end; at most one peer per endpoint (Max ( 1 )).
   [Override ( "Antecedent" ), Max ( 1 ), Description (
      "The peer for the SAEndpoint.")]
   CIM_RemoteServiceAccessPoint REF Antecedent;

   // The local phase 2 endpoint.
   [Override ( "Dependent" ), Description (
      "The IPsecSAEndpoint which has a peer.")]
   CIM_IPsecSAEndpoint REF Dependent;
};
271
272
273 // ==================================================================
274 tony 1.1 // IKESAEndpoint
275 // ==================================================================
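// -----------------------------------------------------------------
// CIM_IKESAEndpoint
// The phase 1 (IKE) SA that protects negotiation of the phase 2
// IPsec SAs. The algorithm enumerations follow RFC2409 Appendix A
// with Unknown/Other prepended, so the numeric values here do NOT
// equal the RFC's own transform identifiers.
// Fix: the AuthenticationMethod vendor range used "65001-65535"; it
// now uses the ".." range syntax like every other ValueMap in this
// file (see CipherAlgorithm and HashAlgorithm below).
// -----------------------------------------------------------------
[Version ( "2.8.0" ), Description (
   "IKESAEndpoint is created in the first phase of SA negotiation "
   "and protects the key negotiation traffic. This endpoint is "
   "only created when IKE is the key exchange protocol. Other "
   "protocols and their endpoints will be defined in a future "
   "release.")]
class CIM_IKESAEndpoint : CIM_SecurityAssociationEndpoint {

   // The two cookies together identify the phase 1 SA; their string
   // forms may be combined to build the inherited 'Name' key.
   [Description (
      "Identifier of the IKE phase 1 negotiation initiator. "
      "Combined with the ResponderCookie, this value, in string "
      "form, may be used to construct the value of the key field "
      "'Name', inherited from ServiceAccessPoint.")]
   uint64 InitiatorCookie;

   [Description (
      "Identifier of the IKE phase 1 negotiation responder. "
      "Combined with the InitiatorCookie, this value, in string "
      "form, may be used to construct the value of the key field "
      "'Name', inherited from ServiceAccessPoint.")]
   uint64 ResponderCookie;

   // NOTE(review): because the list mirrors RFC2409 it carries DES and
   // MD5. An instance reporting those values describes what was
   // negotiated, not a recommended configuration; management tooling
   // consuming this class should surface them as a finding.
   [Description (
      "CipherAlgorithm is an enumeration that specifies the "
      "encryption algorithm used by the IKESAEndpoint. The list of "
      "algorithms was generated from Appendix A of RFC2409. Note "
      "that the enumeration is different than the RFC list, since "
      "the values of Unknown and Other are taken into account."),
    ValueMap { "0", "1", "2", "3", "4", "5", "6", "7", "8..65000",
      "65001..65535" },
    Values { "Unknown", "Other", "DES", "IDEA", "Blowfish", "RC5",
      "3DES", "CAST", "DMTF/IANA Reserved", "Vendor Reserved" },
    MappingStrings { "RFC2409.IETF|Appendix A" },
    ModelCorrespondence { "CIM_IKESAEndpoint.OtherCipherAlgorithm" }]
   uint16 CipherAlgorithm;

   // Free-text name, meaningful only when CipherAlgorithm == 1.
   [Description (
      "Description of the encryption algorithm when the value 1 "
      "(\"Other\") is specified for the property, CipherAlgorithm."),
    ModelCorrespondence { "CIM_IKESAEndpoint.CipherAlgorithm" }]
   string OtherCipherAlgorithm;

   // Same caveat as CipherAlgorithm: MD5 is listed because RFC2409 lists it.
   [Description (
      "HashAlgorithm is an enumeration that specifies the hash "
      "function used by the IKESAEndpoint. The list of algorithms "
      "was generated from Appendix A of RFC2409. Note that the "
      "enumeration is different than the RFC list, since the "
      "values of Unknown and Other are taken into account."),
    ValueMap { "0", "1", "2", "3", "4", "5..65000", "65001..65535" },
    Values { "Unknown", "Other", "MD5", "SHA-1", "Tiger",
      "DMTF/IANA Reserved", "Vendor Reserved" },
    MappingStrings { "RFC2409.IETF|Appendix A" },
    ModelCorrespondence { "CIM_IKESAEndpoint.OtherHashAlgorithm" }]
   uint16 HashAlgorithm;

   // Free-text name, meaningful only when HashAlgorithm == 1.
   [Description (
      "Description of the hash function when the value 1 "
      "(\"Other\") is specified for the property, HashAlgorithm."),
    ModelCorrespondence { "CIM_IKESAEndpoint.HashAlgorithm" }]
   string OtherHashAlgorithm;

   // How the phase 1 peers authenticated each other (PSK, signatures, ...).
   [Description (
      "AuthenticationMethod is an enumeration that specifies the "
      "operation of the IKESAEndpoint. The list of methods was "
      "generated from Appendix A of RFC2409. Note that the "
      "enumeration is different than the RFC list, since the "
      "values of Unknown and Other are taken into account."),
    ValueMap { "0", "1", "2", "3", "4", "5", "6", "7..65000",
      "65001..65535" },
    Values { "Unknown", "Other", "Pre-shared Key", "DSS Signatures",
      "RSA Signatures", "Encryption with RSA",
      "Revised Encryption with RSA", "DMTF/IANA Reserved",
      "Vendor Reserved" },
    MappingStrings { "RFC2409.IETF|Appendix A" },
    ModelCorrespondence {
      "CIM_IKESAEndpoint.OtherAuthenticationMethod" }]
   uint16 AuthenticationMethod;

   // Free-text name, meaningful only when AuthenticationMethod == 1.
   [Description (
      "Description of the method when the value 1 (\"Other\") is "
      "specified for the property, AuthenticationMethod."),
    ModelCorrespondence { "CIM_IKESAEndpoint.AuthenticationMethod" }]
   string OtherAuthenticationMethod;

   // Diffie-Hellman / EC group from RFC2412 Appendix E. Values at or
   // above 0x8000 are vendor-specific and are qualified by VendorID.
   [Description (
      "GroupId specifies the key exchange group ID. If the GroupID "
      "number is from the vendor-specific range (32768-65535), the "
      "VendorID qualifies the group number. Well-known group "
      "identifiers from RFC2412, Appendix E, are: Group 1='768 bit "
      "prime', Group 2='1024 bit prime', Group 3= 'Elliptic Curve "
      "Group with 155 bit field element', Group 4= 'Large Elliptic "
      "Curve Group with 185 bit field element', and Group 5='1536 "
      "bit prime'."),
    ValueMap { "0", "1", "2", "3", "4", "5", "..", "0x8000.." },
    Values { "No Group/Non-Diffie-Hellman Exchange",
      "DH-768 bit prime", "DH-1024 bit prime",
      "EC2N-155 bit field element", "EC2N-185 bit field element",
      "DH-1536 bit prime", "Standard Group - Reserved",
      "Vendor Reserved" },
    MappingStrings { "RFC2412.IETF|Appendix E" },
    ModelCorrespondence { "CIM_IKESAEndpoint.VendorID" }]
   uint16 GroupId;

   // Only meaningful when GroupId is in the vendor range.
   [Description (
      "VendorID identifies the vendor when the value of GroupID is "
      "in the vendor-specific range, 32768 to 65535."),
    ModelCorrespondence { "CIM_IKESAEndpoint.GroupId" }]
   string VendorID;
};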
385
386
387 // ==================================================================
388 // Phase1SAUsedForPhase2
389 // ==================================================================
// -----------------------------------------------------------------
// CIM_Phase1SAUsedForPhase2
// Links a phase 2 IPsec SA to the phase 1 SA under which it was
// negotiated. The Antecedent is typed as the base
// CIM_SecurityAssociationEndpoint (not CIM_IKESAEndpoint) so that
// future non-IKE phase 1 endpoints can fill the same role.
// -----------------------------------------------------------------
[Association, Version ( "2.8.0" ), Description (
   "Phase1SAUsedForPhase2 associates a phase 1 endpoint (such as "
   "an IKESAEndpoint) with an IPsecSAEndpoint that was negotiated "
   "using that phase 1 Security Association.")]
class CIM_Phase1SAUsedForPhase2 : CIM_Dependency {

   // At most one phase 1 SA per phase 2 SA (Max ( 1 )).
   [Override ( "Antecedent" ), Max ( 1 ), Description (
      "Phase 1 SAEndpoint that protected the negotiation of the "
      "phase 2 Security Association. An example of a phase 1 "
      "endpoint is an IKESAEndpoint.")]
   CIM_SecurityAssociationEndpoint REF Antecedent;

   // The resulting phase 2 SA.
   [Override ( "Dependent" ), Description (
      "The phase 2 SAEndpoint.")]
   CIM_IPsecSAEndpoint REF Dependent;
};
406
407
408 // ==================================================================
409 // Security Association Transforms
410 // ==================================================================
411
412 // ==================================================================
413 // SATransform
414 // ==================================================================
// -----------------------------------------------------------------
// CIM_SATransform (abstract)
// Common base for AH, ESP and IPCOMP transforms. Modeled as
// ScopedSettingData and scoped to a System, because the same transform
// is referenced by negotiation policy before any SA exists; the link to
// a specific SA is made later by CIM_TransformOfSecurityAssociation.
// -----------------------------------------------------------------
[Abstract, Version ( "2.8.0" ), Description (
   "SATransform is the base class for the various types of "
   "transforms that are in effect for an existing IPsecSAEndpoint, "
   "or aggregated into phase 2 proposals used during the IPsec "
   "negotiation process. This class is defined as a kind of "
   "ScopedSettingData, since it describes the set of transform "
   "properties that MUST be applied together, if negotiated. This "
   "subclassing is different than that defined in IETF's IPSP "
   "Policy draft - where it is subclassed from Policy. The "
   "definition as SettingData is more consistent with the "
   "application of the properties as a set, to the negotiated "
   "Security Association. \n"
   "\n"
   "Note that an instance of this class is 'scoped' or contained "
   "by a System (either a ComputerSystem or AdminDomain), rather "
   "than by a SecurityAssociationEndpoint. This is indicated by "
   "instantiating the ScopedSetting association, and is necessary "
   "since the transform data is used in IPsec negotiation policies "
   "(also scoped by Systems) before ever being associated with a "
   "SecurityAssociationEndpoint. The latter semantics (i.e., that "
   "'this' transform is negotiated for 'this' Security "
   "Association) is conveyed via a subclass of ElementSettingData, "
   "TransformOfSecurityAssociation."),
 MappingStrings { "IPSP Model.IETF|SATransform" }]
class CIM_SATransform : CIM_ScopedSettingData {

   // Maps to the IETF model's CommonName.
   [Override ( "ElementName" ),
    MappingStrings { "IPSP Model.IETF|SATransform.CommonName" }]
   string ElementName;

   // Proposed time lifetime; 0 again stands for the 8 hour default, the
   // same convention as CIM_SecurityAssociationEndpoint.LifetimeSeconds.
   [Description (
      "MaxLifetimeSeconds specifies the maximum time that the "
      "Security Association should be considered valid after it "
      "has been created. A value of 0, the default, indicates that "
      "8 hours should be used. A non-zero value indicates the "
      "maximum lifetime in seconds."),
    Units ( "Seconds" ),
    MappingStrings { "IPSP "
      "Model.IETF|SATransform.MaxLifetimeSeconds" }]
   uint64 MaxLifetimeSeconds = 0;

   // Proposed volume lifetime; the Description ties the appropriate value
   // to cipher strength, and 0 means no volume limit is proposed at all.
   [Description (
      "MaxLifetimeKilobytes specifies the maximum kilobyte "
      "lifetime for a Security Association. Different lifetimes "
      "are used, depending on the strength of the encryption "
      "algorithm. A value of 0, the default, indicates that no "
      "maximum should be defined. A non-zero value specifies the "
      "desired kilobyte lifetime."),
    Units ( "KiloBytes" ),
    MappingStrings { "IPSP "
      "Model.IETF|SATransform.MaxLifetimeKilobytes" }]
   uint64 MaxLifetimeKilobytes = 0;

   // Empty string (the default) marks a standard, non-vendor transform.
   [Description (
      "VendorID identifies vendor-defined transforms. If this "
      "field is empty (the default), then this is a standard "
      "transform."),
    MappingStrings { "IPSP Model.IETF|SATransform.VendorID" }]
   string VendorID = "";
};
475
476
477 // ==================================================================
478 // TransformOfSecurityAssociation
479 // ==================================================================
// -----------------------------------------------------------------
// CIM_TransformOfSecurityAssociation
// ElementSettingData binding an IPsecSAEndpoint to the one transform
// it is running (Min ( 1 ), Max ( 1 ) on SettingData). Only the
// algorithm selection is exposed through this path; key material is
// deliberately not part of the model.
// -----------------------------------------------------------------
[Association, Version ( "2.8.0" ), Description (
   "TransformOfSecurityAssociation maps a SecurityAssociation "
   "Endpoint with the transform that it uses. For security, no "
   "keying material of the SA is exposed.")]
class CIM_TransformOfSecurityAssociation : CIM_ElementSettingData {

   // Exactly one transform per endpoint.
   [Override ( "SettingData" ), Min ( 1 ), Max ( 1 ), Description (
      "Transform of the IPsecSAEndpoint.")]
   CIM_SATransform REF SettingData;

   // Narrowed from ManagedElement to the phase 2 endpoint type.
   [Override ( "ManagedElement" ), Description (
      "The IPsecSAEndpoint that uses the transform.")]
   CIM_IPsecSAEndpoint REF ManagedElement;
};
494
495
496 // ==================================================================
497 // AHTransform
498 // ==================================================================
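// -----------------------------------------------------------------
// CIM_AHTransform
// Parameters of a phase 2 AH (integrity-only) SA. The transform
// identifiers come from RFC2407 Section 4.4.3.
// Fix: the ReplayPreventionWindowSize Description referred to the
// property as "ReplayPreventionWindowsSize"; it now names the
// property as declared.
// -----------------------------------------------------------------
[Version ( "2.8.0" ), Description (
   "AHTransform defines the parameters used for a phase 2 AH "
   "(Authentication Header) Security Association."),
 MappingStrings { "IPSP Model.IETF|AHTransform" }]
class CIM_AHTransform : CIM_SATransform {

   // NOTE(review): MD5 is listed because RFC2407 lists it; tooling that
   // reads this value should treat it as legacy rather than as a
   // recommended setting.
   [Description (
      "AHTransformId is an enumeration that specifies the hash "
      "algorithm to be used. The list of values was generated from "
      "RFC2407, Section 4.4.3."),
    ValueMap { "1", "2", "3", "4" },
    Values { "Other", "MD5", "SHA-1", "DES" },
    MappingStrings { "IPSP Model.IETF|AHTransform.AHTransformID",
      "RFC2407.IETF|Section 4.4.3" },
    ModelCorrespondence { "CIM_AHTransform.OtherAHTransformId" }]
   uint16 AHTransformId;

   // Free-text name, meaningful only when AHTransformId == 1.
   [Description (
      "Description of the hash algorithm when the value 1 "
      "(\"Other\") is specified for the property, AHTransformId."),
    ModelCorrespondence { "CIM_AHTransform.AHTransformId" }]
   string OtherAHTransformId;

   // Enables sequence-number based anti-replay on this SA.
   [Description (
      "UseReplayPrevention causes the local peer to enable replay "
      "prevention detection. This can be accomplished by using a "
      "sequence number when sending a packet or checking the "
      "sequence number upon receipt of a packet."),
    MappingStrings { "IPSP "
      "Model.IETF|AHTransform.UseReplayPrevention" }]
   boolean UseReplayPrevention;

   // The schema cannot express the "power of 2" constraint or the
   // dependency on UseReplayPrevention; providers must validate both.
   [Description (
      "ReplayPreventionWindowSize specifies, in bits, the length "
      "of the sliding window used by the replay prevention "
      "mechanism. The value of this property is meaningless if "
      "UseReplayPrevention is false. The window size MUST be a "
      "power of 2."),
    Units ( "Bits" ),
    MappingStrings { "IPSP "
      "Model.IETF|AHTransform.ReplayPreventionWindowSize" }]
   uint32 ReplayPreventionWindowSize;
};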
542
543
544 // ==================================================================
545 // ESPTransform
546 // ==================================================================
547 tony 1.1 [Version ( "2.8.0" ), Description (
548 "ESPTransform defines the parameters used for a phase 2 ESP "
549 "(Encapsulating Security Protocol) Security Association."),
550 MappingStrings { "IPSP Model.IETF|ESPTransform" }]
551 class CIM_ESPTransform : CIM_SATransform {
552
553 [Description (
554 "IntegrityTransformId is an enumeration that specifies the "
555 "ESP integrity algorithm to be used. The list of values is "
556 "generated from the enumeration defined in RFC2407, Section "
557 "4.5. Note that the enumeration is different than the RFC "
558 "list, since the values of Other and None are taken into "
559 "account. Also, note that 2 (\"None\") is used when ESP is "
560 "negotiated without authentication."),
561 ValueMap { "1", "2", "3", "4", "5", "6", "7..61439",
562 "61440-65535" },
563 Values { "Other", "None", "MD5", "SHA-1", "DES", "KPDK",
564 "DMTF/IANA Reserved", "Vendor Reserved" },
565 MappingStrings { "IPSP "
566 "Model.IETF|ESPTransform.IntegrityTransformId",
567 "RFC2407.IETF|Section 4.5" },
568 tony 1.1 ModelCorrespondence {
569 "CIM_ESPTransform.OtherIntegrityTransformId" }]
570 uint16 IntegrityTransformId;
571
572 [Description (
573 "Description of the integrity algorithm when the value 1 "
574 "(\"Other\") is specified for the property, "
575 "IntegrityTransformId."),
576 ModelCorrespondence { "CIM_ESPTransform.IntegrityTransformId" }]
577 string OtherIntegrityTransformId;
578
579 [Description (
580 "CipherTransformId is an enumeration that specifies the ESP "
581 "encrypion algorithm to be used. The list of values is "
582 "defined in RFC2407, Section 4.4.4, where the RFC's NULL "
583 "value maps to 2-\"None\". Note that the enumeration is "
584 "different than the RFC list, since 'Other' is added to the "
585 "enumeration."),
586 ValueMap { "1", "2", "3", "4", "5", "6", "7", "8", "9", "10",
587 "11", "12" },
588 Values { "Other", "None", "DES_IV64", "DES", "3DES", "RC5",
589 tony 1.1 "IDEA", "CAST", "Blowfish", "3-IDEA", "DES_IV32", "RC4" },
590 MappingStrings { "IPSP "
591 "Model.IETF|ESPTransform.CipherTransformId",
592 "RFC2407.IETF|Section 4.4.4" },
593 ModelCorrespondence { "CIM_ESPTransform.OtherCipherTransformId"
594 }]
595 uint16 CipherTransformId;
596
597 [Description (
598 "Description of the encryption algorithm when the value 1 "
599 "(\"Other\") is specified for the property, "
600 "CipherTransformId."),
601 ModelCorrespondence { "CIM_ESPTransform.CipherTransformId" }]
602 string OtherCipherTransformId;
603
604 [Description (
605 "CipherKeyLength specifies, in bits, the key length for the "
606 "encryption algorithm. For algorithms with fixed key "
607 "lengths, this value is ignored."),
608 Units ( "Bits" ),
609 MappingStrings { "IPSP Model.IETF|ESPTransform.CipherKeyLength"
610 tony 1.1 }]
611 uint16 CipherKeyLength;
612
613 [Description (
614 "CipherKeyRounds specifies the key rounds for the encryption "
615 "algorithm. For algorithms with a fixed number of key "
616 "rounds, this value is ignored. Currently, key rounds are "
617 "NOT defined for any ESP encryption algorithms."),
618 MappingStrings { "IPSP Model.IETF|ESPTransform.CipherKeyRounds"
619 }]
620 uint16 CipherKeyRounds;
621
622 [Description (
623 "UseReplayPrevention causes the local peer to enable replay "
624 "prevention detection. This can be accomplished by using a "
625 "sequence number when sending a packet or checking the "
626 "sequence number upon receipt of a packet."),
627 MappingStrings { "IPSP "
628 "Model.IETF|ESPTransform.UseReplayPrevention" }]
629 boolean UseReplayPrevention;
630
631 tony 1.1 [Description (
632 "ReplayPreventionWindowsSize specifies, in bits, the length "
633 "of the sliding window used by the replay prevention "
634 "mechanism. The value of this property is meaningless if "
635 "UseReplayPrevention is false. The window size MUST be a "
636 "power of 2."),
637 Units ( "Bits" ),
638 MappingStrings { "IPSP "
639 "Model.IETF|ESPTransform.ReplayPreventionWindowSize" }]
640 uint32 ReplayPreventionWindowSize;
641 };
642
643
644 // ==================================================================
645 // IPCOMPTransform
646 // ==================================================================
// -----------------------------------------------------------------
// CIM_IPCOMPTransform
// Payload compression transform. Algorithm values follow RFC2407
// Section 4.4.5 with 'Other' added; value 2 defers to PrivateAlgorithm
// and value 1 to OtherAlgorithm (both listed in ModelCorrespondence).
// -----------------------------------------------------------------
[Version ( "2.8.0" ), Description (
   "The IPCOMPTransform specifies the IP compression algorithm to "
   "use for payload of the Security Association."),
 MappingStrings { "IPSP Model.IETF|IPCOMPTransform" }]
class CIM_IPCOMPTransform : CIM_SATransform {

   // Which of the two companion properties applies depends on this value.
   [Description (
      "The Algorithm is an enumeration that designates the IPCOMP "
      "compression algorithm to use. Its values are generated from "
      "RFC2407, Section 4.4.5. Note that the values are modified "
      "from the RFC, since 'Other' must be taken into account."),
    ValueMap { "1", "2", "3", "4" },
    Values { "Other", "Vendor Algorithm/OUI", "DEFLATE", "LZS" },
    MappingStrings { "IPSP Model.IETF|IPCOMPTransform.Algorithm",
      "RFC2407.IETF|Section 4.4.5" },
    ModelCorrespondence { "CIM_IPCOMPTransform.PrivateAlgorithm",
      "CIM_IPCOMPTransform.OtherAlgorithm" }]
   uint16 Algorithm;

   // Free-text name, meaningful only when Algorithm == 1.
   [Description (
      "Description of the compression algorithm when the value 1 "
      "(\"Other\") is specified for the property, Algorithm."),
    ModelCorrespondence { "CIM_IPCOMPTransform.Algorithm" }]
   string OtherAlgorithm;

   // Numeric vendor algorithm, meaningful only when Algorithm == 2.
   [Description (
      "A private compression algorithm, used when the Algorithm "
      "property is set to 2, \"Vendor Algorithm/OUI\"."),
    MappingStrings { "IPSP "
      "Model.IETF|IPCOMPTransform.PrivateAlgorithm" },
    ModelCorrespondence { "CIM_IPCOMPTransform.Algorithm" }]
   uint32 PrivateAlgorithm;

   // Expressed as log2 of the maximum dictionary size, per the Description.
   [Description (
      "DictionarySize is an optional field that specifies the log2 "
      "maximum size of the dictionary for the compression "
      "algorithm. For dictionaries that have a fixed size, this "
      "value is ignored."),
    MappingStrings { "IPSP "
      "Model.IETF|IPCOMPTransform.DictionarySize" }]
   uint16 DictionarySize;
};
689
690
691 // ===================================================================
692 // end of file
693 // ===================================================================