1 a.dunfey 1.1 // ===================================================================
2 // Title: CIM_IPsecPolicy
3 // $State: Exp $
4 // $Date: 2004/11/29 18:31:41 $
5 // $RCSfile: CIM_IPsecPolicy.mof,v $
6 // $Revision: 1.5.2.3 $
7 // ===================================================================
8 //#pragma inLine ("Includes/copyright.inc")
9 // Copyright 1998-2005 Distributed Management Task Force, Inc. (DMTF).
10 // All rights reserved.
11 // DMTF is a not-for-profit association of industry members dedicated
12 // to promoting enterprise and systems management and interoperability.
13 // DMTF specifications and documents may be reproduced for uses
14 // consistent with this purpose by members and non-members,
15 // provided that correct attribution is given.
16 // As DMTF specifications may be revised from time to time,
17 // the particular version and release date should always be noted.
18 //
19 // Implementation of certain elements of this standard or proposed
20 // standard may be subject to third party patent rights, including
21 // provisional patent rights (herein "patent rights"). DMTF makes
22 a.dunfey 1.1 // no representations to users of the standard as to the existence
23 // of such rights, and is not responsible to recognize, disclose, or
24 // identify any or all such third party patent right, owners or
25 // claimants, nor for any incomplete or inaccurate identification or
26 // disclosure of such rights, owners or claimants. DMTF shall have no
27 // liability to any party, in any manner or circumstance, under any
28 // legal theory whatsoever, for failure to recognize, disclose, or
29 // identify any such third party patent rights, or for such party's
30 // reliance on the standard or incorporation thereof in its product,
31 // protocols or testing procedures. DMTF shall have no liability to
32 // any party implementing such standard, whether such implementation
33 // is foreseeable or not, nor to any patent owner or claimant, and shall
34 // have no liability or responsibility for costs or losses incurred if
35 // a standard is withdrawn or modified after publication, and shall be
36 // indemnified and held harmless by any party implementing the
37 // standard from any and all claims of infringement by a patent owner
38 // for such implementations.
39 //
40 // For information about patents held by third-parties which have
41 // notified the DMTF that, in their opinion, such patent may relate to
42 // or impact implementations of DMTF standards, visit
43 a.dunfey 1.1 // http://www.dmtf.org/about/policies/disclosures.php.
44 //#pragma inLine
45 // ===================================================================
46 // Description: This file defines the classes to negotiate
47 // an IPsec security association.
48 //
49 // The object classes below are listed in an order that
50 // avoids forward references. Required objects, defined
51 // by other working groups, are omitted.
52 // ==================================================================
53 // This model was originally introduced in CIM V2.6 Preliminary and
54 // was not promoted to Final status. The following CR updates the
55 // V2.6 MOF and better aligns it with the IETF I-D from the IPSP
56 // Working Group.
57 //
58 // Change Log for v2.8 Preliminary
59 // CR1026 - Modifications to the V2.6 MOF for IPsec management
60 // CR1105 - Generalize the SACondition class to be FilterCondition
61 // & move the classes to the Policy model.
62 // Generalize SAConditionInRule to be PacketConditionInSARule.
63 // Change Log for v2.8 Final
64 a.dunfey 1.1 //
65 // ===================================================================
66
67 #pragma Locale ("en_US")
68
69 // ==================================================================
70 // Compile prerequisite: Core, Policy and Network MOFs
71 // ==================================================================
72
73
74 // ==================================================================
75 // IPsec Negotiation Policy Rules
76 // ==================================================================
77
78 // ==================================================================
79 // SARule
80 // ==================================================================
81 [Version ( "2.8.0" ), Description (
82 "SARule is a base class for defining IKE and IPsec Rules. "
83 "Although concrete (because it subclasses from a concrete "
84 "class), it is not intended to be instantiated. It defines a "
85 a.dunfey 1.1 "common connection point for associating conditions and actions "
86 "for both types of rules. Note that each valid PolicyGroup "
87 "containing SARules MUST use a unique priority number for the "
88 "Rule in the aggregation, PolicySetComponent.Priority."),
89 MappingStrings { "IPSP Policy Model.IETF|SARule" }]
90 class CIM_SARule : CIM_PolicyRule {
91
92 [Description (
93 "LimitNegotiation is used as part of processing either a key "
94 "exchange or IPsec Rule. Before proceeding with either a "
95 "phase 1 or a phase 2 negotiation, this property is checked "
96 "to determine if the negotiation role of the Rule matches "
97 "that defined for the negotiation being undertaken (e.g., "
98 "Initiator, Responder, or Both). If this check fails, then "
99 "the negotiation is stopped. Note that this only applies to "
100 "new negotiations and has no effect on either renegotiation "
101 "or refresh operations with peers for which an established "
102 "Security Association already exists."),
103 ValueMap { "1", "2", "3" },
104 Values { "Initiator-Only", "Responder-Only", "Either" },
105 MappingStrings { "IPSP Policy "
106 a.dunfey 1.1 "Model.IETF|SARule.LimitNegotiation" }]
107 uint16 LimitNegotiation;
108 };
109
110
111 // ==================================================================
112 // RuleThatGeneratedSA
113 // ==================================================================
114 [Association, Version ( "2.8.0" ), Description (
115 "RuleThatGeneratedSA associates a SecurityAssociationEndpoint "
116 "with the SARule used to generate (or negotiate) it.")]
117 class CIM_RuleThatGeneratedSA : CIM_Dependency {
118
119 [Override ( "Antecedent" ), Min ( 0 ), Max ( 1 ), Description (
120 "SARule that led to the Security Association.")]
121 CIM_SARule REF Antecedent;
122
123 [Override ( "Dependent" ), Description (
124 "SecurityAssociationEndpoint created using the rule.")]
125 CIM_SecurityAssociationEndpoint REF Dependent;
126 };
127 a.dunfey 1.1
128
129 // ==================================================================
130 // IKERule
131 // ==================================================================
132 [Version ( "2.8.0" ), Description (
133 "IKERule contains the Conditions and Actions for IKE phase 1 "
134 "negotiations or to specify static actions such as Discard."),
135 MappingStrings { "IPSP Policy Model.IETF|IKERule" }]
136 class CIM_IKERule : CIM_SARule {
137
138 [Description (
139 "An IP endpoint may have multiple identities for use in "
140 "different situations. The IdentityContext property "
141 "specifies the specific context/identities which pertain to "
142 "this Rule. The property's function is similar to that of "
143 "PolicyRoles. A context may be a VPN name or other "
144 "identifier that selects the appropriate identity. \n"
145 "\n"
146 "IdentityContext is an array of strings. The multiple values "
147 "in the array are logically ORed together in matching an "
148 a.dunfey 1.1 "IPNetworkIdentity's IdentityContext. Each value in the "
149 "array may be a composition of multiple context names. When "
150 "an array value is a composition, the individual values are "
151 "logically ANDed together for evaluation purposes. The "
152 "syntax is: \n"
153 "<ContextName>[&&<ContextName>]* \n"
154 "where the individual context names appear in alphabetical "
155 "order (according to the collating sequence for UCS-2). So, "
156 "for example, the values 'CompanyXVPN', "
157 "'CompanyYVPN&&TopSecret', 'CompanyZVPN&&Confidential' are "
158 "possible contexts for a Rule. They are matched against an "
159 "IPNetworkIdentity's IdentityContext. Any of the values may "
160 "indicate a match and select an Identity, since the values "
161 "in the array are logically ORed."),
162 MappingStrings { "IPSP Policy "
163 "Model.IETF|IKERule.IdentityContexts" },
164 ModelCorrespondence { "CIM_IdentityContext" }]
165 string IdentityContexts[];
166 };
167
168
169 a.dunfey 1.1 // ==================================================================
170 // IPsecRule
171 // ==================================================================
172 [Version ( "2.8.0" ), Description (
173 "IPsecRule contains the Conditions and Actions for phase 2 "
174 "negotiations or to specify static actions such as Discard."),
175 MappingStrings { "IPSP Policy Model.IETF|IPsecRule" }]
176 class CIM_IPsecRule : CIM_SARule {
177 };
178
179
180 // ==================================================================
181 // IPsecPolicyForSystem
182 // ==================================================================
183 [Association, Version ( "2.8.0" ), Description (
184 "IPsecPolicyForSystem associates a PolicyGroup with a specific "
185 "system (e.g., a host or a network device) - indicating that "
186 "this is the 'default' IPsec policy for that system. The "
187 "referenced PolicyGroup would be used for any "
188 "IPProtocolEndpoint's IPsec negotiations, UNLESS the "
189 "IPsecPolicyForEndpoint association is defined. "
190 a.dunfey 1.1 "IPsecPolicyForEndpoint indicates a more specific PolicyGroup "
191 "for IPsec negotiations for the endpoint."),
192 MappingStrings { "IPSP Policy Model.IETF|IPsecPolicyForSystem" }]
193 class CIM_IPsecPolicyForSystem : CIM_Dependency {
194
195 [Override ( "Antecedent" ), Description (
196 "A System to which the PolicyGroup applies."),
197 MappingStrings { "IPSP Policy "
198 "Model.IETF|IPsecPolicyForSystem.Antecedent" }]
199 CIM_System REF Antecedent;
200
201 [Override ( "Dependent" ), Min ( 0 ), Max ( 1 ), Description (
202 "The PolicyGroup that defines the 'default' IPsec "
203 "negotiation policy for the System."),
204 MappingStrings { "IPSP Policy "
205 "Model.IETF|IPsecPolicyForSystem.Dependent" }]
206 CIM_PolicyGroup REF Dependent;
207 };
208
209
210 // ==================================================================
211 a.dunfey 1.1 // IPsecPolicyForEndpoint
212 // ==================================================================
213 [Association, Version ( "2.8.0" ), Description (
214 "IPsecPolicyForEndpoint associates a PolicyGroup with a "
215 "specific IP endpoint. This association's policies take "
216 "priority over any PolicyGroup defined generically for the "
217 "hosting system. The latter is defined using the "
218 "IPsecPolicyForSystem association."),
219 MappingStrings { "IPSP Policy Model.IETF|IPsecPolicyForEndpoint" }]
220 class CIM_IPsecPolicyForEndpoint : CIM_Dependency {
221
222 [Override ( "Antecedent" ), Description (
223 "The IPProtocolEndpoint that identifies an interface to "
224 "which the PolicyGroup applies."),
225 MappingStrings { "IPSP Policy "
226 "Model.IETF|IPsecPolicyForEndpoint.Antecedent" }]
227 CIM_IPProtocolEndpoint REF Antecedent;
228
229 [Override ( "Dependent" ), Min ( 0 ), Max ( 1 ), Description (
230 "The PolicyGroup that defines the IPsec negotiation policy "
231 "for the Endpoint."),
232 a.dunfey 1.1 MappingStrings { "IPSP Policy "
233 "Model.IETF|IPsecPolicyForEndpoint.Dependent" }]
234 CIM_PolicyGroup REF Dependent;
235 };
236
237
238 // ==================================================================
239 // IPsec Negotiation Policy Conditions
240 // ==================================================================
241
242 // ==================================================================
243 // PacketConditionInSARule
244 // ==================================================================
245 [Association, Aggregation, Version ( "2.8.0" ), Description (
246 "PacketConditionInSARule aggregates an SARule with at least one "
247 "instance of PacketFilterCondition. This is a specialization of "
248 "the PolicyConditionInPolicyRule association."),
249 MappingStrings { "IPSP Policy Model.IETF|SAConditionInRule" }]
250 class CIM_PacketConditionInSARule : CIM_PolicyConditionInPolicyRule {
251
252 [Aggregate, Override ( "GroupComponent" ), Description (
253 a.dunfey 1.1 "An SARule subclass of PolicyRule."),
254 MappingStrings { "IPSP Policy "
255 "Model.IETF|SAConditionInRule.GroupComponent" }]
256 CIM_SARule REF GroupComponent;
257
258 [Override ( "PartComponent" ), Min ( 1 ), Description (
259 "An SACondition that is required for the SARule."),
260 MappingStrings { "IPSP Policy "
261 "Model.IETF|SAConditionInRule.PartComponent" }]
262 CIM_PacketFilterCondition REF PartComponent;
263 };
264
265
266 // ==================================================================
267 // IPsec Negotiation Policy Actions - Static and Negotiated
268 // ==================================================================
269
270 // ==================================================================
271 // SAAction
272 // ==================================================================
273 [Abstract, Version ( "2.8.0" ), Description (
274 a.dunfey 1.1 "SAAction is the base class for the various types of key "
275 "exchange or IPsec actions. It is abstract and used to "
276 "categorize the different types of actions of SARules."),
277 MappingStrings { "IPSP Policy Model.IETF|SAAction" }]
278 class CIM_SAAction : CIM_PolicyAction {
279
280 [Description (
281 "DoPacketLogging causes a log message to be generated when "
282 "the action is applied to a packet."),
283 MappingStrings { "IPSP Policy "
284 "Model.IETF|SAAction.DoPacketLogging" },
285 ModelCorrespondence {
286 "CIM_SecurityAssociationEndpoint.PacketLoggingActive" }]
287 boolean DoPacketLogging;
288 };
289
290
291 // ==================================================================
292 // SAStaticAction
293 // ==================================================================
294 [Version ( "2.8.0" ), Description (
295 a.dunfey 1.1 "SAStaticAction is the base class for both key exchange as well "
296 "as IPsec actions that require no negotiation. It is a concrete "
297 "class that can be aggregated with other subclasses of "
298 "PolicyAction (such as NetworkPacketAction) into a PolicyRule, "
299 "to describe how packets are handled throughout the lifetime of "
300 "the Security Association."),
301 MappingStrings { "IPSP Policy Model.IETF|SAStaticAction" }]
302 class CIM_SAStaticAction : CIM_SAAction {
303
304 [Description (
305 "LifetimeSeconds specifies how long the SA created from this "
306 "action should be used/exist. A value of 0 means an infinite "
307 "lifetime. A non-zero value is typically used in conjunction "
308 "with alternate SAActions performed when there is a "
309 "negotiation failure of some sort. \n"
310 "\n"
311 "Note: If the referenced SAStaticAction object IS-A "
312 "PreconfiguredSAAction (that is associated to several "
313 "SATransforms), then the actual lifetime of the Security "
314 "Association will be the lesser of the value of this "
315 "LifetimeSeconds property and of the value of the "
316 a.dunfey 1.1 "MaxLifetimeSeconds property of the associated SATransform."),
317 Units ( "Seconds" ),
318 MappingStrings { "IPSP Policy "
319 "Model.IETF|SAStaticAction.LifetimeSeconds" },
320 ModelCorrespondence {
321 "CIM_SecurityAssociationEndpoint.LifetimeSeconds" }]
322 uint64 LifetimeSeconds;
323 };
324
325
326 // ==================================================================
327 // PreconfiguredSAAction
328 // ==================================================================
329 [Version ( "2.8.0" ), Description (
330 "Subclasses of PreconfiguredSAAction are used to create SAs "
331 "using preconfigured, hard-wired algorithms and keys. No "
332 "negotiation is necessary. Note that this class is defined as "
333 "concrete, since its superclass is also concrete. However, it "
334 "should not be directly instantiated, but one of its subclasses "
335 "used instead. \n"
336 "\n"
337 a.dunfey 1.1 "Also note that: \n"
338 "- The SPI for a preconfigured SA action is contained in the "
339 "association, TransformOfPreconfiguredAction. \n"
340 "- The session key (if applicable) is contained in an instance "
341 "of SharedSecret. For an instance of the SharedSecret class: "
342 "The session key is stored in the Secret property; the property "
343 "protocol contains one of the values, \"ESP-encrypt\", "
344 "\"ESP-auth\" or \"AH\"; and, the class' property algorithm "
345 "contains the algorithm used to protect the secret. (The latter "
346 "can be \"PLAINTEXT\" if the IPsec entity has no secret "
347 "storage.) The value of the class' RemoteID property is the "
348 "concatenation of the remote IPsec peer IP address in dotted "
349 "decimal, of the character \"/\", of \"IN\" (or respectively "
350 "\"OUT\") for inbound/outbound SAs, of the character \"/\" and "
351 "of the hexadecimal representation of the SPI."),
352 MappingStrings { "IPSP Policy Model.IETF|PreconfiguredSAAction" }]
353 class CIM_PreconfiguredSAAction : CIM_SAStaticAction {
354
355 [Description (
356 "LifetimeKilobytes defines a traffic limit in kilobytes that "
357 "can be consumed before the SA is deleted. A value of zero "
358 a.dunfey 1.1 "(the default) indicates that there is no lifetime "
359 "associated with this action (i.e., infinite lifetime). A "
360 "non-zero value is used to indicate that after this number "
361 "of kilobytes has been consumed the SA must be deleted. \n"
362 "\n"
363 "Note that the actual lifetime of the preconfigured SA will "
364 "be the lesser of the value of this LifetimeKilobytes "
365 "property and the value of the MaxLifetimeKilobytes property "
366 "of the associated SATransform. Also note that some SA "
367 "negotiation protocols (such as IKE) can negotiate the "
368 "lifetime as an arbitrary length field, it is assumed that a "
369 "64-bit integer will be sufficient."),
370 Units ( "KiloBytes" ),
371 MappingStrings { "IPSP Policy Model.IETF|PreconfiguredSAAction."
372 "LifetimeKilobytes" },
373 ModelCorrespondence {
374 "CIM_SecurityAssociationEndpoint.LifetimeKilobytes" }]
375 uint64 LifetimeKilobytes;
376 };
377
378
379 a.dunfey 1.1 // ==================================================================
380 // TransformOfPreconfiguredAction
381 // ==================================================================
382 [Association, Version ( "2.8.0" ), Description (
383 "TransformOfPreconfiguredAction defines the transforms used by "
384 "a preconfigured IPsec action. Two, four or six SATransforms "
385 "can be associated to a PreconfiguredSAAction (applied to the "
386 "inbound and outbound traffic, as indicated by the Direction "
387 "property of this association). The order of application of the "
388 "SATransforms is implicitly defined in RFC2401."),
389 MappingStrings { "IPSP Policy "
390 "Model.IETF|TransformOfPreconfiguredAction" }]
391 class CIM_TransformOfPreconfiguredAction : CIM_Dependency {
392
393 [Override ( "Antecedent" ), Min ( 2 ), Max ( 6 ), Description (
394 "This defines the type of transform used by the referenced "
395 "PreconfiguredSAAction. A minimum of 2 and maximum of 6 "
396 "transforms can be defined, for the inbound/outbound "
397 "directions, representing AH, ESP, and/or an IPCOMP "
398 "transforms."),
399 MappingStrings { "IPSP Policy Model.IETF|"
400 a.dunfey 1.1 "TransformOfPreconfiguredAction.Antecedent" }]
401 CIM_SATransform REF Antecedent;
402
403 [Override ( "Dependent" ), Description (
404 "This defines the PreconfiguredSAAction which uses the AH, "
405 "ESP, and/or IPCOMP transforms."),
406 MappingStrings { "IPSP Policy Model.IETF|"
407 "TransformOfPreconfiguredAction.Dependent" }]
408 CIM_PreconfiguredSAAction REF Dependent;
409
410 [Description (
411 "The SPI property specifies the security parameter index to "
412 "be used by the pre-configured action for the associated "
413 "transform."),
414 MappingStrings { "IPSP Policy Model.IETF|"
415 "TransformOfPreconfiguredAction.SPI" },
416 ModelCorrespondence { "CIM_IPsecSAEndpoint.SPI" }]
417 uint32 SPI;
418
419 [Description (
420 "InboundDirection specifies whether the SA applies to "
421 a.dunfey 1.1 "inbound (TRUE) or outbound (FALSE) traffic."),
422 MappingStrings { "IPSP Policy Model.IETF|"
423 "TransformOfPreconfiguredAction.Direction" },
424 ModelCorrespondence { "CIM_IPsecSAEndpoint.InboundDirection" }]
425 boolean InboundDirection;
426 };
427
428
429 // ==================================================================
430 // PreconfiguredTransportAction
431 // ==================================================================
432 [Version ( "2.8.0" ), Description (
433 "PreconfiguredTransportAction is used to create transport-mode "
434 "SAs using preconfigured, hard-wired algorithms and keys. Note "
435 "that the SPI for a preconfigured SA action is contained in the "
436 "association, TransformOfPreconfiguredAction."),
437 MappingStrings { "IPSP Policy "
438 "Model.IETF|PreconfiguredTransportAction" }]
439 class CIM_PreconfiguredTransportAction : CIM_PreconfiguredSAAction {
440 };
441
442 a.dunfey 1.1
443 // ==================================================================
444 // PreconfiguredTunnelAction
445 // ==================================================================
446 [Version ( "2.8.0" ), Description (
447 "PreconfiguredTunnelAction is used to create tunnel-mode SAs "
448 "using preconfigured, hard-wired algorithms and keys. Note that "
449 "the SPI for a preconfigured SA action is contained in the "
450 "association, TransformOfPreconfiguredAction."),
451 MappingStrings { "IPSP Policy Model.IETF|PreconfiguredTunnelAction"
452 }]
453 class CIM_PreconfiguredTunnelAction : CIM_PreconfiguredSAAction {
454
455 [Description (
456 "DFHandling controls how the Don't Fragment bit is managed "
457 "by the tunnel."),
458 ValueMap { "2", "3", "4" },
459 Values { "Copy from Internal to External IP Header",
460 "Set DF Bit in External Header to 1",
461 "Set DF Bit in External Header to 0" },
462 MappingStrings { "IPSP Policy Model.IETF|"
463 a.dunfey 1.1 "PreconfiguredTunnelAction.DFHandling" },
464 ModelCorrespondence { "CIM_IPsecSAEndpoint.DFHandling" }]
465 uint16 DFHandling;
466 };
467
468
469 // ==================================================================
470 // PeerGatewayForPreconfiguredTunnel
471 // ==================================================================
472 [Association, Version ( "2.8.0" ), Description (
473 "PeerGatewayForPreconfiguredTunnel identifies at most one "
474 "security gateway be used in constructing a preconfigured "
475 "tunnel. A security gateway is simply a particular instance of "
476 "RemoteServiceAccessPoint."),
477 MappingStrings { "IPSP Policy "
478 "Model.IETF|PeerGatewayForPreconfiguredTunnel" }]
479 class CIM_PeerGatewayForPreconfiguredTunnel : CIM_Dependency {
480
481 [Override ( "Antecedent" ), Max ( 1 ), Description (
482 "Security gateway for the preconfigured SA."),
483 MappingStrings { "IPSP Policy Model.IETF|"
484 a.dunfey 1.1 "PeerGatewayForPreconfiguredTunnel.Antecedent" }]
485 CIM_RemoteServiceAccessPoint REF Antecedent;
486
487 [Override ( "Dependent" ), Description (
488 "The PreconfiguredTunnelAction that requires a security "
489 "gateway."),
490 MappingStrings { "IPSP Policy Model.IETF|"
491 "PeerGatewayForPreconfiguredTunnel.Dependent" }]
492 CIM_PreconfiguredTunnelAction REF Dependent;
493 };
494
495
496 // ==================================================================
497 // SANegotiationAction
498 // ==================================================================
499 [Abstract, Version ( "2.8.0" ), Description (
500 "SANegotiationAction is the base class for negotiated SAs. It "
501 "is abstract, specifying the common parameters that control the "
502 "IPsec phase 1 and phase 2 negotiations."),
503 MappingStrings { "IPSP Policy Model.IETF|SANegotiationAction",
504 "IPSP Policy Model.IETF|IKENegotiationAction" }]
505 a.dunfey 1.1 class CIM_SANegotiationAction : CIM_SAAction {
506
507 [Description (
508 "MinLifetimeSeconds prevents certain denial of service "
509 "attacks where the peer requests an arbitrarily low lifetime "
510 "value, causing renegotiations with expensive Diffie-Hellman "
511 "operations. The property specifies the minimum lifetime, in "
512 "seconds, that will be accepted from the peer. A value of "
513 "zero (the default) indicates that there is no minimum "
514 "value. A non-zero value specifies the minimum seconds "
515 "lifetime."),
516 Units ( "Seconds" ),
517 MappingStrings { "IPSP Policy Model.IETF|"
518 "IKENegotiationAction.MinLifetimeSeconds" },
519 ModelCorrespondence {
520 "CIM_SecurityAssociationEndpoint.LifetimeSeconds" }]
521 uint64 MinLifetimeSeconds = 0;
522
523 [Description (
524 "IdleDurationSeconds is the time an SA can remain idle "
525 "(i.e., no traffic protected using the security association) "
526 a.dunfey 1.1 "before it is automatically deleted. The default (zero) "
527 "value indicates that there is no idle duration timer and "
528 "that the SA is deleted based upon the SA seconds and "
529 "kilobyte lifetimes. Any non-zero value indicates the number "
530 "of seconds that the SA may remain unused."),
531 Units ( "Seconds" ),
532 MappingStrings { "IPSP Policy Model.IETF|"
533 "IKENegotiationAction.IdleDurationSeconds" },
534 ModelCorrespondence {
535 "CIM_SecurityAssociationEndpoint.IdleDurationSeconds" }]
536 uint64 IdleDurationSeconds = 0;
537
538 [Description (
539 "MinLifetimeKilobytes prevents certain denial of service "
540 "attacks where the peer requests an arbitrarily low lifetime "
541 "value, causing renegotiations with expensive Diffie-Hellman "
542 "operations. The property specifies the minimum lifetime, in "
543 "kilobytes, that will be accepted from the peer. A value of "
544 "zero (the default) indicates that there is no minimum "
545 "value. A non-zero value specifies the minimum kilobytes "
546 "lifetime. Note that there has been considerable debate "
547 a.dunfey 1.1 "regarding the usefulness of applying kilobyte lifetimes to "
548 "phase 1 security associations, so it is likely that this "
549 "property will only apply to the subclass, IPsecAction."),
550 Units ( "KiloBytes" ),
551 MappingStrings { "IPSP Policy Model.IETF|"
552 "IKENegotiationAction.MinLifetimeKilobytes" },
553 ModelCorrespondence {
554 "CIM_SecurityAssociationEndpoint.LifetimeKilobytes" }]
555 uint64 MinLifetimeKilobytes = 0;
556 };
557
558
559 // ==================================================================
560 // IKEAction
561 // ==================================================================
562 [Version ( "2.8.0" ), Description (
563 "IKEAction specifies the parameters to use for an IPsec IKE "
564 "phase 1 negotiation."),
565 MappingStrings { "IPSP Policy Model.IETF|IKEAction" }]
566 class CIM_IKEAction : CIM_SANegotiationAction {
567
568 a.dunfey 1.1 [Description (
569 "The ExchangeMode designates the mode IKE should use for its "
570 "key negotiations."),
571 ValueMap { "2", "3", "4" },
572 Values { "Base", "Main", "Aggressive" },
573 MappingStrings { "IPSP Policy "
574 "Model.IETF|IKEAction.ExchangeMode" }]
575 uint16 ExchangeMode;
576
577 [Description (
578 "UseIKEIdentityType specifies what network identity type "
579 "should be used when negotiating with the peer. It is used "
580 "in conjunction with the available IPNetworkIdentity "
581 "instances, that are associated with an IPProtocolEndpoint."),
582 ValueMap { "1", "2", "3", "4", "5", "6", "7", "8", "9", "10",
583 "11", "12", "..", "0x8000.." },
584 Values { "Other", "IPV4 Address", "FQDN", "User FQDN",
585 "IPV4 Subnet Address", "IPV6 Address", "IPV6 Subnet Address",
586 "IPV4 Address Range", "IPV6 Address Range", "DER ASN1 DN",
587 "DER ASN1 GN", "KEY ID", "DMTF Reserved", "Vendor Reserved" },
588 MappingStrings { "IPSP Policy "
589 a.dunfey 1.1 "Model.IETF|IKEAction.UseIKEIdentityType",
590 "RFC2407.IETF|Section 4.6.2.1" },
591 ModelCorrespondence { "CIM_IPNetworkIdentity.IdentityType" }]
592 uint16 UseIKEIdentityType;
593
594 [Description (
595 "VendorID specifies the value to be used in the Vendor ID "
596 "payload. An empty string (the default) means that the "
597 "Vendor ID payload will not be generated or accepted. A "
598 "non-NULL value means that a Vendor ID payload will be "
599 "generated (when acting as an initiator) or is expected "
600 "(when acting as a responder)."),
601 MappingStrings { "IPSP Policy Model.IETF|IKEAction.VendorID" }]
602 string VendorID = "";
603
604 [Description (
605 "When IKEAction.ExchangeMode is set to \"Aggressive\" (4), "
606 "this property specifies the key exchange groupID to use in "
607 "the first packets of the phase 1 negotiation. This property "
608 "is ignored unless the ExchangeMode is 'aggressive'. If the "
609 "GroupID number is from the vendor- specific range "
610 a.dunfey 1.1 "(32768-65535), the VendorID qualifies the group number. "
611 "Well-known group identifiers from RFC2412, Appendix E, are: "
612 "Group 1='768 bit prime', Group 2='1024 bit prime', Group "
613 "3='Elliptic Curve Group with 155 bit field element', Group "
614 "4='Large Elliptic Curve Group with 185 bit field element', "
615 "and Group 5='1536 bit prime'."),
616 ValueMap { "0", "1", "2", "3", "4", "5", "..", "0x8000.." },
617 Values { "No Group/Non-Diffie-Hellman Exchange",
618 "DH-768 bit prime", "DH-1024 bit prime",
619 "EC2N-155 bit field element", "EC2N-185 bit field element",
620 "DH-1536 bit prime", "Standard Group - Reserved",
621 "Vendor Reserved" },
622 MappingStrings { "IPSP Policy "
623 "Model.IETF|IKEAction.AggressiveModeGroupID",
624 "RFC2412.IETF|Appendix E" },
625 ModelCorrespondence { "CIM_IKEAction.VendorID" }]
626 uint16 AggressiveModeGroupID;
627 };
628
629
630 // ==================================================================
631 a.dunfey 1.1 // IPsecAction
632 // ==================================================================
633 [Version ( "2.8.0" ), Description (
634 "IPsecAction specifies the parameters to use for an IPsec phase "
635 "2 negotiation."),
636 MappingStrings { "IPSP Policy Model.IETF|IPsecAction" }]
637 class CIM_IPsecAction : CIM_SANegotiationAction {
638
639 [Description (
640 "UsePFS indicates whether perfect forward secrecy is "
641 "required when refreshing keys."),
642 MappingStrings { "IPSP Policy Model.IETF|IPsecAction.UsePFS" },
643 ModelCorrespondence { "CIM_IPsecSAEndpoint.PFSInUse" }]
644 boolean UsePFS;
645
646 [Description (
647 "UsePhase1Group indicates that the phase 2 GroupId should be "
648 "the same as that used in the phase 1 key exchange. If "
649 "UsePFS is False, then this property is ignored. Note that a "
650 "value of False indicates that the property GroupId will "
651 "contain the key exchange group to use for phase 2."),
652 a.dunfey 1.1 MappingStrings { "IPSP Policy "
653 "Model.IETF|IPsecAction.UseIKEGroup" }]
654 boolean UsePhase1Group;
655
656 [Description (
657 "GroupId specifies the PFS group ID to use. This value is "
658 "only used if PFS is True and UsePhase1Group is False. If "
659 "the GroupID number is from the vendor-specific range "
660 "(32768-65535), the VendorID qualifies the group number. "
661 "Well-known group identifiers from RFC2412, Appendix E, are: "
662 "Group 1='768 bit prime', Group 2='1024 bit prime', Group "
663 "3='Elliptic Curve Group with 155 bit field element', Group "
664 "4='Large Elliptic Curve Group with 185 bit field element', "
665 "and Group 5='1536 bit prime'."),
666 ValueMap { "0", "1", "2", "3", "4", "5", "..", "0x8000.." },
667 Values { "No Group/Non-Diffie-Hellman Exchange",
668 "DH-768 bit prime", "DH-1024 bit prime",
669 "EC2N-155 bit field element", "EC2N-185 bit field element",
670 "DH-1536 bit prime", "Standard Group - Reserved",
671 "Vendor Reserved" },
672 MappingStrings { "IPSP Policy Model.IETF|IPsecAction.GroupID",
673 a.dunfey 1.1 "RFC2412.IETF|Appendix E" },
674 ModelCorrespondence { "CIM_IPsecAction.VendorID",
675 "CIM_IKESAEndpoint.GroupID" }]
676 uint16 GroupId;
677
678 [Description (
679 "The property VendorID is used together with the property "
680 "GroupID (when it is in the vendor-specific range) to "
681 "identify the key exchange group. VendorID is ignored unless "
682 "UsePFS is true, AND UsePhase1Group is False, AND GroupID is "
683 "in the vendor-specific range (32768-65535)."),
684 MappingStrings { "IPSP Policy Model.IETF|IPsecAction.VendorID" },
685 ModelCorrespondence { "CIM_IPsecAction.GroupId",
686 "CIM_IKESAEndpoint.VendorID" }]
687 string VendorID;
688
689 [Description (
690 "The property Granularity is an enumeration that specifies "
691 "how the selector for the SA should be derived from the "
692 "traffic that triggered the negotiation. Its values are: \n"
693 "1=Other; See the OtherGranularity property for more "
694 a.dunfey 1.1 "information \n"
695 "2=Subnet; The source and destination subnet masks are used "
696 "\n3=Address; The source and destination IP addresses of the "
697 "triggering packet are used \n"
698 "4=Protocol; The source and destination IP addresses and the "
699 "IP protocol of the triggering packet are used \n"
700 "5=Port; The source and destination IP addresses, IP "
701 "protocol and the source and destination layer 4 ports of "
702 "the triggering packet are used."),
703 ValueMap { "1", "2", "3", "4", "5" },
704 Values { "Other", "Subnet", "Address", "Protocol", "Port" },
705 MappingStrings { "IPSP Policy "
706 "Model.IETF|IPsecAction.Granularity" },
707 ModelCorrespondence { "CIM_IPsecAction.OtherGranularity" }]
708 uint16 Granularity;
709
710 [Description (
711 "Description of the granularity when the value 1 (\"Other\") "
712 "is specified for the property, Granularity."),
713 ModelCorrespondence { "CIM_IPsecAction.Granularity" }]
714 string OtherGranularity;
715 a.dunfey 1.1 };
716
717
718 // ==================================================================
719 // IPsecTransportAction
720 // ==================================================================
721 [Version ( "2.8.0" ), Description (
722 "IPsecTransportAction is used to specify that a transport-mode "
723 "SA should be negotiated."),
724 MappingStrings { "IPSP Policy Model.IETF|IPsecTransportAction" }]
725 class CIM_IPsecTransportAction : CIM_IPsecAction {
726 };
727
728
729 // ==================================================================
730 // IPsecTunnelAction
731 // ==================================================================
732 [Version ( "2.8.0" ), Description (
733 "IPsecTunnelAction is used to specify that a tunnel-mode SA "
734 "should be negotiated."),
735 MappingStrings { "IPSP Policy Model.IETF|IPsecTunnelAction" }]
736 a.dunfey 1.1 class CIM_IPsecTunnelAction : CIM_IPsecAction {
737
738 [Description (
739 "DFHandling controls how the Don't Fragment bit is managed "
740 "by the tunnel."),
741 ValueMap { "2", "3", "4" },
742 Values { "Copy from Internal to External IP Header",
743 "Set DF Bit in External Header to 1",
744 "Set DF Bit in External Header to 0" },
745 MappingStrings { "IPSP Policy Model.IETF|"
746 "PreconfiguredTunnelAction.DFHandling" },
747 ModelCorrespondence { "CIM_IPsecSAEndpoint.DFHandling" }]
748 uint16 DFHandling;
749 };
750
751
752 // ==================================================================
753 // PeerGatewayForTunnel
754 // ==================================================================
755 [Association, Version ( "2.8.0" ), Description (
756 "PeerGatewayForTunnel identifies an ordered list of security "
757 a.dunfey 1.1 "gateways to be used in negotiating and constructing a tunnel. "
758 "A security gateway is simply a particular instance of "
759 "RemoteServiceAccessPoint."),
760 MappingStrings { "IPSP Policy Model.IETF|PeerGatewayForTunnel" }]
761 class CIM_PeerGatewayForTunnel : CIM_Dependency {
762
763 [Override ( "Antecedent" ), Description (
764 "The security gateway for the SA. Note that the absense of "
765 "this association indicates that: \n"
766 "- When acting as a responder, IKE will accept phase 1 "
767 "negotiations with any other security gateway \n"
768 "- When acting as an initiator, IKE will use the destination "
769 "IP address (of the IP packets which triggered the SARule) "
770 "as the IP address of the peer IKE entity."),
771 MappingStrings { "IPSP Policy "
772 "Model.IETF|PeerGatewayForTunnel.Antecedent" }]
773 CIM_RemoteServiceAccessPoint REF Antecedent;
774
775 [Override ( "Dependent" ), Description (
776 "The IPsecTunnelAction that requires a security gateway."),
777 MappingStrings { "IPSP Policy "
778 a.dunfey 1.1 "Model.IETF|PeerGatewayForTunnel.Dependent" }]
779 CIM_IPsecTunnelAction REF Dependent;
780
781 [Description (
782 "SequenceNumber indicates the ordering to be used when "
783 "selecting a PeerGateway instance for an IPsecTunnelAction. "
784 "Lower values are evaluated first."),
785 MappingStrings { "IPSP Policy Model.IETF|"
786 "PeerGatewayForTunnel.SequenceNumber" }]
787 uint16 SequenceNumber;
788 };
789
790
791 // ==================================================================
792 // IPsec phase 1 and 2 Proposals to be negotiated
793 // ==================================================================
794
795 // ==================================================================
796 // SAProposal
797 // ==================================================================
798 [Abstract, Version ( "2.8.0" ), Description (
799 a.dunfey 1.1 "SAProposal is a base class defining the common properties of, "
800 "and anchoring common associations for, IPsec phase 1 and phase "
801 "2 proposals. It is defined as a kind of ScopedSettingData "
802 "(scoped by a ComputerSystem or AdminDomain), since its "
803 "subclasses define sets of IPsec properties that MUST be "
804 "applied together, if negotiated. This subclassing is different "
805 "than that defined in IETF's IPSP Policy draft - where it is "
806 "subclassed from Policy. The definition as SettingData is more "
807 "consistent with the application of the properties as a set, to "
808 "the negotiated Security Association. To indicate that 'this' "
809 "proposaltransform is negotiated for a Security Association, "
810 "use the ElementSettingData to associate the proposal and the "
811 "SA."),
812 MappingStrings { "IPSP Policy Model.IETF|SAProposal" }]
813 class CIM_SAProposal : CIM_ScopedSettingData {
814 };
815
816
817 // ==================================================================
818 // ContainedProposal
819 // ==================================================================
820 a.dunfey 1.1 [Association, Aggregation, Version ( "2.8.0" ), Description (
821 "ContainedProposal holds an ordered list of SAProposals that "
822 "make up an SANegotiationAction. If the referenced "
823 "NegotiationAction is an IKEAction, then the SAProposal objects "
824 "MUST be IKEProposals. If the referenced NegotiationAction "
825 "object is an IPsecTransport/TunnelAction, then the referenced "
826 "SAProposal objects MUST be IPsecProposals."),
827 MappingStrings { "IPSP Policy Model.IETF|ContainedProposal" }]
828 class CIM_ContainedProposal : CIM_Component {
829
830 [Aggregate, Override ( "GroupComponent" ), Description (
831 "The SANegotiationAction containing a list of SAProposals."),
832 MappingStrings { "IPSP Policy "
833 "Model.IETF|ContainedProposal.GroupComponent" }]
834 CIM_SANegotiationAction REF GroupComponent;
835
836 [Override ( "PartComponent" ), Description (
837 "The SAProposal in this negotiation action."),
838 MappingStrings { "IPSP Policy "
839 "Model.IETF|ContainedProposal.PartComponent" }]
840 CIM_SAProposal REF PartComponent;
841 a.dunfey 1.1
842 [Description (
843 "SequenceNumber indicates the ordering to be used when "
844 "chosing from among the proposals. Lower-valued proposals "
845 "are preferred over proposals with higher values. For "
846 "ContainedProposals that reference the same "
847 "SANegotiationAction, SequenceNumber values MUST be unique."),
848 MappingStrings { "IPSP Policy "
849 "Model.IETF|ContainedProposal.SequenceNumber" }]
850 uint16 SequenceNumber;
851 };
852
853
854 // ==================================================================
855 // IKEProposal
856 // ==================================================================
857 [Version ( "2.8.0" ), Description (
858 "IKEProposal contains the parameters necessary to drive the "
859 "phase 1 IKE negotiation."),
860 MappingStrings { "IPSP Policy Model.IETF|IKEProposal" }]
861 class CIM_IKEProposal : CIM_SAProposal {
862 a.dunfey 1.1
863 [Description (
864 "MaxLifetimeSeconds specifies the maximum time the IKE "
865 "message sender proposes for an SA to be considered valid "
866 "after it has been created. A value of zero indicates that "
867 "the default of 8 hours be used. A non-zero value indicates "
868 "the maximum seconds lifetime."),
869 Units ( "Seconds" ),
870 MappingStrings { "IPSP Policy "
871 "Model.IETF|IKEProposal.MaxLifetimeSeconds" },
872 ModelCorrespondence {
873 "CIM_SecurityAssociationEndpoint.LifetimeSeconds" }]
874 uint64 MaxLifetimeSeconds;
875
876 [Description (
877 "MaxLifetimeKilobytes specifies the maximum kilobyte "
878 "lifetime the IKE message sender proposes for an SA to be "
879 "considered valid after it has been created. A value of zero "
880 "(the default) indicates that there should be no maximum "
881 "kilobyte lifetime. A non-zero value specifies the desired "
882 "kilobyte lifetime."),
883 a.dunfey 1.1 Units ( "KiloBytes" ),
884 MappingStrings { "IPSP Policy "
885 "Model.IETF|IKEProposal.MaxLifetimeKilobytes" },
886 ModelCorrespondence {
887 "CIM_SecurityAssociationEndpoint.LifetimeKilobytes" }]
888 uint64 MaxLifetimeKilobytes;
889
890 [Description (
891 "CipherAlgorithm is an enumeration that specifies the "
892 "proposed encryption algorithm. The list of algorithms was "
893 "generated from Appendix A of RFC2409. Note that the "
894 "enumeration is different than the RFC list and aligns with "
895 "the values in IKESAEndpoint.CipherAlgorithm."),
896 ValueMap { "1", "2", "3", "4", "5", "6", "7", "8..65000",
897 "65001..65535" },
898 Values { "Other", "DES", "IDEA", "Blowfish", "RC5", "3DES",
899 "CAST", "DMTF/IANA Reserved", "Vendor Reserved" },
900 MappingStrings { "IPSP Policy "
901 "Model.IETF|IKEProposal.CipherAlgorithm",
902 "RFC2409.IETF|Appendix A" },
903 ModelCorrespondence { "CIM_IKESAEndpoint.CipherAlgorithm",
904 a.dunfey 1.1 "CIM_IKEProposal.OtherCipherAlgorithm" }]
905 uint16 CipherAlgorithm;
906
907 [Description (
908 "Description of the encryption algorithm when the value 1 "
909 "(\"Other\") is specified for the property, CipherAlgorithm."),
910 ModelCorrespondence { "CIM_IKESAEndpoint.OtherCipherAlgorithm",
911 "CIM_IKEProposal.CipherAlgorithm" }]
912 string OtherCipherAlgorithm;
913
914 [Description (
915 "HashAlgorithm is an enumeration that specifies the proposed "
916 "hash function. The list of algorithms was generated from "
917 "Appendix A of RFC2409. Note that the enumeration is "
918 "different than the RFC list and aligns with the values in "
919 "IKESAEndpoint.HashAlgorithm."),
920 ValueMap { "1", "2", "3", "4", "5..65000", "65001..65535" },
921 Values { "Other", "MD5", "SHA-1", "Tiger", "DMTF/IANA Reserved",
922 "Vendor Reserved" },
923 MappingStrings { "IPSP Policy "
924 "Model.IETF|IKEProposal.HashAlgorithm",
925 a.dunfey 1.1 "RFC2409.IETF|Appendix A" },
926 ModelCorrespondence { "CIM_IKESAEndpoint.HashAlgorithm",
927 "CIM_IKEProposal.OtherHashAlgorithm" }]
928 uint16 HashAlgorithm;
929
930 [Description (
931 "Description of the hash function when the value 1 "
932 "(\"Other\") is specified for the property, HashAlgorithm."),
933 ModelCorrespondence { "CIM_IKESAEndpoint.OtherHashAlgorithm",
934 "CIM_IKEProposal.HashAlgorithm" }]
935 string OtherHashAlgorithm;
936
937 [Description (
938 "AuthenticationMethod is an enumeration that specifies the "
939 "proposed authentication. The list of methods was generated "
940 "from Appendix A of RFC2409. Note that the enumeration is "
941 "different than the RFC list and aligns with the values in "
942 "IKESAEndpoint.AuthenticationMethod. There is one change to "
943 "the list - the value 65000 has special meaning. It is a "
944 "special value that indicates that this particular proposal "
945 "should be repeated once for each authentication method "
946 a.dunfey 1.1 "corresponding to credentials installed on the machine. For "
947 "example, if the system has a pre-shared key and an "
948 "public-key certificate, a proposal list would be "
949 "constructed which includes a proposal that specifies a "
950 "pre-shared key and a proposal for any of the public-key "
951 "certificates."),
952 ValueMap { "1", "2", "3", "4", "5", "6", "7..64999", "65000",
953 "65001..65535" },
954 Values { "Other", "Pre-shared Key", "DSS Signatures",
955 "RSA Signatures", "Encryption with RSA",
956 "Revised Encryption with RSA", "DMTF/IANA Reserved", "Any",
957 "Vendor Reserved" },
958 MappingStrings { "IPSP Policy "
959 "Model.IETF|IKEProposal.AuthenticationMethod",
960 "RFC2409.IETF|Appendix A" },
961 ModelCorrespondence { "CIM_IKESAEndpoint.AuthenticationMethod",
962 "CIM_IKEProposal.OtherAuthenticationMethod" }]
963 uint16 AuthenticationMethod;
964
965 [Description (
966 "Description of the method when the value 1 (\"Other\") is "
967 a.dunfey 1.1 "specified for the property, AuthenticationMethod."),
968 ModelCorrespondence {
969 "CIM_IKESAEndpoint.OtherAuthenticationMethod",
970 "CIM_IKEProposal.AuthenticationMethod" }]
971 string OtherAuthenticationMethod;
972
973 [Description (
974 "The property GroupId specifies the proposed phase 1 "
975 "security association key exchange group. This property is "
976 "ignored for all aggressive mode exchanges "
977 "(IKEAction.ExchangeMode = 4). If the GroupID number is from "
978 "the vendor-specific range (32768-65535), the property "
979 "VendorID qualifies the group number. Well-known group "
980 "identifiers from RFC2412, Appendix E, are: Group 1='768 bit "
981 "prime', Group 2='1024 bit prime', Group 3 ='Elliptic Curve "
982 "Group with 155 bit field element', Group 4= 'Large Elliptic "
983 "Curve Group with 185 bit field element', and Group 5='1536 "
984 "bit prime'."),
985 ValueMap { "0", "1", "2", "3", "4", "5", "..", "0x8000.." },
986 Values { "No Group/Non-Diffie-Hellman Exchange",
987 "DH-768 bit prime", "DH-1024 bit prime",
988 a.dunfey 1.1 "EC2N-155 bit field element", "EC2N-185 bit field element",
989 "DH-1536 bit prime", "Standard Group - Reserved",
990 "Vendor Reserved" },
991 MappingStrings { "IPSP Policy Model.IETF|IKEProposal.GroupID",
992 "RFC2412.IETF|Appendix E" },
993 ModelCorrespondence { "CIM_IKESAEndpoint.GroupID",
994 "CIM_IKEProposal.VendorID" }]
995 uint16 GroupId;
996
997 [Description (
998 "VendorID identifies the vendor when the value of GroupID is "
999 "in the vendor-specific range, 32768 to 65535."),
1000 ModelCorrespondence { "CIM_IKESAEndpoint.VendorID",
1001 "CIM_IKEProposal.GroupId" }]
1002 string VendorID;
1003 };
1004
1005
1006 // ==================================================================
1007 // IPsecProposal
1008 // ==================================================================
1009 a.dunfey 1.1 [Version ( "2.8.0" ), Description (
1010 "The class IPsecProposal adds no new properties, but inherits "
1011 "proposal properties from SAProposal as well as associating the "
1012 "security association transforms necessary for building an "
1013 "IPsec proposal (see the class ContainedTransform)."),
1014 MappingStrings { "IPSP Policy Model.IETF|IPsecProposal" }]
1015 class CIM_IPsecProposal : CIM_SAProposal {
1016 };
1017
1018
1019 // ==================================================================
1020 // ContainedTransform
1021 // ==================================================================
1022 [Association, Aggregation, Version ( "2.8.0" ), Description (
1023 "ContainedTransform associates a proposal with a list of "
1024 "transforms. If multiple transforms of a given type are "
1025 "included in a proposal, these transforms are interpreted as "
1026 "alternatives -- i.e., logically ORed with each other. The "
1027 "order of preference is dictated by the SequenceNumber "
1028 "property. Sets of transforms of different types are logically "
1029 "ANDed. For example, a proposal based on two AH transforms and "
1030 a.dunfey 1.1 "three ESP transforms means one of the AH AND one of the ESP "
1031 "transforms MUST be chosen. Note that at least 1 transform MUST "
1032 "be aggregated into the proposal."),
1033 MappingStrings { "IPSP Policy Model.IETF|ContainedTransform" }]
1034 class CIM_ContainedTransform : CIM_Component {
1035
1036 [Aggregate, Override ( "GroupComponent" ), Description (
1037 "The Proposal containing the transforms."),
1038 MappingStrings { "IPSP Policy Model.IETF|"
1039 "ContainedTransform.GroupComponent" }]
1040 CIM_IPsecProposal REF GroupComponent;
1041
1042 [Override ( "PartComponent" ), Min ( 1 ), Description (
1043 "Transforms in the proposal."),
1044 MappingStrings { "IPSP Policy Model.IETF|"
1045 "ContainedTransform.PartComponent" }]
1046 CIM_SATransform REF PartComponent;
1047
1048 [Description (
1049 "SequenceNumber indicates the order of preference for "
1050 "SATransforms of the same type. Lower-valued transforms are "
1051 a.dunfey 1.1 "preferred over transforms of the same type with higher "
1052 "values. For ContainedTransforms (of the same type) that "
1053 "reference the same IPsecProposal, SequenceNumber values "
1054 "MUST be unique."),
1055 MappingStrings { "IPSP Policy Model.IETF|"
1056 "ContainedTransform.SequenceNumber" }]
1057 uint16 SequenceNumber;
1058 };
1059
1060
1061 // ===================================================================
1062 // end of file
1063 // ===================================================================
|