
  1 a.dunfey 1.1 // ===================================================================
  2              // Title: Network_IPsec
  3              // $State: Exp $
  4              // $Date: 2004/12/02 18:12:58 $
  5              // $RCSfile: Network_IPsec.mof,v $
  6              // $Revision: 1.4.2.4 $
  7              // ===================================================================
  8              //#pragma inLine ("Includes/copyright.inc")
  9              // Copyright 1998-2005 Distributed Management Task Force, Inc. (DMTF).
 10              // All rights reserved.
 11              // DMTF is a not-for-profit association of industry members dedicated
 12              // to promoting enterprise and systems management and interoperability.
 13              // DMTF specifications and documents may be reproduced for uses
 14              // consistent with this purpose by members and non-members,
 15              // provided that correct attribution is given.
 16              // As DMTF specifications may be revised from time to time,
 17              // the particular version and release date should always be noted.
 18              // 
 19              // Implementation of certain elements of this standard or proposed
 20              // standard may be subject to third party patent rights, including
 21              // provisional patent rights (herein "patent rights"). DMTF makes
 22 a.dunfey 1.1 // no representations to users of the standard as to the existence
 23              // of such rights, and is not responsible to recognize, disclose, or
 24              // identify any or all such third party patent right, owners or
 25              // claimants, nor for any incomplete or inaccurate identification or
 26              // disclosure of such rights, owners or claimants. DMTF shall have no
 27              // liability to any party, in any manner or circumstance, under any
 28              // legal theory whatsoever, for failure to recognize, disclose, or
 29              // identify any such third party patent rights, or for such party's
 30              // reliance on the standard or incorporation thereof in its product,
 31              // protocols or testing procedures. DMTF shall have no liability to
 32              // any party implementing such standard, whether such implementation
 33              // is foreseeable or not, nor to any patent owner or claimant, and shall
 34              // have no liability or responsibility for costs or losses incurred if
 35              // a standard is withdrawn or modified after publication, and shall be
 36              // indemnified and held harmless by any party implementing the
 37              // standard from any and all claims of infringement by a patent owner
 38              // for such implementations.
 39              // 
 40              // For information about patents held by third-parties which have
 41              // notified the DMTF that, in their opinion, such patent may relate to
 42              // or impact implementations of DMTF standards, visit
 43 a.dunfey 1.1 // http://www.dmtf.org/about/policies/disclosures.php.
 44              //#pragma inLine
 45              // ===================================================================
 46              // Description: The Network Model extends the management concepts to
 47              //              represent protocol interfaces and network/protocol
 48              //              services.  This file defines the classes to manage
 49              //              an IPsec security association.
 50              // 
 51              //              The object classes below are listed in an order that
 52              //              avoids forward references. Required objects, defined
 53              //              by other working groups, are omitted.
 54              // ==================================================================
 55              // This model was originally introduced in CIM V2.6 Preliminary and
 56              // was not promoted to Final status.  The following CR updates the
 57              // V2.6 MOF and better aligns it with the IETF I-D from the IPSP
 58              // Working Group.
 59              // CR1026 - Modifications to the V2.6 MOF for IPsec management
 60              // Change Log CIM V2.8
 61              // CR1194 - Promote all classes to final
 62              // CR1238 - Fix model correspondence reference problems in final version
 63              // 
 64 a.dunfey 1.1 // ===================================================================
 65              
 66              #pragma Locale ("en_US")
 67              
 68              
 69              // ==================================================================
 70              // Security Association Endpoints
 71              // ==================================================================
 72              
 73              // ==================================================================
 74              // SecurityAssociationEndpoint
 75              // ==================================================================
                 // Base class for the endpoint of a secure connection (subclass of
                 // CIM_ProtocolEndpoint). Three limits default to 0, and 0 does not
                 // mean the same thing for each of them:
                 //   LifetimeSeconds     = 0 -> the 8-hour default applies
                 //   IdleDurationSeconds = 0 -> no idle timeout
                 //   LifetimeKilobytes   = 0 -> no traffic-volume limit
                 // A consumer that audits SA lifetimes must therefore not read every 0
                 // as "unlimited", nor as "already expired".
                 // As declared here, only the two RefreshThreshold*Percentage
                 // properties and PacketLoggingActive carry the Write qualifier.
 76                 [Version ( "2.8.0" ), Description (
 77                     "SecurityAssociationEndpoint (SAEndpoint) represents the "
 78                     "endpoint of a secure connection. This is typically an IP "
 79                     "connection, although the model allows more flexibility than "
 80                     "just IP. The SecurityAssociationEndpoint is tied to an "
 81                     "IPProtocolEndpoint (or possibly other endpoint) using the "
 82                     "LogicalIdentity association. Note that an endpoint is defined "
 83                     "at both ends of the connection.")]
 84              class CIM_SecurityAssociationEndpoint : CIM_ProtocolEndpoint {
 85 a.dunfey 1.1 
 86                    [Override ( "InstallDate" ), Description (
 87                        "InstallDate records when the SA (and its endpoint) was "
 88                        "created.")]
 89                 datetime InstallDate;
 90              
 91                    [Description (
 92                        "LifetimeSeconds specifies the maximum time that the SA will "
 93                        "be considered valid after it has been created. A value of "
 94                        "zero indicates that the default of 8 hours be used. A "
 95                        "non-zero value indicates the seconds lifetime."), 
 96                     Units ( "Seconds" )]
 97                 uint64 LifetimeSeconds = 0;
 98              
                       // Percentage (0..100) of the lifetime in seconds after which a
                       // replacement SA should be acquired. No default is declared.
 99                    [Write, Description (
100                        "RefreshThresholdSecondsPercentage is the lifetime "
101                        "percentage after which a new SA should be acquired, before "
102                        "the existing SA expires. A random period may be added to a "
103                        "calculated threshold to reduce network thrashing."), 
104                     Units ( "Percent" ), MinValue ( 0 ), MaxValue ( 100 )]
105                 uint8 RefreshThresholdSecondsPercentage;
106 a.dunfey 1.1 
107                    [Description (
108                        "IdleDurationSeconds specifies how long the SA can be idle "
109                        "before it is deleted. The default value, 0, indicates that "
110                        "there is no idle timeout period."), 
111                     Units ( "Seconds" )]
112                 uint64 IdleDurationSeconds = 0;
113              
                       // Unit is KiloBytes; CIM_SAEndpointConnectionStatistics.ByteCount
                       // is declared in Bytes, so convert before comparing the two.
114                    [Description (
115                        "LifetimeKilobytes specifies the maximum number of kilobytes "
116                        "of data traffic to be protected by the SA. A value of zero "
117                        "(the default) indicates that there should be no maximum "
118                        "kilobyte lifetime. A non-zero value specifies the desired "
119                        "kilobyte lifetime. The SA is deleted when the "
120                        "LifetimeKilobyte value is exceeded."), 
121                     Units ( "KiloBytes" )]
122                 uint64 LifetimeKilobytes = 0;
123              
124                    [Write, Description (
125                        "RefreshThresholdKbytesPercentage is the lifetime percentage "
126                        "of kilobytes processed, at which a new SA should be "
127 a.dunfey 1.1           "acquired. A random value may be added to the calculated "
128                        "threshold to reduce network thrashing."), 
129                     Units ( "Percent" ), MinValue ( 0 ), MaxValue ( 100 )]
130                 uint8 RefreshThresholdKbytesPercentage;
131              
                       // NOTE(review): this flag is writable, so whoever may modify the
                       // instance can switch traffic logging on or off. Write access to
                       // it is worth restricting and auditing in the CIM server - confirm
                       // against the deployment's authorization setup.
132                    [Write, Description (
133                        "PacketLoggingActive causes a log to be kept of traffic "
134                        "processed by the SAEndpoint.")]
135                 boolean PacketLoggingActive;
136              };
137              
138              
139              // ==================================================================
140              // FilterOfSecurityAssociation
141              // ==================================================================
                 // Association (CIM_Dependency subclass) between a CIM_FilterList
                 // (Antecedent) and the CIM_SecurityAssociationEndpoint (Dependent)
                 // that uses it as its traffic selector. Max ( 1 ) on Antecedent limits
                 // each endpoint to at most one FilterList; no Min is declared, so an
                 // endpoint without a FilterList is allowed by this definition.
142                 [Association, Version ( "2.8.0" ), Description (
143                     "FilterOfSecurityAssociation associates a network traffic "
144                     "specification (i.e., a FilterList) with a SecurityAssociation "
145                     "Endpoint, to which the filter list applies.")]
146              class CIM_FilterOfSecurityAssociation : CIM_Dependency {
147              
148 a.dunfey 1.1       [Override ( "Antecedent" ), Max ( 1 ), Description (
149                        "FilterList describing the traffic to be selected/matched.")]
150                 CIM_FilterList REF Antecedent;
151              
152                    [Override ( "Dependent" ), Description (
153                        "SecurityAssociation using the FilterList as its traffic "
154                        "selector.")]
155                 CIM_SecurityAssociationEndpoint REF Dependent;
156              };
157              
158              
159              // ==================================================================
160              // SAEndpointConnectionStatistics
161              // ==================================================================
                 // Usage statistics for an IPsec or IKE SA endpoint (CIM_StatisticalData
                 // subclass). The class declares no reference to the endpoint; per the
                 // Description the endpoint is reached through ElementStatisticalData.
                 // Neither property carries the Write qualifier.
                 // ByteCount is in Bytes, whereas the limit it would be compared with,
                 // CIM_SecurityAssociationEndpoint.LifetimeKilobytes, is in KiloBytes.
162                 [Version ( "2.8.0" ), Description (
163                     "This class captures statistical and time-related information "
164                     "about the use of the IPsec or IKE Security Associations, "
165                     "through their IPsecSAEndpoint or IKESAEndpoint. The relevant "
166                     "SAEndpoint is determined by traversing the "
167                     "ElementStatisticalData association.")]
168              class CIM_SAEndpointConnectionStatistics : CIM_StatisticalData {
169 a.dunfey 1.1 
                       // Counter qualifier: a running total of protected bytes.
170                    [Description (
171                        "Number of bytes that have been protected by the associated "
172                        "SAEndpoint."), 
173                     Units ( "Bytes" ), Counter]
174                 uint64 ByteCount;
175              
                       // Time of last use; the value to compare against the endpoint's
                       // IdleDurationSeconds when checking for idle deletion.
176                    [Description (
177                        "LastAccessed indicates when the SAEndpoint was last used. "
178                        "This property is helpful in determining if the SA (and its "
179                        "endpoint) will be deleted due to sitting idle.")]
180                 datetime LastAccessed;
181              };
182              
183              
184              // ==================================================================
185              // SAEndpointRefreshSettings
186              // ==================================================================
                 // CIM_SettingData subclass that holds the two refresh thresholds
                 // (percent, 0..100, both Write). ModelCorrespondence ties each one to
                 // the same-named property of CIM_SecurityAssociationEndpoint.
                 // Unlike the endpoint's Descriptions, the ones here do not mention
                 // adding a random period to the calculated threshold.
187                 [Version ( "2.8.0" ), Description (
188                     "SAEndpointRefreshSettings hold the refresh thresholds for the "
189                     "SecurityAssociationEndpoint. Since these settings may change "
190 a.dunfey 1.1        "for an SA, the properties are defined both in this class and "
191                     "in SecurityAssociationEndpoint.")]
192              class CIM_SAEndpointRefreshSettings : CIM_SettingData {
193              
                       // Time-based threshold; no default value is declared.
194                    [Write, Description (
195                        "RefreshThresholdSecondsPercentage is the lifetime "
196                        "percentage after which a new SA should be acquired, before "
197                        "the existing SA expires."), 
198                     Units ( "Percent" ), MinValue ( 0 ), MaxValue ( 100 ), 
199                     ModelCorrespondence { "CIM_SecurityAssociationEndpoint." 
200                        "RefreshThresholdSecondsPercentage" }]
201                 uint8 RefreshThresholdSecondsPercentage;
202              
                       // Traffic-volume threshold; no default value is declared.
203                    [Write, Description (
204                        "RefreshThresholdKbytesPercentage is the lifetime percentage "
205                        "of kilobytes processed, at which a new SA should be "
206                        "acquired."), 
207                     Units ( "Percent" ), MinValue ( 0 ), MaxValue ( 100 ), 
208                     ModelCorrespondence { "CIM_SecurityAssociationEndpoint." 
209                        "RefreshThresholdKbytesPercentage" }]
210                 uint8 RefreshThresholdKbytesPercentage;
211 a.dunfey 1.1 };
212              
213              
214              // ==================================================================
215              // IPsecSAEndpoint
216              // ==================================================================
                 // Endpoint of an AH, ESP or IPCOMP security association, negotiated or
                 // static (subclass of CIM_SecurityAssociationEndpoint).
                 // No property declared here carries the Write qualifier.
                 // The EncapsulationMode and DFHandling ValueMaps both skip the value
                 // 1, so a reader must pair ValueMap and Values entries by position
                 // rather than use the numeric value as an index into Values.
217                 [Version ( "2.8.0" ), Description (
218                     "IPsecSAEndpoints are types of SecurityAssociationEndpoints "
219                     "representing both negotiated and static SAs that correspond to "
220                     "AH, ESP, or IPCOMP transforms.")]
221              class CIM_IPsecSAEndpoint : CIM_SecurityAssociationEndpoint {
222              
                       // NOTE(review): the SPI is an identifier of the SA (it may also
                       // appear in the 'Name' key), not keying material.
223                    [Description (
224                        "SPI contains the Security Parameter Index of the SA. This "
225                        "value in string form may also be used in the key field "
226                        "'Name' inherited from ServiceAccessPoint.")]
227                 uint32 SPI;
228              
229                    [Description (
230                        "InboundDirection specifies whether the SA applies to "
231                        "inbound (TRUE) or outbound (FALSE) traffic.")]
232 a.dunfey 1.1    boolean InboundDirection;
233              
                       // 0 = Unknown, 2 = Tunnel, 3 = Transport; 1 is not defined.
234                    [Description (
235                        "EncapsulationMode indicates whether the IPsecSAEndpoint "
236                        "uses transport or tunnel encapsulation."), 
237                     ValueMap { "0", "2", "3" }, 
238                     Values { "Unknown", "Tunnel", "Transport" }]
239                 uint16 EncapsulationMode;
240              
                       // 0 = Unknown, 2 = copy DF from the inner header, 3 = set DF to 1,
                       // 4 = set DF to 0 in the external header; 1 is not defined.
241                    [Description (
242                        "DFHandling controls how the 'Don't Fragment' bit is managed "
243                        "by the IPsecSAEndpoint."), 
244                     ValueMap { "0", "2", "3", "4" }, 
245                     Values { "Unknown", "Copy from Internal to External IP Header",
246                        "Set DF Bit in External Header to 1",
247                        "Set DF Bit in External Header to 0" }]
248                 uint16 DFHandling;
249              
                       // No default is declared, so an unset value is not the same as
                       // FALSE; a compliance check should treat the two separately.
250                    [Description (
251                        "PFSInUse indicates whether perfect forward secrecy is "
252                        "required when refreshing keys.")]
253 a.dunfey 1.1    boolean PFSInUse;
254              };
255              
256              
257              // ==================================================================
258              // PeerOfIPsecSAEndpoint
259              // ==================================================================
                 // NOTE(review): the banner above and the Description call this
                 // association PeerOfIPsecSAEndpoint, but the declared class name is
                 // CIM_PeerOfSAEndpoint. Queries and providers must use the declared
                 // name.
                 // Links a CIM_RemoteServiceAccessPoint (Antecedent, at most one per
                 // endpoint) to the CIM_IPsecSAEndpoint (Dependent) whose peer it is.
260                 [Association, Version ( "2.8.0" ), Description (
261                     "PeerOfIPsecSAEndpoint identifies the peer of the "
262                     "IPsecSAEndpoint.")]
263              class CIM_PeerOfSAEndpoint : CIM_Dependency {
264              
265                    [Override ( "Antecedent" ), Max ( 1 ), Description (
266                        "The peer for the SAEndpoint.")]
267                 CIM_RemoteServiceAccessPoint REF Antecedent;
268              
269                    [Override ( "Dependent" ), Description (
270                        "The IPsecSAEndpoint which has a peer.")]
271                 CIM_IPsecSAEndpoint REF Dependent;
272              };
273              
274 a.dunfey 1.1 
275              // ==================================================================
276              // IKESAEndpoint
277              // ==================================================================
                 // Endpoint of the phase 1 (IKE) SA that protects key negotiation
                 // traffic (subclass of CIM_SecurityAssociationEndpoint).
                 // CipherAlgorithm, HashAlgorithm and AuthenticationMethod reserve
                 // 0 = Unknown and 1 = Other, so their values are not the raw RFC2409
                 // Appendix A numbers (the Descriptions say so). GroupId is different:
                 // it has no Unknown/Other entries and 0 means "No Group".
                 // No property declared here carries the Write qualifier, and the class
                 // declares no property for key material.
                 // NOTE(review): the Values lists date from RFC2409 and include
                 // algorithms that are considered weak by current standards (DES, MD5,
                 // the 768-bit DH group). An inventory or monitoring tool that reads
                 // these properties can use them to flag SAs negotiated with legacy
                 // parameters.
278                 [Version ( "2.8.0" ), Description (
279                     "IKESAEndpoint is created in the first phase of SA negotiation "
280                     "and protects the key negotiation traffic. This endpoint is "
281                     "only created when IKE is the key exchange protocol. Other "
282                     "protocols and their endpoints will be defined in a future "
283                     "release.")]
284              class CIM_IKESAEndpoint : CIM_SecurityAssociationEndpoint {
285              
286                    [Description (
287                        "Identifier of the IKE phase 1 negotiation initiator. "
288                        "Combined with the ResponderCookie, this value, in string "
289                        "form, may be used to construct the value of the key field "
290                        "'Name', inherited from ServiceAccessPoint.")]
291                 uint64 InitiatorCookie;
292              
293                    [Description (
294                        "Identifier of the IKE phase 1 negotiation responder. "
295 a.dunfey 1.1           "Combined with the InitiatorCookie, this value, in string "
296                        "form, may be used to construct the value of the key field "
297                        "'Name', inherited from ServiceAccessPoint.")]
298                 uint64 ResponderCookie;
299              
                       // 0 Unknown, 1 Other, 2 DES, 3 IDEA, 4 Blowfish, 5 RC5, 6 3DES,
                       // 7 CAST; 8..65000 DMTF/IANA reserved, 65001..65535 vendor.
300                    [Description (
301                        "CipherAlgorithm is an enumeration that specifies the "
302                        "encryption algorithm used by the IKESAEndpoint. The list of "
303                        "algorithms was generated from Appendix A of RFC2409. Note "
304                        "that the enumeration is different than the RFC list, since "
305                        "the values of Unknown and Other are taken into account."), 
306                     ValueMap { "0", "1", "2", "3", "4", "5", "6", "7", "8..65000",
307                        "65001..65535" }, 
308                     Values { "Unknown", "Other", "DES", "IDEA", "Blowfish", "RC5",
309                        "3DES", "CAST", "DMTF/IANA Reserved", "Vendor Reserved" }, 
310                     MappingStrings { "RFC2409.IETF|Appendix A" }, 
311                     ModelCorrespondence { "CIM_IKESAEndpoint.OtherCipherAlgorithm" }]
312                 uint16 CipherAlgorithm;
313              
                       // Free-form text; only meaningful when CipherAlgorithm is 1.
314                    [Description (
315                        "Description of the encryption algorithm when the value 1 "
316 a.dunfey 1.1           "(\"Other\") is specified for the property, CipherAlgorithm."), 
317                     ModelCorrespondence { "CIM_IKESAEndpoint.CipherAlgorithm" }]
318                 string OtherCipherAlgorithm;
319              
                       // 0 Unknown, 1 Other, 2 MD5, 3 SHA-1, 4 Tiger; 5..65000 DMTF/IANA
                       // reserved, 65001..65535 vendor.
320                    [Description (
321                        "HashAlgorithm is an enumeration that specifies the hash "
322                        "function used by the IKESAEndpoint. The list of algorithms "
323                        "was generated from Appendix A of RFC2409. Note that the "
324                        "enumeration is different than the RFC list, since the "
325                        "values of Unknown and Other are taken into account."), 
326                     ValueMap { "0", "1", "2", "3", "4", "5..65000", "65001..65535" }, 
327                     Values { "Unknown", "Other", "MD5", "SHA-1", "Tiger",
328                        "DMTF/IANA Reserved", "Vendor Reserved" }, 
329                     MappingStrings { "RFC2409.IETF|Appendix A" }, 
330                     ModelCorrespondence { "CIM_IKESAEndpoint.OtherHashAlgorithm" }]
331                 uint16 HashAlgorithm;
332              
                       // Free-form text; only meaningful when HashAlgorithm is 1.
333                    [Description (
334                        "Description of the hash function when the value 1 "
335                        "(\"Other\") is specified for the property, HashAlgorithm."), 
336                     ModelCorrespondence { "CIM_IKESAEndpoint.HashAlgorithm" }]
337 a.dunfey 1.1    string OtherHashAlgorithm;
338              
                       // 0 Unknown, 1 Other, 2 Pre-Shared Key, 3 DSS Signatures,
                       // 4 RSA Signatures, 5 Encryption with RSA, 6 Revised Encryption
                       // with RSA; 7..65000 DMTF/IANA reserved, 65001..65535 vendor.
339                    [Description (
340                        "AuthenticationMethod is an enumeration that specifies the "
341                        "operation of the IKESAEndpoint. The list of methods was "
342                        "generated from Appendix A of RFC2409. Note that the "
343                        "enumeration is different than the RFC list, since the "
344                        "values of Unknown and Other are taken into account."), 
345                     ValueMap { "0", "1", "2", "3", "4", "5", "6", "7..65000",
346                        "65001..65535" }, 
347                     Values { "Unknown", "Other", "Pre-Shared Key", "DSS Signatures",
348                        "RSA Signatures", "Encryption with RSA",
349                        "Revised Encryption with RSA", "DMTF/IANA Reserved",
350                        "Vendor Reserved" }, 
351                     MappingStrings { "RFC2409.IETF|Appendix A" }, 
352                     ModelCorrespondence { 
353                        "CIM_IKESAEndpoint.OtherAuthenticationMethod" }]
354                 uint16 AuthenticationMethod;
355              
                       // Free-form text; only meaningful when AuthenticationMethod is 1.
356                    [Description (
357                        "Description of the method when the value 1 (\"Other\") is "
358 a.dunfey 1.1           "specified for the property, AuthenticationMethod."), 
359                     ModelCorrespondence { "CIM_IKESAEndpoint.AuthenticationMethod" }]
360                 string OtherAuthenticationMethod;
361              
                       // NOTE(review): the Description texts spell the property "GroupID";
                       // the declared name is GroupId. In the ValueMap, ".." pairs with
                       // "Standard Group - Reserved" and "0x8000.." with "Vendor
                       // Reserved" (the 32768-65535 range named in the Description).
362                    [Description (
363                        "GroupId specifies the key exchange group ID. If the GroupID "
364                        "number is from the vendor-specific range (32768-65535), the "
365                        "VendorID qualifies the group number. Well-known group "
366                        "identifiers from RFC2412, Appendix E, are: Group 1='768 bit "
367                        "prime', Group 2='1024 bit prime', Group 3= 'Elliptic Curve "
368                        "Group with 155 bit field element', Group 4= 'Large Elliptic "
369                        "Curve Group with 185 bit field element', and Group 5='1536 "
370                        "bit prime'."), 
371                     ValueMap { "0", "1", "2", "3", "4", "5", "..", "0x8000.." }, 
372                     Values { "No Group/Non-Diffie-Hellman Exchange",
373                        "DH-768 bit prime", "DH-1024 bit prime",
374                        "EC2N-155 bit field element", "EC2N-185 bit field element",
375                        "DH-1536 bit prime", "Standard Group - Reserved",
376                        "Vendor Reserved" }, 
377                     MappingStrings { "RFC2412.IETF|Appendix E" }, 
378                     ModelCorrespondence { "CIM_IKESAEndpoint.VendorID" }]
379 a.dunfey 1.1    uint16 GroupId;
380              
                       // Only meaningful when GroupId is in the vendor-specific range.
381                    [Description (
382                        "VendorID identifies the vendor when the value of GroupID is "
383                        "in the vendor-specific range, 32768 to 65535."), 
384                     ModelCorrespondence { "CIM_IKESAEndpoint.GroupId" }]
385                 string VendorID;
386              };
387              
388              
389              // ==================================================================
390              // Phase1SAUsedForPhase2
391              // ==================================================================
                 // Association recording which phase 1 endpoint (Antecedent, at most one
                 // per phase 2 endpoint) protected the negotiation of a phase 2
                 // CIM_IPsecSAEndpoint (Dependent). The Antecedent is typed as the base
                 // CIM_SecurityAssociationEndpoint, so it is not limited to
                 // CIM_IKESAEndpoint. No Min is declared on Antecedent, so a phase 2
                 // endpoint without a recorded phase 1 SA is allowed by this definition.
392                 [Association, Version ( "2.8.0" ), Description (
393                     "Phase1SAUsedForPhase2 associates a phase 1 endpoint (such as "
394                     "an IKESAEndpoint) with an IPsecSAEndpoint that was negotiated "
395                     "using that phase 1 Security Association.")]
396              class CIM_Phase1SAUsedForPhase2 : CIM_Dependency {
397              
398                    [Override ( "Antecedent" ), Max ( 1 ), Description (
399                        "Phase 1 SAEndpoint that protected the negotiation of the "
400 a.dunfey 1.1           "phase 2 Security Association. An example of a phase 1 "
401                        "endpoint is an IKESAEndpoint.")]
402                 CIM_SecurityAssociationEndpoint REF Antecedent;
403              
404                    [Override ( "Dependent" ), Description (
405                        "The phase 2 SAEndpoint.")]
406                 CIM_IPsecSAEndpoint REF Dependent;
407              };
408              
409              
410              // ==================================================================
411              // Security Association Transforms
412              // ==================================================================
413              
414              // ==================================================================
415              // SATransform
416              // ==================================================================
                 // Abstract base class for transforms (CIM_ScopedSettingData subclass).
                 // Per the Description, instances are scoped by a System rather than by
                 // an endpoint; the link to an endpoint is made through
                 // TransformOfSecurityAssociation.
                 // The two lifetime defaults do not share a meaning:
                 //   MaxLifetimeSeconds   = 0 -> 8 hours should be used
                 //   MaxLifetimeKilobytes = 0 -> no maximum is defined
                 // No property declared here carries the Write qualifier.
417                 [Abstract, Version ( "2.8.0" ), Description (
418                     "SATransform is the base class for the various types of "
419                     "transforms that are in effect for an existing IPsecSAEndpoint, "
420                     "or aggregated into phase 2 proposals used during the IPsec "
421 a.dunfey 1.1        "negotiation process. This class is defined as a kind of "
422                     "ScopedSettingData, since it describes the set of transform "
423                     "properties that MUST be applied together, if negotiated. This "
424                     "subclassing is different than that defined in IETF's IPSP "
425                     "Policy draft - where it is subclassed from Policy. The "
426                     "definition as SettingData is more consistent with the "
427                     "application of the properties as a set, to the negotiated "
428                     "Security Association. \n"
429                     "\n"
430                     "Note that an instance of this class is 'scoped' or contained "
431                     "by a System (either a ComputerSystem or AdminDomain), rather "
432                     "than by a SecurityAssociationEndpoint. This is indicated by "
433                     "instantiating the ScopedSetting association, and is necessary "
434                     "since the transform data is used in IPsec negotiation policies "
435                     "(also scoped by Systems) before ever being associated with a "
436                     "SecurityAssociationEndpoint. The latter semantics (i.e., that "
437                     "'this' transform is negotiated for 'this' Security "
438                     "Association) is conveyed via a subclass of ElementSettingData, "
439                     "TransformOfSecurityAssociation."), 
440                  MappingStrings { "IPSP Model.IETF|SATransform" }]
441              class CIM_SATransform : CIM_ScopedSettingData {
442 a.dunfey 1.1 
                       // Override that only adds the mapping to the IPSP model's
                       // CommonName; no Description is given here.
443                    [Override ( "ElementName" ), 
444                     MappingStrings { "IPSP Model.IETF|SATransform.CommonName" }]
445                 string ElementName;
446              
447                    [Description (
448                        "MaxLifetimeSeconds specifies the maximum time that the "
449                        "Security Association should be considered valid after it "
450                        "has been created. A value of 0, the default, indicates that "
451                        "8 hours should be used. A non-zero value indicates the "
452                        "maximum lifetime in seconds."), 
453                     Units ( "Seconds" ), 
454                     MappingStrings { "IPSP " 
455                        "Model.IETF|SATransform.MaxLifetimeSeconds" }]
456                 uint64 MaxLifetimeSeconds = 0;
457              
                       // NOTE(review): with the default of 0 there is no traffic-volume
                       // bound on the SA; a policy audit may want to report that case.
458                    [Description (
459                        "MaxLifetimeKilobytes specifies the maximum kilobyte "
460                        "lifetime for a Security Association. Different lifetimes "
461                        "are used, depending on the strength of the encryption "
462                        "algorithm. A value of 0, the default, indicates that no "
463 a.dunfey 1.1           "maximum should be defined. A non-zero value specifies the "
464                        "desired kilobyte lifetime."), 
465                     Units ( "KiloBytes" ), 
466                     MappingStrings { "IPSP " 
467                        "Model.IETF|SATransform.MaxLifetimeKilobytes" }]
468                 uint64 MaxLifetimeKilobytes = 0;
469              
                       // Empty string (the default) marks a standard transform.
470                    [Description (
471                        "VendorID identifies vendor-defined transforms. If this "
472                        "field is empty (the default), then this is a standard "
473                        "transform."), 
474                     MappingStrings { "IPSP Model.IETF|SATransform.VendorID" }]
475                 string VendorID = "";
476              };
477              
478              
479              // ==================================================================
480              // TransformOfSecurityAssociation
481              // ==================================================================
                 // Association (CIM_ElementSettingData subclass) from a
                 // CIM_IPsecSAEndpoint (ManagedElement) to its CIM_SATransform
                 // (SettingData). Min ( 1 ) and Max ( 1 ) on SettingData mean each
                 // endpoint has exactly one transform through this association.
                 // The Description states that no keying material of the SA is exposed;
                 // the class declares only the two references below.
482                 [Association, Version ( "2.8.0" ), Description (
483                     "TransformOfSecurityAssociation maps a SecurityAssociation "
484 a.dunfey 1.1        "Endpoint with the transform that it uses. For security, no "
485                     "keying material of the SA is exposed.")]
486              class CIM_TransformOfSecurityAssociation : CIM_ElementSettingData {
487              
488                    [Override ( "SettingData" ), Min ( 1 ), Max ( 1 ), Description (
489                        "Transform of the IPsecSAEndpoint.")]
490                 CIM_SATransform REF SettingData;
491              
492                    [Override ( "ManagedElement" ), Description (
493                        "The IPsecSAEndpoint that uses the transform.")]
494                 CIM_IPsecSAEndpoint REF ManagedElement;
495              };
496              
497              
498              // ==================================================================
499              // AHTransform
500              // ==================================================================
                 // Parameters of a phase 2 AH Security Association: the hash algorithm
                 // (AHTransformId, with OtherAHTransformId as free text when the value
                 // is 1) and the anti-replay settings.
                 // Review note: the enumeration comes from RFC2407 (the IKEv1 DOI) and
                 // offers only MD5, SHA-1 and DES. Current IETF guidance for AH/ESP
                 // (RFC 8221) marks the MD5- and DES-based integrity algorithms MUST
                 // NOT and downgrades SHA-1, so an inventory built on this class should
                 // flag values 2 and 4 and treat 3 as legacy. The ValueMap has no other
                 // entries, so any newer algorithm can only be reported as 1 ("Other")
                 // plus the OtherAHTransformId string; audit rules need to match on that
                 // string as well as on the numeric code.
501                 [Version ( "2.8.0" ), Description (
502                     "AHTransform defines the parameters used for a phase 2 AH "
503                     "(Authentication Header) Security Association."), 
504                  MappingStrings { "IPSP Model.IETF|AHTransform" }]
505 a.dunfey 1.1 class CIM_AHTransform : CIM_SATransform {
506              
507                    [Description (
508                        "AHTransformId is an enumeration that specifies the hash "
509                        "algorithm to be used. The list of values was generated from "
510                        "RFC2407, Section 4.4.3."), 
511                     ValueMap { "1", "2", "3", "4" }, 
512                     Values { "Other", "MD5", "SHA-1", "DES" }, 
513                     MappingStrings { "IPSP Model.IETF|AHTransform.AHTransformID",
514                        "RFC2407.IETF|Section 4.4.3" }, 
515                     ModelCorrespondence { "CIM_AHTransform.OtherAHTransformId" }]
516                 uint16 AHTransformId;
517              
518                    [Description (
519                        "Description of the hash algorithm when the value 1 "
520                        "(\"Other\") is specified for the property, AHTransformId."), 
521                     ModelCorrespondence { "CIM_AHTransform.AHTransformId" }]
522                 string OtherAHTransformId;
523              
                    // Enables sequence-number based replay detection on the local peer.
                    // A value of false on a live SA is worth surfacing in an audit.
524                    [Description (
525                        "UseReplayPrevention causes the local peer to enable replay "
526 a.dunfey 1.1           "prevention detection. This can be accomplished by using a "
527                        "sequence number when sending a packet or checking the "
528                        "sequence number upon receipt of a packet."), 
529                     MappingStrings { "IPSP " 
530                        "Model.IETF|AHTransform.UseReplayPrevention" }]
531                 boolean UseReplayPrevention;
532              
                    // Sliding-window length in bits; meaningless when UseReplayPrevention
                    // is false. The power-of-2 rule is stated only in the description
                    // text and no qualifier enforces it, so a consumer has to validate
                    // the value itself.
                    // NOTE(review): the description spells the name
                    // "ReplayPreventionWindowsSize"; the property and its mapping string
                    // are ReplayPreventionWindowSize.
533                    [Description (
534                        "ReplayPreventionWindowsSize specifies, in bits, the length "
535                        "of the sliding window used by the replay prevention "
536                        "mechanism. The value of this property is meaningless if "
537                        "UseReplayPrevention is false. The window size MUST be a "
538                        "power of 2."), 
539                     Units ( "Bits" ), 
540                     MappingStrings { "IPSP " 
541                        "Model.IETF|AHTransform.ReplayPreventionWindowSize" }]
542                 uint32 ReplayPreventionWindowSize;
543              };
544              
545              
546              // ==================================================================
547 a.dunfey 1.1 // ESPTransform
548              // ==================================================================
                 // Parameters of a phase 2 ESP Security Association: integrity
                 // algorithm, cipher, cipher key length and rounds, and the anti-replay
                 // settings. Both enumerations are the RFC2407 lists renumbered so that
                 // 1 is "Other" and 2 is "None".
                 // NOTE(review): the class description expands ESP as "Encapsulating
                 // Security Protocol"; the IETF name is Encapsulating Security Payload.
549                 [Version ( "2.8.0" ), Description (
550                     "ESPTransform defines the parameters used for a phase 2 ESP "
551                     "(Encapsulating Security Protocol) Security Association."), 
552                  MappingStrings { "IPSP Model.IETF|ESPTransform" }]
553              class CIM_ESPTransform : CIM_SATransform {
554              
                    // Value 2 ("None") means ESP was negotiated without authentication.
                    // Without an integrity check, modified ciphertext is not detected
                    // and the replay settings below cannot be relied on, so SAs that
                    // report 2 deserve a finding unless the cipher reported through
                    // "Other" is a combined-mode (AEAD) algorithm.
                    // MD5 (3), DES (5) and KPDK (6) are MUST NOT in current IETF
                    // guidance (RFC 8221); SHA-1 (4) is downgraded there.
555                    [Description (
556                        "IntegrityTransformId is an enumeration that specifies the "
557                        "ESP integrity algorithm to be used. The list of values is "
558                        "generated from the enumeration defined in RFC2407, Section "
559                        "4.5. Note that the enumeration is different than the RFC "
560                        "list, since the values of Other and None are taken into "
561                        "account. Also, note that 2 (\"None\") is used when ESP is "
562                        "negotiated without authentication."), 
563                     ValueMap { "1", "2", "3", "4", "5", "6", "7..61439",
564                        "61440..65535" }, 
565                     Values { "Other", "None", "MD5", "SHA-1", "DES", "KPDK",
566                        "DMTF/IANA Reserved", "Vendor Reserved" }, 
567                     MappingStrings { "IPSP " 
568 a.dunfey 1.1           "Model.IETF|ESPTransform.IntegrityTransformId",
569                        "RFC2407.IETF|Section 4.5" }, 
570                     ModelCorrespondence { 
571                        "CIM_ESPTransform.OtherIntegrityTransformId" }]
572                 uint16 IntegrityTransformId;
573              
574                    [Description (
575                        "Description of the integrity algorithm when the value 1 "
576                        "(\"Other\") is specified for the property, "
577                        "IntegrityTransformId."), 
578                     ModelCorrespondence { "CIM_ESPTransform.IntegrityTransformId" }]
579                 string OtherIntegrityTransformId;
580              
                    // Value 2 ("None") is the RFC's NULL cipher, i.e. no confidentiality.
                    // Together with IntegrityTransformId = 2 the SA protects nothing.
                    // Unlike IntegrityTransformId, this ValueMap stops at 12 and has no
                    // reserved ranges, so any cipher outside the list can only be
                    // reported as 1 ("Other") with free text in OtherCipherTransformId.
                    // Every named cipher here is legacy: RFC 8221 marks the DES variants
                    // MUST NOT and 3DES SHOULD NOT.
                    // NOTE(review): "encrypion" in the description is a typo for
                    // "encryption".
581                    [Description (
582                        "CipherTransformId is an enumeration that specifies the ESP "
583                        "encrypion algorithm to be used. The list of values is "
584                        "defined in RFC2407, Section 4.4.4, where the RFC's NULL "
585                        "value maps to 2-\"None\". Note that the enumeration is "
586                        "different than the RFC list, since 'Other' is added to the "
587                        "enumeration."), 
588                     ValueMap { "1", "2", "3", "4", "5", "6", "7", "8", "9", "10",
589 a.dunfey 1.1           "11", "12" }, 
590                     Values { "Other", "None", "DES_IV64", "DES", "3DES", "RC5",
591                        "IDEA", "CAST", "Blowfish", "3-IDEA", "DES_IV32", "RC4" }, 
592                     MappingStrings { "IPSP " 
593                        "Model.IETF|ESPTransform.CipherTransformId",
594                        "RFC2407.IETF|Section 4.4.4" }, 
595                     ModelCorrespondence { "CIM_ESPTransform.OtherCipherTransformId" 
596                        }]
597                 uint16 CipherTransformId;
598              
599                    [Description (
600                        "Description of the encryption algorithm when the value 1 "
601                        "(\"Other\") is specified for the property, "
602                        "CipherTransformId."), 
603                     ModelCorrespondence { "CIM_ESPTransform.CipherTransformId" }]
604                 string OtherCipherTransformId;
605              
                    // Key length in bits; ignored for fixed-key algorithms. For the
                    // variable-key ciphers in the list a short length is what an audit
                    // should look for. This is a length only, never key material.
606                    [Description (
607                        "CipherKeyLength specifies, in bits, the key length for the "
608                        "encryption algorithm. For algorithms with fixed key "
609                        "lengths, this value is ignored."), 
610 a.dunfey 1.1        Units ( "Bits" ), 
611                     MappingStrings { "IPSP Model.IETF|ESPTransform.CipherKeyLength" 
612                        }]
613                 uint16 CipherKeyLength;
614              
615                    [Description (
616                        "CipherKeyRounds specifies the key rounds for the encryption "
617                        "algorithm. For algorithms with a fixed number of key "
618                        "rounds, this value is ignored. Currently, key rounds are "
619                        "NOT defined for any ESP encryption algorithms."), 
620                     MappingStrings { "IPSP Model.IETF|ESPTransform.CipherKeyRounds" 
621                        }]
622                 uint16 CipherKeyRounds;
623              
                    // Enables sequence-number based replay detection on the local peer.
                    // It only gives protection when an integrity algorithm is in use;
                    // see the comment on IntegrityTransformId.
624                    [Description (
625                        "UseReplayPrevention causes the local peer to enable replay "
626                        "prevention detection. This can be accomplished by using a "
627                        "sequence number when sending a packet or checking the "
628                        "sequence number upon receipt of a packet."), 
629                     MappingStrings { "IPSP " 
630                        "Model.IETF|ESPTransform.UseReplayPrevention" }]
631 a.dunfey 1.1    boolean UseReplayPrevention;
632              
                    // Sliding-window length in bits; meaningless when UseReplayPrevention
                    // is false. The power-of-2 rule is stated only in the description
                    // text and no qualifier enforces it, so a consumer has to validate
                    // the value itself.
                    // NOTE(review): the description spells the name
                    // "ReplayPreventionWindowsSize"; the property and its mapping string
                    // are ReplayPreventionWindowSize.
633                    [Description (
634                        "ReplayPreventionWindowsSize specifies, in bits, the length "
635                        "of the sliding window used by the replay prevention "
636                        "mechanism. The value of this property is meaningless if "
637                        "UseReplayPrevention is false. The window size MUST be a "
638                        "power of 2."), 
639                     Units ( "Bits" ), 
640                     MappingStrings { "IPSP " 
641                        "Model.IETF|ESPTransform.ReplayPreventionWindowSize" }]
642                 uint32 ReplayPreventionWindowSize;
643              };
644              
645              
646              // ==================================================================
647              // IPCOMPTransform
648              // ==================================================================
                 // IP payload compression settings for a Security Association. Algorithm
                 // selects the compressor: OtherAlgorithm carries free text when it is
                 // 1, PrivateAlgorithm carries the vendor value when it is 2.
                 // Review note: compression runs before encryption, so the protected
                 // packet length depends on the plaintext. That is worth a line in the
                 // threat model where attacker-influenced and secret data can share a
                 // payload.
649                 [Version ( "2.8.0" ), Description (
650                     "The IPCOMPTransform specifies the IP compression algorithm to "
651                     "use for payload of the Security Association."), 
652 a.dunfey 1.1     MappingStrings { "IPSP Model.IETF|IPCOMPTransform" }]
653              class CIM_IPCOMPTransform : CIM_SATransform {
654              
655                    [Description (
656                        "The Algorithm is an enumeration that designates the IPCOMP "
657                        "compression algorithm to use. Its values are generated from "
658                        "RFC2407, Section 4.4.5. Note that the values are modified "
659                        "from the RFC, since 'Other' must be taken into account."), 
660                     ValueMap { "1", "2", "3", "4" }, 
661                     Values { "Other", "Vendor Algorithm/OUI", "DEFLATE", "LZS" }, 
662                     MappingStrings { "IPSP Model.IETF|IPCOMPTransform.Algorithm",
663                        "RFC2407.IETF|Section 4.4.5" }, 
664                     ModelCorrespondence { "CIM_IPCOMPTransform.PrivateAlgorithm",
665                        "CIM_IPCOMPTransform.OtherAlgorithm" }]
666                 uint16 Algorithm;
667              
668                    [Description (
669                        "Description of the compression algorithm when the value 1 "
670                        "(\"Other\") is specified for the property, Algorithm."), 
671                     ModelCorrespondence { "CIM_IPCOMPTransform.Algorithm" }]
672                 string OtherAlgorithm;
673 a.dunfey 1.1 
674                    [Description (
675                        "A private compression algorithm, used when the Algorithm "
676                        "property is set to 2, \"Vendor Algorithm/OUI\"."), 
677                     MappingStrings { "IPSP " 
678                        "Model.IETF|IPCOMPTransform.PrivateAlgorithm" }, 
679                     ModelCorrespondence { "CIM_IPCOMPTransform.Algorithm" }]
680                 uint32 PrivateAlgorithm;
681              
                    // The value is log2 of the maximum dictionary size, not a byte count,
                    // and the schema puts no upper bound on the uint16. A consumer that
                    // turns it into a shift count or an allocation size should
                    // range-check it first.
682                    [Description (
683                        "DictionarySize is an optional field that specifies the log2 "
684                        "maximum size of the dictionary for the compression "
685                        "algorithm. For dictionaries that have a fixed size, this "
686                        "value is ignored."), 
687                     MappingStrings { "IPSP " 
688                        "Model.IETF|IPCOMPTransform.DictionarySize" }]
689                 uint16 DictionarySize;
690              };
691              
692              
693              // ===================================================================
694 a.dunfey 1.1 // end of file
695              // ===================================================================
