1 tony 1.1 // ===================================================================
2 // Title: IPsec Policy 2.8 Preliminary
3 // Filename: IPsecPolicy.mof
4 // Version: 2.8
5 // Status: Preliminary
6 // Date: August 18, 2003
7 // ===================================================================
8 // Copyright 1998-2003 Distributed Management Task Force, Inc. (DMTF).
9 // All rights reserved.
10 // DMTF is a not-for-profit association of industry members dedicated
11 // to promoting enterprise and systems management and interoperability.
12 // DMTF specifications and documents may be reproduced for uses
13 // consistent with this purpose by members and non-members,
14 // provided that correct attribution is given.
15 // As DMTF specifications may be revised from time to time,
16 // the particular version and release date should always be noted.
17 //
18 // Implementation of certain elements of this standard or proposed
19 // standard may be subject to third party patent rights, including
20 // provisional patent rights (herein "patent rights"). DMTF makes
21 // no representations to users of the standard as to the existence
22 tony 1.1 // of such rights, and is not responsible to recognize, disclose, or
23 // identify any or all such third party patent right, owners or
24 // claimants, nor for any incomplete or inaccurate identification or
25 // disclosure of such rights, owners or claimants. DMTF shall have no
26 // liability to any party, in any manner or circumstance, under any
27 // legal theory whatsoever, for failure to recognize, disclose, or
28 // identify any such third party patent rights, or for such party's
29 // reliance on the standard or incorporation thereof in its product,
30 // protocols or testing procedures. DMTF shall have no liability to
31 // any party implementing such standard, whether such implementation
32 // is foreseeable or not, nor to any patent owner or claimant, and shall
33 // have no liability or responsibility for costs or losses incurred if
34 // a standard is withdrawn or modified after publication, and shall be
35 // indemnified and held harmless by any party implementing the
36 // standard from any and all claims of infringement by a patent owner
37 // for such implementations.
38 //
39 // For information about patents held by third-parties which have
40 // notified the DMTF that, in their opinion, such patent may relate to
41 // or impact implementations of DMTF standards, visit
42 // http://www.dmtf.org/about/policies/disclosures.php.
43 tony 1.1 // ===================================================================
44 // Description: This file defines the classes to negotiate
45 // an IPsec security association.
46 //
47 // The object classes below are listed in an order that
48 // avoids forward references. Required objects, defined
49 // by other working groups, are omitted.
50 // ==================================================================
51 // This model was originally introduced in CIM V2.6 Preliminary and
52 // was not promoted to Final status. The following CR updates the
53 // V2.6 MOF and better aligns it with the IETF I-D from the IPSP
54 // Working Group.
55 //
56 // Change Log for v2.8 Preliminary
57 // CR1026 - Modifications to the V2.6 MOF for IPsec management
58 // CR1105 - Generalize the SACondition class to be FilterCondition
59 // & move the classes to the Policy model.
60 // Generalize SAConditionInRule to be PacketConditionInSARule.
61 // ===================================================================
62
63 #pragma Locale ("en_US")
64 tony 1.1
65 // ==================================================================
66 // Compile prerequisite: Core, Policy and Network MOFs
67 // ==================================================================
68
69
70 // ==================================================================
71 // IPsec Negotiation Policy Rules
72 // ==================================================================
73
74 // ==================================================================
75 // SARule
76 // ==================================================================
77 [Experimental, Version ("2.7.1000"), Description (
78 "SARule is a base class for defining IKE and IPsec Rules. "
79 "Although concrete (because it subclasses from a concrete "
80 "class), it is not intended to be instantiated. It defines a "
81 "common connection point for associating conditions and actions "
82 "for both types of rules. Note that each valid PolicyGroup "
83 "containing SARules MUST use a unique priority number for the "
84 "Rule in the aggregation, PolicySetComponent.Priority."),
85 tony 1.1 MappingStrings {"IPSP Policy Model.IETF|SARule"} ]
86 class CIM_SARule: CIM_PolicyRule {
87
88 [Description (
89 "LimitNegotiation is used as part of processing either a key "
90 "exchange or IPsec Rule. Before proceeding with either a "
91 "phase 1 or a phase 2 negotiation, this property is checked "
92 "to determine if the negotiation role of the Rule matches "
93 "that defined for the negotiation being undertaken (e.g., "
94 "Initiator, Responder, or Both). If this check fails, then "
95 "the negotiation is stopped. Note that this only applies to "
96 "new negotiations and has no effect on either renegotiation "
97 "or refresh operations with peers for which an established "
98 "Security Association already exists."),
99 ValueMap { "1", "2", "3" },
100 Values {"Initiator-Only", "Responder-Only", "Either"},
101 MappingStrings { "IPSP Policy "
102 "Model.IETF|SARule.LimitNegotiation"} ]
103 uint16 LimitNegotiation;
104 };
105
106 tony 1.1
107 // ==================================================================
108 // RuleThatGeneratedSA
109 // ==================================================================
110 [Association, Experimental, Version ("2.7.1000"), Description (
111 "RuleThatGeneratedSA associates a SecurityAssociationEndpoint "
112 "with the SARule used to generate (or negotiate) it.") ]
113 class CIM_RuleThatGeneratedSA : CIM_Dependency {
114
115 [Override ("Antecedent"), Min (0), Max (1), Description (
116 "SARule that led to the Security Association.") ]
117 CIM_SARule REF Antecedent;
118
119 [Override ("Dependent"), Description (
120 "SecurityAssociationEndpoint created using the rule.") ]
121 CIM_SecurityAssociationEndpoint REF Dependent;
122 };
123
124
125 // ==================================================================
126 // IKERule
127 tony 1.1 // ==================================================================
128 [Experimental, Version ("2.7.1000"), Description (
129 "IKERule contains the Conditions and Actions for IKE phase 1 "
130 "negotiations or to specify static actions such as Discard."),
131 MappingStrings {"IPSP Policy Model.IETF|IKERule"} ]
132 class CIM_IKERule : CIM_SARule {
133
134 [Description (
135 "An IP endpoint may have multiple identities for use in "
136 "different situations. The IdentityContexts property "
137 "specifies the specific context/identities which pertain to "
138 "this Rule. The property's function is similar to that of "
139 "PolicyRoles. A context may be a VPN name or other "
140 "identifier that selects the appropriate identity.\n"
141 "\n"
142 "IdentityContexts is an array of strings. The multiple "
143 "values in the array are logically ORed together in matching "
144 "an IPNetworkIdentity's IdentityContexts. Each value in the "
145 "array may be a composition of multiple context names. When "
146 "an array value is a composition, the individual values are "
147 "logically ANDed together for evaluation purposes. The "
148 tony 1.1 "syntax is:\n"
149 " <ContextName>[&&<ContextName>]*\n"
150 "where the individual context names appear in alphabetical "
151 "order (according to the collating sequence for UCS-2). So, "
152 "for example, the values 'CompanyXVPN', "
153 "'CompanyYVPN&&TopSecret', 'CompanyZVPN&&Confidential' are "
154 "possible contexts for a Rule. They are matched against an "
155 "IPNetworkIdentity's IdentityContexts. Any of the values "
156 "may indicate a match and select an Identity, since the "
157 "values in the array are logically ORed."),
158 MappingStrings {"IPSP Policy "
159 "Model.IETF|IKERule.IdentityContexts"},
160 ModelCorrespondence {"CIM_IPNetworkIdentity.IdentityContexts"} ]
161 string IdentityContexts[];
162 };
163
164
165 // ==================================================================
166 // IPsecRule
167 // ==================================================================
168 [Experimental, Version ("2.7.1000"), Description (
169 tony 1.1 "IPsecRule contains the Conditions and Actions for phase 2 "
170 "negotiations or to specify static actions such as Discard."),
171 MappingStrings {"IPSP Policy Model.IETF|IPsecRule"} ]
172 class CIM_IPsecRule : CIM_SARule {
173 };
174
175
176 // ==================================================================
177 // IPsecPolicyForSystem
178 // ==================================================================
179 [Association, Experimental, Version ("2.7.1000"), Description (
180 "IPsecPolicyForSystem associates a PolicyGroup with a specific "
181 "system (e.g., a host or a network device) - indicating that "
182 "this is the 'default' IPsec policy for that system. The "
183 "referenced PolicyGroup would be used for any "
184 "IPProtocolEndpoint's IPsec negotiations, UNLESS the "
185 "IPsecPolicyForEndpoint association is defined. "
186 "IPsecPolicyForEndpoint indicates a more specific PolicyGroup "
187 "for IPsec negotiations for the endpoint."),
188 MappingStrings {"IPSP Policy Model.IETF|IPsecPolicyForSystem"} ]
189 class CIM_IPsecPolicyForSystem : CIM_Dependency {
190 tony 1.1
191 [Override ("Antecedent"), Description (
192 "A System to which the PolicyGroup applies."),
193 MappingStrings { "IPSP Policy "
194 "Model.IETF|IPsecPolicyForSystem.Antecedent"} ]
195 CIM_System REF Antecedent;
196
197 [Override ("Dependent"), Min (0), Max (1), Description (
198 "The PolicyGroup that defines the 'default' IPsec "
199 "negotiation policy for the System."),
200 MappingStrings { "IPSP Policy "
201 "Model.IETF|IPsecPolicyForSystem.Dependent"} ]
202 CIM_PolicyGroup REF Dependent;
203 };
204
205
206 // ==================================================================
207 // IPsecPolicyForEndpoint
208 // ==================================================================
209 [Association, Experimental, Version ("2.7.1000"), Description (
210 "IPsecPolicyForEndpoint associates a PolicyGroup with a "
211 tony 1.1 "specific IP endpoint. This association's policies take "
212 "priority over any PolicyGroup defined generically for the "
213 "hosting system. The latter is defined using the "
214 "IPsecPolicyForSystem association."),
215 MappingStrings {"IPSP Policy Model.IETF|IPsecPolicyForEndpoint"} ]
216 class CIM_IPsecPolicyForEndpoint : CIM_Dependency {
217
218 [Override ("Antecedent"), Description (
219 "The IPProtocolEndpoint that identifies an interface to "
220 "which the PolicyGroup applies."),
221 MappingStrings { "IPSP Policy "
222 "Model.IETF|IPsecPolicyForEndpoint.Antecedent"} ]
223 CIM_IPProtocolEndpoint REF Antecedent;
224
225 [Override ("Dependent"), Min (0), Max (1), Description (
226 "The PolicyGroup that defines the IPsec negotiation policy "
227 "for the Endpoint."),
228 MappingStrings { "IPSP Policy "
229 "Model.IETF|IPsecPolicyForEndpoint.Dependent"} ]
230 CIM_PolicyGroup REF Dependent;
231 };
232 tony 1.1
233
234 // ==================================================================
235 // IPsec Negotiation Policy Conditions
236 // ==================================================================
237
238 // ==================================================================
239 // PacketConditionInSARule
240 // ==================================================================
241 [Association, Experimental, Aggregation, Version ("2.7.1000"),
242 Description (
243 "PacketConditionInSARule aggregates an SARule with at least one "
244 "instance of PacketFilterCondition. This is a specialization "
245 "of the PolicyConditionInPolicyRule association."),
246 MappingStrings {"IPSP Policy Model.IETF|SAConditionInRule"} ]
247 class CIM_PacketConditionInSARule : CIM_PolicyConditionInPolicyRule {
248
249 [Aggregate, Override ("GroupComponent"), Description (
250 "An SARule subclass of PolicyRule."),
251 MappingStrings { "IPSP Policy "
252 "Model.IETF|SAConditionInRule.GroupComponent"} ]
253 tony 1.1 CIM_SARule REF GroupComponent;
254
255 [Override ("PartComponent"), Min (1), Description (
256 "An SACondition that is required for the SARule."),
257 MappingStrings { "IPSP Policy "
258 "Model.IETF|SAConditionInRule.PartComponent"} ]
259 CIM_PacketFilterCondition REF PartComponent;
260 };
261
262
263 // ==================================================================
264 // IPsec Negotiation Policy Actions - Static and Negotiated
265 // ==================================================================
266
267 // ==================================================================
268 // SAAction
269 // ==================================================================
270 [Experimental, Abstract, Version ("2.7.1000"), Description (
271 "SAAction is the base class for the various types of key "
272 "exchange or IPsec actions. It is abstract and used to "
273 "categorize the different types of actions of SARules."),
274 tony 1.1 MappingStrings {"IPSP Policy Model.IETF|SAAction"} ]
275 class CIM_SAAction : CIM_PolicyAction {
276
277 [Description (
278 "DoPacketLogging causes a log message to be generated when "
279 "the action is applied to a packet."),
280 MappingStrings { "IPSP Policy "
281 "Model.IETF|SAAction.DoPacketLogging"},
282 ModelCorrespondence {
283 "CIM_SecurityAssociationEndpoint.PacketLoggingActive"} ]
284 boolean DoPacketLogging;
285 };
286
287
288 // ==================================================================
289 // SAStaticAction
290 // ==================================================================
291 [Experimental, Version ("2.7.1000"), Description (
292 "SAStaticAction is the base class for both key exchange as well "
293 "as IPsec actions that require no negotiation. It is a "
294 "concrete class that can be aggregated with other subclasses of "
295 tony 1.1 "PolicyAction (such as NetworkPacketAction) into a PolicyRule, "
296 "to describe how packets are handled throughout the lifetime of "
297 "the Security Association."),
298 MappingStrings {"IPSP Policy Model.IETF|SAStaticAction"} ]
299 class CIM_SAStaticAction : CIM_SAAction {
300
301 [Description (
302 "LifetimeSeconds specifies how long the SA created from this "
303 "action should be used/exist. A value of 0 means an "
304 "infinite lifetime. A non-zero value is typically used in "
305 "conjunction with alternate SAActions performed when there "
306 "is a negotiation failure of some sort.\n"
307 "\n"
308 "Note: If the referenced SAStaticAction object IS-A "
309 "PreconfiguredSAAction (that is associated to several "
310 "SATransforms), then the actual lifetime of the Security "
311 "Association will be the lesser of the value of this "
312 "LifetimeSeconds property and of the value of the "
313 "MaxLifetimeSeconds property of the associated SATransform."),
314 Units ("Seconds"),
315 MappingStrings { "IPSP Policy "
316 tony 1.1 "Model.IETF|SAStaticAction.LifetimeSeconds"},
317 ModelCorrespondence {
318 "CIM_SecurityAssociationEndpoint.LifetimeSeconds"} ]
319 uint64 LifetimeSeconds;
320 };
321
322
323 // ==================================================================
324 // PreconfiguredSAAction
325 // ==================================================================
326 [Experimental, Version ("2.7.1000"), Description (
327 "Subclasses of PreconfiguredSAAction are used to create SAs "
328 "using preconfigured, hard-wired algorithms and keys. No "
329 "negotiation is necessary. Note that this class is defined as "
330 "concrete, since its superclass is also concrete. However, it "
331 "should not be directly instantiated, but one of its subclasses "
332 "used instead.\n"
333 "\n"
334 "Also note that:\n"
335 "- The SPI for a preconfigured SA action is contained in the "
336 "association, TransformOfPreconfiguredAction.\n"
337 tony 1.1 "- The session key (if applicable) is contained in an instance "
338 "of SharedSecret. For an instance of the SharedSecret class: "
339 "The session key is stored in the Secret property; the property "
340 "protocol contains one of the values, \"ESP-encrypt\", "
341 "\"ESP-auth\" or \"AH\"; and, the class' property algorithm "
342 "contains the algorithm used to protect the secret. (The "
343 "latter can be \"PLAINTEXT\" if the IPsec entity has no secret "
344 "storage.) The value of the class' RemoteID property is the "
345 "concatenation of the remote IPsec peer IP address in dotted "
346 "decimal, of the character \"/\", of \"IN\" (or respectively "
347 "\"OUT\") for inbound/outbound SAs, of the character \"/\" and "
348 "of the hexadecimal representation of the SPI."),
349 MappingStrings {"IPSP Policy Model.IETF|PreconfiguredSAAction"} ]
350 class CIM_PreconfiguredSAAction : CIM_SAStaticAction {
351
352 [Description (
353 "LifetimeKilobytes defines a traffic limit in kilobytes that "
354 "can be consumed before the SA is deleted. A value of zero "
355 "(the default) indicates that there is no lifetime "
356 "associated with this action (i.e., infinite lifetime). A "
357 "non-zero value is used to indicate that after this number "
358 tony 1.1 "of kilobytes has been consumed the SA must be deleted.\n"
359 "\n"
360 "Note that the actual lifetime of the preconfigured SA will "
361 "be the lesser of the value of this LifetimeKilobytes "
362 "property and the value of the MaxLifetimeKilobytes property "
363 "of the associated SATransform. Also note that some SA "
364 "negotiation protocols (such as IKE) can negotiate the "
365 "lifetime as an arbitrary length field, it is assumed that a "
366 "64-bit integer will be sufficient."),
367 Units ("KiloBytes"),
368 MappingStrings { "IPSP Policy Model.IETF|PreconfiguredSAAction."
369 "LifetimeKilobytes"},
370 ModelCorrespondence {
371 "CIM_SecurityAssociationEndpoint.LifetimeKilobytes"} ]
372 uint64 LifetimeKilobytes;
373 };
374
375
376 // ==================================================================
377 // TransformOfPreconfiguredAction
378 // ==================================================================
379 tony 1.1 [Association, Experimental, Version ("2.7.1000"), Description (
380 "TransformOfPreconfiguredAction defines the transforms used by "
381 "a preconfigured IPsec action. Two, four or six SATransforms "
382 "can be associated to a PreconfiguredSAAction (applied to the "
383 "inbound and outbound traffic, as indicated by the Direction "
384 "property of this association). The order of application of "
385 "the SATransforms is implicitly defined in RFC2401."),
386 MappingStrings { "IPSP Policy "
387 "Model.IETF|TransformOfPreconfiguredAction"} ]
388 class CIM_TransformOfPreconfiguredAction : CIM_Dependency {
389
390 [Override ("Antecedent"), Min (2), Max (6), Description (
391 "This defines the type of transform used by the referenced "
392 "PreconfiguredSAAction. A minimum of 2 and maximum of 6 "
393 "transforms can be defined, for the inbound/outbound "
394 "directions, representing AH, ESP, and/or an IPCOMP "
395 "transforms."),
396 MappingStrings {"IPSP Policy Model.IETF|"
397 "TransformOfPreconfiguredAction.Antecedent"} ]
398 CIM_SATransform REF Antecedent;
399
400 tony 1.1 [Override ("Dependent"), Description (
401 "This defines the PreconfiguredSAAction which uses the AH, "
402 "ESP, and/or IPCOMP transforms."),
403 MappingStrings {"IPSP Policy Model.IETF|"
404 "TransformOfPreconfiguredAction.Dependent"} ]
405 CIM_PreconfiguredSAAction REF Dependent;
406
407 [Description (
408 "The SPI property specifies the security parameter index to "
409 "be used by the pre-configured action for the associated "
410 "transform."),
411 MappingStrings {"IPSP Policy Model.IETF|"
412 "TransformOfPreconfiguredAction.SPI"},
413 ModelCorrespondence {"CIM_IPsecSAEndpoint.SPI"} ]
414 uint32 SPI;
415
416 [Description (
417 "InboundDirection specifies whether the SA applies to "
418 "inbound (TRUE) or outbound (FALSE) traffic."),
419 MappingStrings {"IPSP Policy Model.IETF|"
420 "TransformOfPreconfiguredAction.Direction"},
421 tony 1.1 ModelCorrespondence {"CIM_IPsecSAEndpoint.InboundDirection"} ]
422 boolean InboundDirection;
423 };
424
425
426 // ==================================================================
427 // PreconfiguredTransportAction
428 // ==================================================================
429 [Experimental, Version ("2.7.1000"), Description (
430 "PreconfiguredTransportAction is used to create transport-mode "
431 "SAs using preconfigured, hard-wired algorithms and keys. Note "
432 "that the SPI for a preconfigured SA action is contained in the "
433 "association, TransformOfPreconfiguredAction."),
434 MappingStrings { "IPSP Policy "
435 "Model.IETF|PreconfiguredTransportAction"} ]
436 class CIM_PreconfiguredTransportAction : CIM_PreconfiguredSAAction {
437 };
438
439
440 // ==================================================================
441 // PreconfiguredTunnelAction
442 tony 1.1 // ==================================================================
443 [Experimental, Version ("2.7.1000"), Description (
444 "PreconfiguredTunnelAction is used to create tunnel-mode SAs "
445 "using preconfigured, hard-wired algorithms and keys. Note "
446 "that the SPI for a preconfigured SA action is contained in the "
447 "association, TransformOfPreconfiguredAction."),
448 MappingStrings { "IPSP Policy "
449 "Model.IETF|PreconfiguredTunnelAction"} ]
450 class CIM_PreconfiguredTunnelAction : CIM_PreconfiguredSAAction {
451
452 [Description (
453 "DFHandling controls how the Don't Fragment bit is managed "
454 "by the tunnel."),
455 ValueMap {"2", "3", "4"},
456 Values {"Copy from Internal to External IP Header",
457 "Set DF Bit in External Header to 1",
458 "Set DF Bit in External Header to 0"},
459 MappingStrings {"IPSP Policy Model.IETF|"
460 "PreconfiguredTunnelAction.DFHandling"},
461 ModelCorrespondence {"CIM_IPsecSAEndpoint.DFHandling"} ]
462 uint16 DFHandling;
463 tony 1.1 };
464
465
466 // ==================================================================
467 // PeerGatewayForPreconfiguredTunnel
468 // ==================================================================
469 [Association, Experimental, Version ("2.7.1000"), Description (
470 "PeerGatewayForPreconfiguredTunnel identifies at most one "
471 "security gateway be used in constructing a preconfigured "
472 "tunnel. A security gateway is simply a particular instance of "
473 "RemoteServiceAccessPoint."),
474 MappingStrings { "IPSP Policy "
475 "Model.IETF|PeerGatewayForPreconfiguredTunnel"} ]
476 class CIM_PeerGatewayForPreconfiguredTunnel : CIM_Dependency {
477
478 [Override ("Antecedent"), Max (1), Description (
479 "Security gateway for the preconfigured SA."),
480 MappingStrings {"IPSP Policy Model.IETF|"
481 "PeerGatewayForPreconfiguredTunnel.Antecedent"} ]
482 CIM_RemoteServiceAccessPoint REF Antecedent;
483
484 tony 1.1 [Override ("Dependent"), Description (
485 "The PreconfiguredTunnelAction that requires a security "
486 "gateway."),
487 MappingStrings {"IPSP Policy Model.IETF|"
488 "PeerGatewayForPreconfiguredTunnel.Dependent"} ]
489 CIM_PreconfiguredTunnelAction REF Dependent;
490 };
491
492
493 // ==================================================================
494 // SANegotiationAction
495 // ==================================================================
496 [Experimental, Abstract, Version ("2.7.1000"), Description (
497 "SANegotiationAction is the base class for negotiated SAs. It "
498 "is abstract, specifying the common parameters that control the "
499 "IPsec phase 1 and phase 2 negotiations."),
500 MappingStrings {"IPSP Policy Model.IETF|SANegotiationAction",
501 "IPSP Policy Model.IETF|IKENegotiationAction"} ]
502 class CIM_SANegotiationAction : CIM_SAAction {
503
504 [Description (
505 tony 1.1 "MinLifetimeSeconds prevents certain denial of service "
506 "attacks where the peer requests an arbitrarily low lifetime "
507 "value, causing renegotiations with expensive Diffie-Hellman "
508 "operations. The property specifies the minimum lifetime, "
509 "in seconds, that will be accepted from the peer. A value "
510 "of zero (the default) indicates that there is no minimum "
511 "value. A non-zero value specifies the minimum seconds "
512 "lifetime."),
513 Units ("Seconds"),
514 MappingStrings {"IPSP Policy Model.IETF|"
515 "IKENegotiationAction.MinLifetimeSeconds"},
516 ModelCorrespondence {
517 "CIM_SecurityAssociationEndpoint.LifetimeSeconds"} ]
518 uint64 MinLifetimeSeconds = 0;
519
520 [Description (
521 "IdleDurationSeconds is the time an SA can remain idle "
522 "(i.e., no traffic protected using the security association) "
523 "before it is automatically deleted. The default (zero) "
524 "value indicates that there is no idle duration timer and "
525 "that the SA is deleted based upon the SA seconds and "
526 tony 1.1 "kilobyte lifetimes. Any non-zero value indicates the "
527 "number of seconds that the SA may remain unused."),
528 Units ("Seconds"),
529 MappingStrings {"IPSP Policy Model.IETF|"
530 "IKENegotiationAction.IdleDurationSeconds"},
531 ModelCorrespondence {
532 "CIM_SecurityAssociationEndpoint.IdleDurationSeconds"} ]
533 uint64 IdleDurationSeconds = 0;
534
535 [Description (
536 "MinLifetimeKilobytes prevents certain denial of service "
537 "attacks where the peer requests an arbitrarily low lifetime "
538 "value, causing renegotiations with expensive Diffie-Hellman "
539 "operations. The property specifies the minimum lifetime, "
540 "in kilobytes, that will be accepted from the peer. A value "
541 "of zero (the default) indicates that there is no minimum "
542 "value. A non-zero value specifies the minimum kilobytes "
543 "lifetime. Note that there has been considerable debate "
544 "regarding the usefulness of applying kilobyte lifetimes to "
545 "phase 1 security associations, so it is likely that this "
546 "property will only apply to the subclass, IPsecAction."),
547 tony 1.1 Units ("KiloBytes"),
548 MappingStrings {"IPSP Policy Model.IETF|"
549 "IKENegotiationAction.MinLifetimeKilobytes"},
550 ModelCorrespondence {
551 "CIM_SecurityAssociationEndpoint.LifetimeKilobytes"} ]
552 uint64 MinLifetimeKilobytes = 0;
553 };
554
555
556 // ==================================================================
557 // IKEAction
558 // ==================================================================
559 [Experimental, Version ("2.7.1000"), Description (
560 "IKEAction specifies the parameters to use for an IPsec IKE "
561 "phase 1 negotiation."),
562 MappingStrings {"IPSP Policy Model.IETF|IKEAction"} ]
563 class CIM_IKEAction : CIM_SANegotiationAction {
564
565 [Description (
566 "The ExchangeMode designates the mode IKE should use for its "
567 "key negotiations."),
568 tony 1.1 ValueMap {"2", "3", "4"},
569 Values {"Base", "Main", "Aggressive"},
570 MappingStrings {"IPSP Policy Model.IETF|IKEAction.ExchangeMode"} ]
571 uint16 ExchangeMode;
572
573 [Description (
574 "UseIKEIdentityType specifies what network identity type "
575 "should be used when negotiating with the peer. It is used "
576 "in conjunction with the available IPNetworkIdentity "
577 "instances, that are associated with an IPProtocolEndpoint."),
578 ValueMap {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10",
579 "11", "12", "..", "0x8000.."},
580 Values {"Other", "IPV4 Address", "FQDN", "User FQDN",
581 "IPV4 Subnet Address", "IPV6 Address",
582 "IPV6 Subnet Address", "IPV4 Address Range",
583 "IPV6 Address Range", "DER ASN1 DN", "DER ASN1 GN",
584 "KEY ID", "DMTF Reserved", "Vendor Reserved"},
585 MappingStrings { "IPSP Policy "
586 "Model.IETF|IKEAction.UseIKEIdentityType",
587 "RFC2407.IETF|Section 4.6.2.1"},
588 ModelCorrespondence { "CIM_IPNetworkIdentity.IdentityType"} ]
589 tony 1.1 uint16 UseIKEIdentityType;
590
591 [Description (
592 "VendorID specifies the value to be used in the Vendor ID "
593 "payload. An empty string (the default) means that the "
594 "Vendor ID payload will not be generated or accepted. A "
595 "non-NULL value means that a Vendor ID payload will be "
596 "generated (when acting as an initiator) or is expected "
597 "(when acting as a responder)."),
598 MappingStrings {"IPSP Policy Model.IETF|IKEAction.VendorID"} ]
599 string VendorID = "";
600
601 [Description (
602 "When IKEAction.ExchangeMode is set to \"Aggressive\" (4), "
603 "this property specifies the key exchange groupID to use in "
604 "the first packets of the phase 1 negotiation. This "
605 "property is ignored unless the ExchangeMode is "
606 "'aggressive'. If the GroupID number is from the vendor- "
607 "specific range (32768-65535), the VendorID qualifies the "
608 "group number. Well-known group identifiers from RFC2412, "
609 "Appendix E, are: Group 1='768 bit prime', Group 2='1024 bit "
610 tony 1.1 "prime', Group 3='Elliptic Curve Group with 155 bit field "
611 "element', Group 4='Large Elliptic Curve Group with 185 bit "
612 "field element', and Group 5='1536 bit prime'."),
613 ValueMap {"0", "1", "2", "3", "4", "5", "..", "0x8000.."},
614 Values {"No Group/Non-Diffie-Hellman Exchange",
615 "DH-768 bit prime", "DH-1024 bit prime",
616 "EC2N-155 bit field element", "EC2N-185 bit field element",
617 "DH-1536 bit prime", "Standard Group - Reserved",
618 "Vendor Reserved"},
619 MappingStrings { "IPSP Policy "
620 "Model.IETF|IKEAction.AggressiveModeGroupID",
621 "RFC2412.IETF|Appendix E"},
622 ModelCorrespondence {"CIM_IKEAction.VendorID"} ]
623 uint16 AggressiveModeGroupID;
624 };
625
626
627 // ==================================================================
628 // IPsecAction
629 // ==================================================================
630 [Experimental, Version ("2.7.1000"), Description (
631 tony 1.1 "IPsecAction specifies the parameters to use for an IPsec phase "
632 "2 negotiation."),
633 MappingStrings {"IPSP Policy Model.IETF|IPsecAction"} ]
634 class CIM_IPsecAction : CIM_SANegotiationAction {
635
636 [Description (
637 "UsePFS indicates whether perfect forward secrecy is "
638 "required when refreshing keys."),
639 MappingStrings {"IPSP Policy Model.IETF|IPsecAction.UsePFS"},
640 ModelCorrespondence {"CIM_IPsecSAEndpoint.PFSInUse"} ]
641 boolean UsePFS;
642
643 [Description (
644 "UsePhase1Group indicates that the phase 2 GroupId should be "
645 "the same as that used in the phase 1 key exchange. If "
646 "UsePFS is False, then this property is ignored. Note that "
647 "a value of False indicates that the property GroupId will "
648 "contain the key exchange group to use for phase 2."),
649 MappingStrings { "IPSP Policy "
650 "Model.IETF|IPsecAction.UseIKEGroup"} ]
651 boolean UsePhase1Group;
652 tony 1.1
653 [Description (
654 "GroupId specifies the PFS group ID to use. This value is "
655 "only used if PFS is True and UsePhase1Group is False. If "
656 "the GroupID number is from the vendor-specific range "
657 "(32768-65535), the VendorID qualifies the group number. "
658 "Well-known group identifiers from RFC2412, Appendix E, are: "
659 "Group 1='768 bit prime', Group 2='1024 bit prime', Group "
660 "3='Elliptic Curve Group with 155 bit field element', Group "
661 "4='Large Elliptic Curve Group with 185 bit field element', "
662 "and Group 5='1536 bit prime'."),
663 ValueMap {"0", "1", "2", "3", "4", "5", "..", "0x8000.."},
664 Values {"No Group/Non-Diffie-Hellman Exchange",
665 "DH-768 bit prime", "DH-1024 bit prime",
666 "EC2N-155 bit field element", "EC2N-185 bit field element",
667 "DH-1536 bit prime", "Standard Group - Reserved",
668 "Vendor Reserved"},
669 MappingStrings { "IPSP Policy Model.IETF|IPsecAction.GroupID",
670 "RFC2412.IETF|Appendix E"},
671 ModelCorrespondence {"CIM_IPsecAction.VendorID",
672 "CIM_IKESAEndpoint.GroupID"} ]
673 tony 1.1 uint16 GroupId;
674
675 [Description (
676 "The property VendorID is used together with the property "
677 "GroupID (when it is in the vendor-specific range) to "
678 "identify the key exchange group. VendorID is ignored "
679 "unless UsePFS is true, AND UsePhase1Group is False, AND "
680 "GroupID is in the vendor-specific range (32768-65535)."),
681 MappingStrings { "IPSP Policy Model.IETF|IPsecAction.VendorID"},
682 ModelCorrespondence {"CIM_IPsecAction.GroupId",
683 "CIM_IKESAEndpoint.VendorID"} ]
684 string VendorID;
685
686 [Description (
687 "The property Granularity is an enumeration that specifies "
688 "how the selector for the SA should be derived from the "
689 "traffic that triggered the negotiation. Its values are:\n"
690 "1=Other; See the OtherGranularity property for more information\n"
691 "2=Subnet; The source and destination subnet masks are used\n"
692 "3=Address; The source and destination IP addresses of the "
693 "triggering packet are used\n"
694 tony 1.1 "4=Protocol; The source and destination IP addresses and the "
695 "IP protocol of the triggering packet are used\n"
696 "5=Port; The source and destination IP addresses, IP "
697 "protocol and the source and destination layer 4 ports of "
698 "the triggering packet are used."),
699 ValueMap {"1", "2", "3", "4", "5"},
700 Values {"Other", "Subnet", "Address", "Protocol", "Port"},
701 MappingStrings {"IPSP Policy "
702 "Model.IETF|IPsecAction.Granularity"},
703 ModelCorrespondence {"CIM_IPsecAction.OtherGranularity"} ]
704 uint16 Granularity;
705
706 [Description (
707 "Description of the granularity when the value 1 (\"Other\") "
708 "is specified for the property, Granularity."),
709 ModelCorrespondence {"CIM_IPsecAction.Granularity"} ]
710 string OtherGranularity;
711 };
712
713
714 // ==================================================================
715 tony 1.1 // IPsecTransportAction
716 // ==================================================================
717 [Experimental, Version ("2.7.1000"), Description (
718 "IPsecTransportAction is used to specify that a transport-mode "
719 "SA should be negotiated."),
720 MappingStrings {"IPSP Policy Model.IETF|IPsecTransportAction"} ]
721 class CIM_IPsecTransportAction : CIM_IPsecAction {
722 };
723
724
725 // ==================================================================
726 // IPsecTunnelAction
727 // ==================================================================
728 [Experimental, Version ("2.7.1000"), Description (
729 "IPsecTunnelAction is used to specify that a tunnel-mode SA "
730 "should be negotiated."),
731 MappingStrings {"IPSP Policy Model.IETF|IPsecTunnelAction"} ]
732 class CIM_IPsecTunnelAction : CIM_IPsecAction {
733
734 [Description (
735 "DFHandling controls how the Don't Fragment bit is managed "
736 tony 1.1 "by the tunnel."),
737 ValueMap {"2", "3", "4"},
738 Values {"Copy from Internal to External IP Header",
739 "Set DF Bit in External Header to 1",
740 "Set DF Bit in External Header to 0"},
741 MappingStrings {"IPSP Policy Model.IETF|"
742 "PreconfiguredTunnelAction.DFHandling"},
743 ModelCorrespondence {"CIM_IPsecSAEndpoint.DFHandling"} ]
744 uint16 DFHandling;
745 };
746
747
748 // ==================================================================
749 // PeerGatewayForTunnel
750 // ==================================================================
751 [Association, Experimental, Version ("2.7.1000"), Description (
752 "PeerGatewayForTunnel identifies an ordered list of security "
753 "gateways to be used in negotiating and constructing a tunnel. "
754 "A security gateway is simply a particular instance of "
755 "RemoteServiceAccessPoint."),
756 MappingStrings {"IPSP Policy Model.IETF|PeerGatewayForTunnel"} ]
757 tony 1.1 class CIM_PeerGatewayForTunnel : CIM_Dependency {
758
759 [Override ("Antecedent"), Description (
760 "The security gateway for the SA. Note that the absense of "
761 "this association indicates that:\n"
762 "- When acting as a responder, IKE will accept phase 1 "
763 "negotiations with any other security gateway\n"
764 "- When acting as an initiator, IKE will use the destination "
765 "IP address (of the IP packets which triggered the SARule) "
766 "as the IP address of the peer IKE entity."),
767 MappingStrings { "IPSP Policy "
768 "Model.IETF|PeerGatewayForTunnel.Antecedent"} ]
769 CIM_RemoteServiceAccessPoint REF Antecedent;
770
771 [Override ("Dependent"), Description (
772 "The IPsecTunnelAction that requires a security gateway."),
773 MappingStrings { "IPSP Policy "
774 "Model.IETF|PeerGatewayForTunnel.Dependent"} ]
775 CIM_IPsecTunnelAction REF Dependent;
776
777 [Description (
778 tony 1.1 "SequenceNumber indicates the ordering to be used when "
779 "selecting a PeerGateway instance for an IPsecTunnelAction. "
780 "Lower values are evaluated first."),
781 MappingStrings {"IPSP Policy Model.IETF|"
782 "PeerGatewayForTunnel.SequenceNumber"} ]
783 uint16 SequenceNumber;
784 };
785
786
787 // ==================================================================
788 // IPsec phase 1 and 2 Proposals to be negotiated
789 // ==================================================================
790
791 // ==================================================================
792 // SAProposal
793 // ==================================================================
794 [Experimental, Abstract, Version ("2.7.1000"), Description (
795 "SAProposal is a base class defining the common properties of, "
796 "and anchoring common associations for, IPsec phase 1 and phase "
797 "2 proposals. It is defined as a kind of ScopedSettingData "
798 "(scoped by a ComputerSystem or AdminDomain), since its "
799 tony 1.1 "subclasses define sets of IPsec properties that MUST be "
800 "applied together, if negotiated. This subclassing is "
801 "different than that defined in IETF's IPSP Policy draft - "
802 "where it is subclassed from Policy. The definition as "
803 "SettingData is more consistent with the application of the "
804 "properties as a set, to the negotiated Security Association. "
805 "To indicate that 'this' proposaltransform is negotiated for a "
806 "Security Association, use the ElementSettingData to associate "
807 "the proposal and the SA."),
808 MappingStrings {"IPSP Policy Model.IETF|SAProposal"} ]
809 class CIM_SAProposal : CIM_ScopedSettingData {
810 };
811
812
813 // ==================================================================
814 // ContainedProposal
815 // ==================================================================
816 [Association, Experimental, Aggregation, Version ("2.7.1000"),
817 Description (
818 "ContainedProposal holds an ordered list of SAProposals that "
819 "make up an SANegotiationAction. If the referenced "
820 tony 1.1 "NegotiationAction is an IKEAction, then the SAProposal objects "
821 "MUST be IKEProposals. If the referenced NegotiationAction "
822 "object is an IPsecTransport/TunnelAction, then the referenced "
823 "SAProposal objects MUST be IPsecProposals."),
824 MappingStrings {"IPSP Policy Model.IETF|ContainedProposal"} ]
825 class CIM_ContainedProposal: CIM_Component {
826
827 [Aggregate, Override ("GroupComponent"), Description (
828 "The SANegotiationAction containing a list of SAProposals."),
829 MappingStrings { "IPSP Policy "
830 "Model.IETF|ContainedProposal.GroupComponent"} ]
831 CIM_SANegotiationAction REF GroupComponent;
832
833 [Override ("PartComponent"), Description (
834 "The SAProposal in this negotiation action."),
835 MappingStrings { "IPSP Policy "
836 "Model.IETF|ContainedProposal.PartComponent"} ]
837 CIM_SAProposal REF PartComponent;
838
839 [Description (
840 "SequenceNumber indicates the ordering to be used when "
841 tony 1.1 "chosing from among the proposals. Lower-valued proposals "
842 "are preferred over proposals with higher values. For "
843 "ContainedProposals that reference the same "
844 "SANegotiationAction, SequenceNumber values MUST be unique."),
845 MappingStrings { "IPSP Policy "
846 "Model.IETF|ContainedProposal.SequenceNumber"} ]
847 uint16 SequenceNumber;
848 };
849
850
851 // ==================================================================
852 // IKEProposal
853 // ==================================================================
854 [Experimental, Version ("2.7.1000"), Description (
855 "IKEProposal contains the parameters necessary to drive the "
856 "phase 1 IKE negotiation."),
857 MappingStrings {"IPSP Policy Model.IETF|IKEProposal"} ]
858 class CIM_IKEProposal : CIM_SAProposal {
859
860 [Description (
861 "MaxLifetimeSeconds specifies the maximum time the IKE "
862 tony 1.1 "message sender proposes for an SA to be considered valid "
863 "after it has been created. A value of zero indicates that "
864 "the default of 8 hours be used. A non-zero value indicates "
865 "the maximum seconds lifetime."),
866 Units ("Seconds"),
867 MappingStrings { "IPSP Policy "
868 "Model.IETF|IKEProposal.MaxLifetimeSeconds"},
869 ModelCorrespondence {
870 "CIM_SecurityAssociationEndpoint.LifetimeSeconds"} ]
871 uint64 MaxLifetimeSeconds;
872
873 [Description (
874 "MaxLifetimeKilobytes specifies the maximum kilobyte "
875 "lifetime the IKE message sender proposes for an SA to be "
876 "considered valid after it has been created. A value of "
877 "zero (the default) indicates that there should be no "
878 "maximum kilobyte lifetime. A non-zero value specifies the "
879 "desired kilobyte lifetime."),
880 Units ("KiloBytes"),
881 MappingStrings { "IPSP Policy "
882 "Model.IETF|IKEProposal.MaxLifetimeKilobytes"},
883 tony 1.1 ModelCorrespondence {
884 "CIM_SecurityAssociationEndpoint.LifetimeKilobytes"} ]
885 uint64 MaxLifetimeKilobytes;
886
887 [Description (
888 "CipherAlgorithm is an enumeration that specifies the "
889 "proposed encryption algorithm. The list of algorithms was "
890 "generated from Appendix A of RFC2409. Note that the "
891 "enumeration is different than the RFC list and aligns with "
892 "the values in IKESAEndpoint.CipherAlgorithm."),
893 ValueMap {"1", "2", "3", "4", "5", "6", "7", "8..65000",
894 "65001..65535"},
895 Values {"Other", "DES", "IDEA", "Blowfish", "RC5", "3DES",
896 "CAST", "DMTF/IANA Reserved", "Vendor Reserved"},
897 MappingStrings { "IPSP Policy "
898 "Model.IETF|IKEProposal.CipherAlgorithm",
899 "RFC2409.IETF|Appendix A"},
900 ModelCorrespondence { "CIM_IKESAEndpoint.CipherAlgorithm",
901 "CIM_IKEProposal.OtherCipherAlgorithm"} ]
902 uint16 CipherAlgorithm;
903
904 tony 1.1 [Description (
905 "Description of the encryption algorithm when the value 1 "
906 "(\"Other\") is specified for the property, "
907 "CipherAlgorithm."),
908 ModelCorrespondence { "CIM_IKESAEndpoint.OtherCipherAlgorithm",
909 "CIM_IKEProposal.CipherAlgorithm"} ]
910 string OtherCipherAlgorithm;
911
912 [Description (
913 "HashAlgorithm is an enumeration that specifies the proposed "
914 "hash function. The list of algorithms was generated from "
915 "Appendix A of RFC2409. Note that the enumeration is "
916 "different than the RFC list and aligns with the values in "
917 "IKESAEndpoint.HashAlgorithm."),
918 ValueMap {"1", "2", "3", "4", "5..65000", "65001..65535"},
919 Values {"Other", "MD5", "SHA-1", "Tiger", "DMTF/IANA Reserved",
920 "Vendor Reserved"},
921 MappingStrings { "IPSP Policy "
922 "Model.IETF|IKEProposal.HashAlgorithm",
923 "RFC2409.IETF|Appendix A"},
924 ModelCorrespondence { "CIM_IKESAEndpoint.HashAlgorithm",
925 tony 1.1 "CIM_IKEProposal.OtherHashAlgorithm"} ]
926 uint16 HashAlgorithm;
927
928 [Description (
929 "Description of the hash function when the value 1 "
930 "(\"Other\") is specified for the property, HashAlgorithm."),
931 ModelCorrespondence { "CIM_IKESAEndpoint.OtherHashAlgorithm",
932 "CIM_IKEProposal.HashAlgorithm"} ]
933 string OtherHashAlgorithm;
934
935 [Description (
936 "AuthenticationMethod is an enumeration that specifies the "
937 "proposed authentication. The list of methods was generated "
938 "from Appendix A of RFC2409. Note that the enumeration is "
939 "different than the RFC list and aligns with the values in "
940 "IKESAEndpoint.AuthenticationMethod. There is one change to "
941 "the list - the value 65000 has special meaning. It is a "
942 "special value that indicates that this particular proposal "
943 "should be repeated once for each authentication method "
944 "corresponding to credentials installed on the machine. For "
945 "example, if the system has a pre-shared key and an "
946 tony 1.1 "public-key certificate, a proposal list would be "
947 "constructed which includes a proposal that specifies a "
948 "pre-shared key and a proposal for any of the public-key "
949 "certificates."),
950 ValueMap {"1", "2", "3", "4", "5", "6", "7..64999", "65000",
951 "65001..65535"},
952 Values {"Other", "Pre-shared Key", "DSS Signatures",
953 "RSA Signatures", "Encryption with RSA",
954 "Revised Encryption with RSA", "DMTF/IANA Reserved", "Any",
955 "Vendor Reserved"},
956 MappingStrings { "IPSP Policy "
957 "Model.IETF|IKEProposal.AuthenticationMethod",
958 "RFC2409.IETF|Appendix A"},
959 ModelCorrespondence { "CIM_IKESAEndpoint.AuthenticationMethod",
960 "CIM_IKEProposal.OtherAuthenticationMethod"} ]
961 uint16 AuthenticationMethod;
962
963 [Description (
964 "Description of the method when the value 1 (\"Other\") is "
965 "specified for the property, AuthenticationMethod."),
966 ModelCorrespondence {
967 tony 1.1 "CIM_IKESAEndpoint.OtherAuthenticationMethod",
968 "CIM_IKEProposal.AuthenticationMethod"} ]
969 string OtherAuthenticationMethod;
970
971 [Description (
972 "The property GroupId specifies the proposed phase 1 "
973 "security association key exchange group. This property is "
974 "ignored for all aggressive mode exchanges "
975 "(IKEAction.ExchangeMode = 4). If the GroupID number is "
976 "from the vendor-specific range (32768-65535), the property "
977 "VendorID qualifies the group number. Well-known group "
978 "identifiers from RFC2412, Appendix E, are: Group 1='768 bit "
979 "prime', Group 2='1024 bit prime', Group 3 ='Elliptic Curve "
980 "Group with 155 bit field element', Group 4= 'Large Elliptic "
981 "Curve Group with 185 bit field element', and Group 5='1536 "
982 "bit prime'."),
983 ValueMap {"0", "1", "2", "3", "4", "5", "..", "0x8000.."},
984 Values {"No Group/Non-Diffie-Hellman Exchange",
985 "DH-768 bit prime", "DH-1024 bit prime",
986 "EC2N-155 bit field element", "EC2N-185 bit field element",
987 "DH-1536 bit prime", "Standard Group - Reserved",
988 tony 1.1 "Vendor Reserved"},
989 MappingStrings { "IPSP Policy Model.IETF|IKEProposal.GroupID",
990 "RFC2412.IETF|Appendix E"},
991 ModelCorrespondence {"CIM_IKESAEndpoint.GroupID",
992 "CIM_IKEProposal.VendorID"} ]
993 uint16 GroupId;
994
995 [Description (
996 "VendorID identifies the vendor when the value of GroupID is "
997 "in the vendor-specific range, 32768 to 65535."),
998 ModelCorrespondence {"CIM_IKESAEndpoint.VendorID",
999 "CIM_IKEProposal.GroupId"} ]
1000 string VendorID;
1001 };
1002
1003
1004 // ==================================================================
1005 // IPsecProposal
1006 // ==================================================================
1007 [Experimental, Version ("2.7.1000"), Description (
1008 "The class IPsecProposal adds no new properties, but inherits "
1009 tony 1.1 "proposal properties from SAProposal as well as associating the "
1010 "security association transforms necessary for building an "
1011 "IPsec proposal (see the class ContainedTransform)."),
1012 MappingStrings {"IPSP Policy Model.IETF|IPsecProposal"} ]
1013 class CIM_IPsecProposal : CIM_SAProposal {
1014 };
1015
1016
1017 // ==================================================================
1018 // ContainedTransform
1019 // ==================================================================
1020 [Association, Experimental, Aggregation, Version ("2.7.1000"),
1021 Description (
1022 "ContainedTransform associates a proposal with a list of "
1023 "transforms. If multiple transforms of a given type are "
1024 "included in a proposal, these transforms are interpreted as "
1025 "alternatives -- i.e., logically ORed with each other. The "
1026 "order of preference is dictated by the SequenceNumber "
1027 "property. Sets of transforms of different types are logically "
1028 "ANDed. For example, a proposal based on two AH transforms and "
1029 "three ESP transforms means one of the AH AND one of the ESP "
1030 tony 1.1 "transforms MUST be chosen. Note that at least 1 transform "
1031 "MUST be aggregated into the proposal."),
1032 MappingStrings {"IPSP Policy Model.IETF|ContainedTransform"} ]
1033 class CIM_ContainedTransform : CIM_Component {
1034
1035 [Aggregate, Override ("GroupComponent"), Description (
1036 "The Proposal containing the transforms."),
1037 MappingStrings {"IPSP Policy Model.IETF|"
1038 "ContainedTransform.GroupComponent"} ]
1039 CIM_IPsecProposal REF GroupComponent;
1040
1041 [Override ("PartComponent"), Min (1), Description (
1042 "Transforms in the proposal."),
1043 MappingStrings {"IPSP Policy Model.IETF|"
1044 "ContainedTransform.PartComponent"} ]
1045 CIM_SATransform REF PartComponent;
1046
1047 [Description (
1048 "SequenceNumber indicates the order of preference for "
1049 "SATransforms of the same type. Lower-valued transforms are "
1050 "preferred over transforms of the same type with higher "
1051 tony 1.1 "values. For ContainedTransforms (of the same type) that "
1052 "reference the same IPsecProposal, SequenceNumber values "
1053 "MUST be unique."),
1054 MappingStrings {"IPSP Policy Model.IETF|"
1055 "ContainedTransform.SequenceNumber"} ]
1056 uint16 SequenceNumber;
1057 };
1058
1059
1060 // ===================================================================
1061 // end of file
1062 // ===================================================================
|