1 tony 1.1 // ===================================================================
2 // Title: Network IPsec 2.8 Preliminary
3 // Filename: Network28_IPsec.mof
4 // Version: 2.8
5 // Status: Preliminary
6 // Date: August 18, 2003
7 // ===================================================================
8 // Copyright 1998-2003 Distributed Management Task Force, Inc. (DMTF).
9 // All rights reserved.
10 // DMTF is a not-for-profit association of industry members dedicated
11 // to promoting enterprise and systems management and interoperability.
12 // DMTF specifications and documents may be reproduced for uses
13 // consistent with this purpose by members and non-members,
14 // provided that correct attribution is given.
15 // As DMTF specifications may be revised from time to time,
16 // the particular version and release date should always be noted.
17 //
18 // Implementation of certain elements of this standard or proposed
19 // standard may be subject to third party patent rights, including
20 // provisional patent rights (herein "patent rights"). DMTF makes
21 // no representations to users of the standard as to the existence
22 tony 1.1 // of such rights, and is not responsible to recognize, disclose, or
23 // identify any or all such third party patent right, owners or
24 // claimants, nor for any incomplete or inaccurate identification or
25 // disclosure of such rights, owners or claimants. DMTF shall have no
26 // liability to any party, in any manner or circumstance, under any
27 // legal theory whatsoever, for failure to recognize, disclose, or
28 // identify any such third party patent rights, or for such party's
29 // reliance on the standard or incorporation thereof in its product,
30 // protocols or testing procedures. DMTF shall have no liability to
31 // any party implementing such standard, whether such implementation
32 // is foreseeable or not, nor to any patent owner or claimant, and shall
33 // have no liability or responsibility for costs or losses incurred if
34 // a standard is withdrawn or modified after publication, and shall be
35 // indemnified and held harmless by any party implementing the
36 // standard from any and all claims of infringement by a patent owner
37 // for such implementations.
38 //
39 // For information about patents held by third-parties which have
40 // notified the DMTF that, in their opinion, such patent may relate to
41 // or impact implementations of DMTF standards, visit
42 // http://www.dmtf.org/about/policies/disclosures.php.
43 tony 1.1 // ===================================================================
44 // Description: The Network Model extends the management concepts to
45 // represent protocol interfaces and network/protocol
46 // services. This file defines the classes to manage
47 // an IPsec security association.
48 //
49 // The object classes below are listed in an order that
50 // avoids forward references. Required objects, defined
51 // by other working groups, are omitted.
52 // ==================================================================
53 // This model was originally introduced in CIM V2.6 Preliminary and
54 // was not promoted to Final status. The following CR updates the
55 // V2.6 MOF and better aligns it with the IETF I-D from the IPSP
56 // Working Group.
57 //
58 // Change log for 2.8
59 // CR1026 - Modifications to the V2.6 MOF for IPsec management
60 // ===================================================================
61
// Locale of the string-valued qualifiers (Description etc.) in this file.
#pragma Locale ("en_US")
63
64 tony 1.1
65 // ==================================================================
66 // Security Association Endpoints
67 // ==================================================================
68
69 // ==================================================================
70 // SecurityAssociationEndpoint
71 // ==================================================================
// ------------------------------------------------------------------
// CIM_SecurityAssociationEndpoint
// Base class for one end of a security association (SA). It carries
// only the SA's lifetime and rekey bounds; the IPsec/IKE subclasses
// add protocol state. No keying material is modelled in this class
// or in any of its subclasses in this file.
// ------------------------------------------------------------------
[Experimental, Version ("2.7.1000"), Description (
    "SecurityAssociationEndpoint (SAEndpoint) represents the "
    "endpoint of a secure connection. This is typically an IP "
    "connection, although the model allows more flexibility than "
    "just IP. The SecurityAssociationEndpoint is tied to an "
    "IPProtocolEndpoint (or possibly other endpoint) using the "
    "LogicalIdentity association. Note that an endpoint is defined "
    "at both ends of the connection.") ]
class CIM_SecurityAssociationEndpoint : CIM_ProtocolEndpoint {

    // Creation time of the SA. LifetimeSeconds counts from here
    // ("after it has been created").
    [Override ("InstallDate"), Description (
        "InstallDate records when the SA (and its endpoint) was "
        "created.") ]
    datetime InstallDate;

    // Note the asymmetry in the zero defaults: here 0 means "use the
    // 8 hour default", whereas for IdleDurationSeconds and
    // LifetimeKilobytes 0 means "no limit".
    [Description (
        "LifetimeSeconds specifies the maximum time that the SA will "
        "be considered valid after it has been created. A value of "
        "zero indicates that the default of 8 hours be used. A "
        "non-zero value indicates the seconds lifetime."),
        Units ("Seconds") ]
    uint64 LifetimeSeconds = 0;

    // Writable through the management interface: a client can move
    // the rekey point. Percentage of LifetimeSeconds.
    [Write, Description (
        "RefreshThresholdSecondsPercentage is the lifetime "
        "percentage after which a new SA should be acquired, before "
        "the existing SA expires. A random period may be added to a "
        "calculated threshold to reduce network thrashing."),
        Units ("Percent"), MinValue (0), MaxValue (100) ]
    uint8 RefreshThresholdSecondsPercentage;

    // 0 = no idle timeout.
    [Description (
        "IdleDurationSeconds specifies how long the SA can be idle "
        "before it is deleted. The default value, 0, indicates that "
        "there is no idle timeout period."),
        Units ("Seconds") ]
    uint64 IdleDurationSeconds = 0;

    // 0 = no byte-volume limit on the SA.
    [Description (
        "LifetimeKilobytes specifies the maximum number of kilobytes "
        "of data traffic to be protected by the SA. A value of zero "
        "(the default) indicates that there should be no maximum "
        "kilobyte lifetime. A non-zero value specifies the desired "
        "kilobyte lifetime. The SA is deleted when the "
        "LifetimeKilobyte value is exceeded."),
        Units ("KiloBytes") ]
    uint64 LifetimeKilobytes = 0;

    // Writable; percentage of LifetimeKilobytes.
    [Write, Description (
        "RefreshThresholdKbytesPercentage is the lifetime percentage "
        "of kilobytes processed, at which a new SA should be "
        "acquired. A random value may be added to the calculated "
        "threshold to reduce network thrashing."),
        Units ("Percent"), MinValue (0), MaxValue (100) ]
    uint8 RefreshThresholdKbytesPercentage;

    // Writable; enables per-SA traffic logging on the endpoint. The
    // schema does not say where the log is kept or what it records,
    // so confirm that against the implementation before relying on
    // it for audit purposes.
    [Write, Description (
        "PacketLoggingActive causes a log to be kept of traffic "
        "processed by the SAEndpoint.") ]
    boolean PacketLoggingActive;
};
133
134
135 // ==================================================================
136 // FilterOfSecurityAssociation
137 // ==================================================================
// ------------------------------------------------------------------
// CIM_FilterOfSecurityAssociation
// Ties the traffic selector (a FilterList) to the SA endpoint it
// governs. Max (1) on the Antecedent means each SA endpoint has at
// most one FilterList via this association.
// ------------------------------------------------------------------
[Association, Experimental, Version ("2.7.1000"), Description (
    "FilterOfSecurityAssociation associates a network traffic "
    "specification (i.e., a FilterList) with a SecurityAssociation "
    "Endpoint, to which the filter list applies.") ]
class CIM_FilterOfSecurityAssociation : CIM_Dependency {

    // The traffic selector.
    [Override ("Antecedent"), Max (1), Description (
        "FilterList describing the traffic to be selected/matched.") ]
    CIM_FilterList REF Antecedent;

    // The SA endpoint the selector applies to.
    [Override ("Dependent"), Description (
        "SecurityAssociation using the FilterList as its traffic "
        "selector.") ]
    CIM_SecurityAssociationEndpoint REF Dependent;
};
153
154
155 // ==================================================================
156 // SAEndpointConnectionStatistics
157 // ==================================================================
// ------------------------------------------------------------------
// CIM_SAEndpointConnectionStatistics
// Usage counters for an IPsec or IKE SA endpoint, reached from the
// endpoint through ElementStatisticalData.
// ------------------------------------------------------------------
[Experimental, Version ("2.7.1000"), Description (
    "This class captures statistical and time-related information "
    "about the use of the IPsec or IKE Security Associations, "
    "through their IPsecSAEndpoint or IKESAEndpoint. The relevant "
    "SAEndpoint is determined by traversing the "
    "ElementStatisticalData association.") ]
class CIM_SAEndpointConnectionStatistics : CIM_StatisticalData {

    // Monotonic counter (Counter qualifier) of bytes protected by the
    // SA; compare against the endpoint's LifetimeKilobytes to judge
    // how close the SA is to its volume limit.
    [Description (
        "Number of bytes that have been protected by the associated "
        "SAEndpoint."),
        Units ("Bytes"), Counter ]
    uint64 ByteCount;

    // Last use of the SA; relevant to the endpoint's
    // IdleDurationSeconds.
    [Description (
        "LastAccessed indicates when the SAEndpoint was last used. "
        "This property is helpful in determining if the SA (and its "
        "endpoint) will be deleted due to sitting idle.") ]
    datetime LastAccessed;
};
178
179
180 // ==================================================================
181 // SAEndpointRefreshSettings
182 // ==================================================================
// ------------------------------------------------------------------
// CIM_SAEndpointRefreshSettings
// Settings-style copy of the two writable rekey thresholds of
// CIM_SecurityAssociationEndpoint; each property names its
// counterpart via ModelCorrespondence.
// ------------------------------------------------------------------
[Experimental, Version ("2.7.1000"), Description (
    "SAEndpointRefreshSettings hold the refresh thresholds for the "
    "SecurityAssociationEndpoint. Since these settings may change "
    "for an SA, the properties are defined both in this class and "
    "in SecurityAssociationEndpoint.") ]
class CIM_SAEndpointRefreshSettings: CIM_SettingData {

    // Percentage of the SA's LifetimeSeconds at which to rekey.
    [Write, Description (
        "RefreshThresholdSecondsPercentage is the lifetime "
        "percentage after which a new SA should be acquired, before "
        "the existing SA expires."),
        Units ("Percent"), MinValue (0), MaxValue (100),
        ModelCorrespondence {"CIM_SecurityAssociationEndpoint."
        "RefreshThresholdSecondsPercentage"} ]
    uint8 RefreshThresholdSecondsPercentage;

    // Percentage of the SA's LifetimeKilobytes at which to rekey.
    [Write, Description (
        "RefreshThresholdKbytesPercentage is the lifetime percentage "
        "of kilobytes processed, at which a new SA should be "
        "acquired."),
        Units ("Percent"), MinValue (0), MaxValue (100),
        ModelCorrespondence {"CIM_SecurityAssociationEndpoint."
        "RefreshThresholdKbytesPercentage"} ]
    uint8 RefreshThresholdKbytesPercentage;
};
208
209
210 // ==================================================================
211 tony 1.1 // IPsecSAEndpoint
212 // ==================================================================
// ------------------------------------------------------------------
// CIM_IPsecSAEndpoint
// A phase 2 (AH/ESP/IPCOMP) SA endpoint. Its transform is attached
// via CIM_TransformOfSecurityAssociation and its phase 1 protector
// via CIM_Phase1SAUsedForPhase2.
// ------------------------------------------------------------------
[Experimental, Version ("2.7.1000"), Description (
    "IPsecSAEndpoints are types of SecurityAssociationEndpoints "
    "representing both negotiated and static SAs that correspond to "
    "AH, ESP, or IPCOMP transforms.") ]
class CIM_IPsecSAEndpoint : CIM_SecurityAssociationEndpoint {

    // uint32 matches the 32-bit SPI field carried in AH/ESP headers.
    [Description (
        "SPI contains the Security Parameter Index of the SA. This "
        "value in string form may also be used in the key field "
        "'Name' inherited from ServiceAccessPoint.") ]
    uint32 SPI;

    // An IPsec SA is unidirectional; TRUE = inbound, FALSE = outbound.
    [Description (
        "InboundDirection specifies whether the SA applies to "
        "inbound (TRUE) or outbound (FALSE) traffic.") ]
    boolean InboundDirection;

    // Value 1 is deliberately unassigned in this ValueMap.
    [Description (
        "EncapsulationMode indicates whether the IPsecSAEndpoint "
        "uses transport or tunnel encapsulation."),
        ValueMap {"0", "2", "3"},
        Values {"Unknown", "Tunnel", "Transport"} ]
    uint16 EncapsulationMode;

    // Only meaningful for tunnel mode, where an outer IP header exists;
    // value 1 is again unassigned.
    [Description (
        "DFHandling controls how the 'Don't Fragment' bit is managed "
        "by the IPsecSAEndpoint."),
        ValueMap {"0", "2", "3", "4"},
        Values {"Unknown", "Copy from Internal to External IP Header",
        "Set DF Bit in External Header to 1",
        "Set DF Bit in External Header to 0"} ]
    uint16 DFHandling;

    // Whether rekeys of this SA perform a fresh key exchange rather
    // than deriving new keys from existing phase 1 material.
    [Description (
        "PFSInUse indicates whether perfect forward secrecy is "
        "required when refreshing keys.") ]
    boolean PFSInUse;
};
251
252
253 tony 1.1 // ==================================================================
254 // PeerOfIPsecSAEndpoint
255 // ==================================================================
// ------------------------------------------------------------------
// CIM_PeerOfIPsecSAEndpoint
// Links an IPsec SA endpoint to the remote peer it is established
// with; at most one peer per endpoint (Max (1) on Antecedent).
// ------------------------------------------------------------------
[Association, Experimental, Version ("2.7.1000"), Description (
    "PeerOfIPsecSAEndpoint identifies the peer of the "
    "IPsecSAEndpoint.") ]
class CIM_PeerOfIPsecSAEndpoint : CIM_Dependency {

    // The remote side, modelled as a RemoteServiceAccessPoint.
    [Override ("Antecedent"), Max (1), Description (
        "The peer for the SAEndpoint.") ]
    CIM_RemoteServiceAccessPoint REF Antecedent;

    // The local SA endpoint.
    [Override ("Dependent"), Description (
        "The IPsecSAEndpoint which has a peer.") ]
    CIM_IPsecSAEndpoint REF Dependent;
};
269
270
271 // ==================================================================
272 // IKESAEndpoint
273 // ==================================================================
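// ------------------------------------------------------------------
// CIM_IKESAEndpoint
// The phase 1 (IKE) SA that protects negotiation of the phase 2
// IPsec SAs; linked to them by CIM_Phase1SAUsedForPhase2.
// The algorithm enumerations below are the RFC 2409 Appendix A lists
// as of this schema's date (2003); several entries (e.g. DES, MD5,
// the 768-bit group) are no longer considered adequate. This class
// reports what was negotiated and does not constrain it, so any
// "acceptable algorithm" check belongs in the consumer of the data.
// ------------------------------------------------------------------
[Experimental, Version ("2.7.1000"), Description (
    "IKESAEndpoint is created in the first phase of SA negotiation "
    "and protects the key negotiation traffic. This endpoint is "
    "only created when IKE is the key exchange protocol. Other "
    "protocols and their endpoints will be defined in a future "
    "release.") ]
class CIM_IKESAEndpoint : CIM_SecurityAssociationEndpoint {

    // uint64 matches the 8-octet ISAKMP cookies. The (Initiator,
    // Responder) pair identifies the phase 1 SA and may be used to
    // build the inherited 'Name' key.
    [Description (
        "Identifier of the IKE phase 1 negotiation initiator. "
        "Combined with the ResponderCookie, this value, in string "
        "form, may be used to construct the value of the key field "
        "'Name', inherited from ServiceAccessPoint.") ]
    uint64 InitiatorCookie;

    [Description (
        "Identifier of the IKE phase 1 negotiation responder. "
        "Combined with the InitiatorCookie, this value, in string "
        "form, may be used to construct the value of the key field "
        "'Name', inherited from ServiceAccessPoint.") ]
    uint64 ResponderCookie;

    // The CIM values are shifted relative to the RFC 2409 table
    // because 0/1 are reserved for Unknown/Other; do not compare the
    // raw integers to the RFC numbering.
    [Description (
        "CipherAlgorithm is an enumeration that specifies the "
        "encryption algorithm used by the IKESAEndpoint. The list "
        "of algorithms was generated from Appendix A of RFC2409. "
        "Note that the enumeration is different than the RFC list, "
        "since the values of Unknown and Other are taken into "
        "account."),
        ValueMap {"0", "1", "2", "3", "4", "5", "6", "7", "8..65000",
        "65001..65535"},
        Values {"Unknown", "Other", "DES", "IDEA", "Blowfish", "RC5",
        "3DES", "CAST", "DMTF/IANA Reserved", "Vendor Reserved"},
        MappingStrings {"RFC2409.IETF|Appendix A"},
        ModelCorrespondence { "CIM_IKESAEndpoint.OtherCipherAlgorithm"} ]
    uint16 CipherAlgorithm;

    // Free-text name; only meaningful when CipherAlgorithm == 1.
    [Description (
        "Description of the encryption algorithm when the value 1 "
        "(\"Other\") is specified for the property, "
        "CipherAlgorithm."),
        ModelCorrespondence {"CIM_IKESAEndpoint.CipherAlgorithm"} ]
    string OtherCipherAlgorithm;

    // Same Unknown/Other shift as CipherAlgorithm.
    [Description (
        "HashAlgorithm is an enumeration that specifies the hash "
        "function used by the IKESAEndpoint. The list of algorithms "
        "was generated from Appendix A of RFC2409. Note that the "
        "enumeration is different than the RFC list, since the "
        "values of Unknown and Other are taken into account."),
        ValueMap {"0", "1", "2", "3", "4", "5..65000", "65001..65535"},
        Values {"Unknown", "Other", "MD5", "SHA-1", "Tiger",
        "DMTF/IANA Reserved", "Vendor Reserved"},
        MappingStrings {"RFC2409.IETF|Appendix A"},
        ModelCorrespondence { "CIM_IKESAEndpoint.OtherHashAlgorithm"} ]
    uint16 HashAlgorithm;

    // Free-text name; only meaningful when HashAlgorithm == 1.
    [Description (
        "Description of the hash function when the value 1 "
        "(\"Other\") is specified for the property, HashAlgorithm."),
        ModelCorrespondence {"CIM_IKESAEndpoint.HashAlgorithm"} ]
    string OtherHashAlgorithm;

    // How the two peers authenticated each other in phase 1. The
    // original Description ("specifies the operation of the
    // IKESAEndpoint") did not say what the property is; corrected.
    // Same Unknown/Other shift as the other enumerations.
    [Description (
        "AuthenticationMethod is an enumeration that specifies the "
        "peer authentication method used by the IKESAEndpoint. The "
        "list of methods was generated from Appendix A of RFC2409. "
        "Note that the enumeration is different than the RFC list, "
        "since the values of Unknown and Other are taken into "
        "account."),
        ValueMap {"0", "1", "2", "3", "4", "5", "6", "7..65000",
        "65001..65535"},
        Values {"Unknown", "Other", "Pre-shared Key", "DSS Signatures",
        "RSA Signatures", "Encryption with RSA",
        "Revised Encryption with RSA", "DMTF/IANA Reserved",
        "Vendor Reserved"},
        MappingStrings {"RFC2409.IETF|Appendix A"},
        ModelCorrespondence {
        "CIM_IKESAEndpoint.OtherAuthenticationMethod"} ]
    uint16 AuthenticationMethod;

    // Free-text name; only meaningful when AuthenticationMethod == 1.
    [Description (
        "Description of the method when the value 1 (\"Other\") is "
        "specified for the property, AuthenticationMethod."),
        ModelCorrespondence { "CIM_IKESAEndpoint.AuthenticationMethod"} ]
    string OtherAuthenticationMethod;

    // Unlike the enumerations above, GroupId values 1..5 coincide with
    // the RFC 2412 well-known group numbers (0 = no DH exchange).
    // 0x8000.. is the vendor range; VendorID then qualifies the
    // number. Description text now uses the property's spelling
    // "GroupId" consistently.
    [Description (
        "GroupId specifies the key exchange group ID. If the "
        "GroupId number is from the vendor-specific range "
        "(32768-65535), the VendorID qualifies the group number. "
        "Well-known group identifiers from RFC2412, Appendix E, are: "
        "Group 1='768 bit prime', Group 2='1024 bit prime', Group 3= "
        "'Elliptic Curve Group with 155 bit field element', Group 4= "
        "'Large Elliptic Curve Group with 185 bit field element', "
        "and Group 5='1536 bit prime'."),
        ValueMap {"0", "1", "2", "3", "4", "5", "..", "0x8000.."},
        Values {"No Group/Non-Diffie-Hellman Exchange",
        "DH-768 bit prime", "DH-1024 bit prime",
        "EC2N-155 bit field element", "EC2N-185 bit field element",
        "DH-1536 bit prime", "Standard Group - Reserved",
        "Vendor Reserved"},
        MappingStrings {"RFC2412.IETF|Appendix E"},
        ModelCorrespondence {"CIM_IKESAEndpoint.VendorID"} ]
    uint16 GroupId;

    // Only meaningful when GroupId is in the vendor range.
    [Description (
        "VendorID identifies the vendor when the value of GroupId is "
        "in the vendor-specific range, 32768 to 65535."),
        ModelCorrespondence {"CIM_IKESAEndpoint.GroupId"} ]
    string VendorID;
};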
385
386
387 // ==================================================================
388 // Phase1SAUsedForPhase2
389 // ==================================================================
// ------------------------------------------------------------------
// CIM_Phase1SAUsedForPhase2
// Records which phase 1 SA protected the negotiation of a given
// phase 2 (IPsec) SA; at most one phase 1 SA per phase 2 SA
// (Max (1) on Antecedent). The Antecedent is typed as the base
// SecurityAssociationEndpoint so that non-IKE phase 1 protocols can
// be added later (see the IKESAEndpoint Description).
// ------------------------------------------------------------------
[Association, Experimental, Version ("2.7.1000"), Description (
    "Phase1SAUsedForPhase2 associates a phase 1 endpoint (such as "
    "an IKESAEndpoint) with an IPsecSAEndpoint that was negotiated "
    "using that phase 1 Security Association.") ]
class CIM_Phase1SAUsedForPhase2 : CIM_Dependency {

    // The protecting phase 1 SA (e.g. an IKESAEndpoint).
    [Override ("Antecedent"), Max (1), Description (
        "Phase 1 SAEndpoint that protected the negotiation of the "
        "phase 2 Security Association. An example of a phase 1 "
        "endpoint is an IKESAEndpoint.") ]
    CIM_SecurityAssociationEndpoint REF Antecedent;

    // The negotiated phase 2 SA.
    [Override ("Dependent"), Description (
        "The phase 2 SAEndpoint.") ]
    CIM_IPsecSAEndpoint REF Dependent;
};
406
407
408 // ==================================================================
409 // Security Association Transforms
410 // ==================================================================
411
412 // ==================================================================
413 // SATransform
414 // ==================================================================
// ------------------------------------------------------------------
// CIM_SATransform (Abstract)
// Common lifetime and vendor properties for AH/ESP/IPCOMP transforms.
// Instances are scoped to a System, not to an SA endpoint, because
// the same transform is used in negotiation policy before any SA
// exists; the SA <-> transform link is CIM_TransformOfSecurityAssociation.
// ------------------------------------------------------------------
[Experimental, Abstract, Version ("2.7.1000"), Description (
    "SATransform is the base class for the various types of "
    "transforms that are in effect for an existing IPsecSAEndpoint, "
    "or aggregated into phase 2 proposals used during the IPsec "
    "negotiation process. This class is defined as a kind of "
    "ScopedSettingData, since it describes the set of transform "
    "properties that MUST be applied together, if negotiated. This "
    "subclassing is different than that defined in IETF's IPSP "
    "Policy draft - where it is subclassed from Policy. The "
    "definition as SettingData is more consistent with the "
    "application of the properties as a set, to the negotiated "
    "Security Association.\n"
    "\n"
    "Note that an instance of this class is 'scoped' or contained "
    "by a System (either a ComputerSystem or AdminDomain), rather "
    "than by a SecurityAssociationEndpoint. This is indicated by "
    "instantiating the ScopedSetting association, and is necessary "
    "since the transform data is used in IPsec negotiation policies "
    "(also scoped by Systems) before ever being associated with a "
    "SecurityAssociationEndpoint. The latter semantics (i.e., that "
    "'this' transform is negotiated for 'this' Security "
    "Association) is conveyed via a subclass of ElementSettingData, "
    "TransformOfSecurityAssociation."),
    MappingStrings {"IPSP Model.IETF|SATransform"} ]
class CIM_SATransform : CIM_ScopedSettingData {

    // Maps to the IETF IPSP model's CommonName.
    [Override ("ElementName"),
        MappingStrings {"IPSP Model.IETF|SATransform.CommonName"} ]
    string ElementName;

    // 0 = 8 hour default, mirroring
    // CIM_SecurityAssociationEndpoint.LifetimeSeconds.
    [Description (
        "MaxLifetimeSeconds specifies the maximum time that the "
        "Security Association should be considered valid after it "
        "has been created. A value of 0, the default, indicates "
        "that 8 hours should be used. A non-zero value indicates "
        "the maximum lifetime in seconds."),
        Units ("Seconds"),
        MappingStrings { "IPSP "
        "Model.IETF|SATransform.MaxLifetimeSeconds"} ]
    uint64 MaxLifetimeSeconds = 0;

    // 0 = no volume limit. The Description ties the appropriate
    // limit to cipher strength.
    [Description (
        "MaxLifetimeKilobytes specifies the maximum kilobyte "
        "lifetime for a Security Association. Different lifetimes "
        "are used, depending on the strength of the encryption "
        "algorithm. A value of 0, the default, indicates that no "
        "maximum should be defined. A non-zero value specifies the "
        "desired kilobyte lifetime."),
        Units ("KiloBytes"),
        MappingStrings { "IPSP "
        "Model.IETF|SATransform.MaxLifetimeKilobytes"} ]
    uint64 MaxLifetimeKilobytes = 0;

    // Empty string (the default) marks a standard transform; a
    // non-empty value marks a vendor-defined one.
    [Description (
        "VendorID identifies vendor-defined transforms. If this "
        "field is empty (the default), then this is a standard "
        "transform."),
        MappingStrings {"IPSP Model.IETF|SATransform.VendorID"} ]
    string VendorID = "";
};
475
476
477 // ==================================================================
478 // TransformOfSecurityAssociation
479 // ==================================================================
// ------------------------------------------------------------------
// CIM_TransformOfSecurityAssociation
// Binds an IPsec SA endpoint to the one transform it runs
// (Min (1), Max (1) on SettingData). As the Description says, the
// association exposes algorithm parameters only, never key material;
// none of the transform classes in this file carry keys either.
// ------------------------------------------------------------------
[Association, Experimental, Version ("2.7.1000"), Description (
    "TransformOfSecurityAssociation maps a SecurityAssociation "
    "Endpoint with the transform that it uses. For security, no "
    "keying material of the SA is exposed.") ]
class CIM_TransformOfSecurityAssociation : CIM_ElementSettingData {

    // Exactly one transform per SA endpoint.
    [Override ("SettingData"), Min (1), Max (1), Description (
        "Transform of the IPsecSAEndpoint.") ]
    CIM_SATransform REF SettingData;

    // The SA endpoint using the transform.
    [Override ("ManagedElement"), Description (
        "The IPsecSAEndpoint that uses the transform.") ]
    CIM_IPsecSAEndpoint REF ManagedElement;
};
494
495
496 // ==================================================================
497 // AHTransform
498 // ==================================================================
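// ------------------------------------------------------------------
// CIM_AHTransform
// Parameters of a phase 2 AH (integrity-only) SA. The algorithm
// list is the RFC 2407 Section 4.4.3 table of 2003; MD5 and DES-based
// MACs are no longer considered adequate, and the class reports
// rather than restricts the negotiated choice.
// Fixes relative to the previous revision: AHTransformId's
// ModelCorrespondence referenced a non-existent property
// "OtherTransformId" (the property is OtherAHTransformId), and the
// ReplayPreventionWindowSize Description misspelled the property
// name as "ReplayPreventionWindowsSize".
// ------------------------------------------------------------------
[Experimental, Version ("2.7.1000"), Description (
    "AHTransform defines the parameters used for a phase 2 AH "
    "(Authentication Header) Security Association."),
    MappingStrings {"IPSP Model.IETF|AHTransform"} ]
class CIM_AHTransform : CIM_SATransform {

    // Value 1 (Other) is a CIM addition; 2..4 follow RFC 2407.
    [Description (
        "AHTransformId is an enumeration that specifies the hash "
        "algorithm to be used. The list of values was generated "
        "from RFC2407, Section 4.4.3."),
        ValueMap {"1", "2", "3", "4"},
        Values {"Other", "MD5", "SHA-1", "DES"},
        MappingStrings { "IPSP Model.IETF|AHTransform.AHTransformID",
        "RFC2407.IETF|Section 4.4.3"},
        ModelCorrespondence {"CIM_AHTransform.OtherAHTransformId"} ]
    uint16 AHTransformId;

    // Free-text name; only meaningful when AHTransformId == 1.
    [Description (
        "Description of the hash algorithm when the value 1 "
        "(\"Other\") is specified for the property, AHTransformId."),
        ModelCorrespondence {"CIM_AHTransform.AHTransformId"} ]
    string OtherAHTransformId;

    // Anti-replay via the AH sequence number. When false,
    // ReplayPreventionWindowSize is meaningless.
    [Description (
        "UseReplayPrevention causes the local peer to enable replay "
        "prevention detection. This can be accomplished by using a "
        "sequence number when sending a packet or checking the "
        "sequence number upon receipt of a packet."),
        MappingStrings { "IPSP "
        "Model.IETF|AHTransform.UseReplayPrevention"} ]
    boolean UseReplayPrevention;

    // Sliding anti-replay window, in bits; MUST be a power of 2.
    [Description (
        "ReplayPreventionWindowSize specifies, in bits, the length "
        "of the sliding window used by the replay prevention "
        "mechanism. The value of this property is meaningless if "
        "UseReplayPrevention is false. The window size MUST be a "
        "power of 2."),
        Units ("Bits"),
        MappingStrings { "IPSP "
        "Model.IETF|AHTransform.ReplayPreventionWindowSize"} ]
    uint32 ReplayPreventionWindowSize;
};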
542
543
544 // ==================================================================
545 // ESPTransform
546 // ==================================================================
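// ------------------------------------------------------------------
// CIM_ESPTransform
// Parameters of a phase 2 ESP SA: an integrity algorithm (which may
// be None) and a cipher (which may be None/NULL), plus key size and
// anti-replay settings. The algorithm lists are the RFC 2407 tables
// of 2003; DES, MD5 and RC4 among others are no longer considered
// adequate, and an ESP SA with both IntegrityTransformId == 2 (None)
// and a real cipher is unauthenticated encryption. The class reports
// rather than restricts the negotiated choice.
// Fixes relative to the previous revision: ESP expands to
// "Encapsulating Security Payload", not "Protocol"; "encrypion" was
// misspelled; and the ReplayPreventionWindowSize Description
// misspelled the property name as "ReplayPreventionWindowsSize".
// ------------------------------------------------------------------
[Experimental, Version ("2.7.1000"), Description (
    "ESPTransform defines the parameters used for a phase 2 ESP "
    "(Encapsulating Security Payload) Security Association."),
    MappingStrings {"IPSP Model.IETF|ESPTransform"} ]
class CIM_ESPTransform : CIM_SATransform {

    // Values 1 (Other) and 2 (None) are CIM additions; the RFC 2407
    // identifiers are shifted accordingly.
    [Description (
        "IntegrityTransformId is an enumeration that specifies the "
        "ESP integrity algorithm to be used. The list of values is "
        "generated from the enumeration defined in RFC2407, Section "
        "4.5. Note that the enumeration is different than the RFC "
        "list, since the values of Other and None are taken into "
        "account. Also, note that 2 (\"None\") is used when ESP is "
        "negotiated without authentication."),
        ValueMap {"1", "2", "3", "4", "5", "6", "7..61439",
        "61440..65535"},
        Values {"Other", "None", "MD5", "SHA-1", "DES", "KPDK",
        "DMTF/IANA Reserved", "Vendor Reserved"},
        MappingStrings { "IPSP Model."
        "IETF|ESPTransform.IntegrityTransformId",
        "RFC2407.IETF|Section 4.5"},
        ModelCorrespondence {
        "CIM_ESPTransform.OtherIntegrityTransformId"} ]
    uint16 IntegrityTransformId;

    // Free-text name; only meaningful when IntegrityTransformId == 1.
    [Description (
        "Description of the integrity algorithm when the value 1 "
        "(\"Other\") is specified for the property, "
        "IntegrityTransformId."),
        ModelCorrespondence {"CIM_ESPTransform.IntegrityTransformId"} ]
    string OtherIntegrityTransformId;

    // Value 1 (Other) is a CIM addition and 2 (None) is the RFC's
    // ESP_NULL; the remaining RFC identifiers are shifted.
    [Description (
        "CipherTransformId is an enumeration that specifies the ESP "
        "encryption algorithm to be used. The list of values is "
        "defined in RFC2407, Section 4.4.4, where the RFC's NULL "
        "value maps to 2-\"None\". Note that the enumeration is "
        "different than the RFC list, since 'Other' is added to the "
        "enumeration."),
        ValueMap {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10",
        "11", "12"},
        Values {"Other", "None", "DES_IV64", "DES", "3DES", "RC5",
        "IDEA", "CAST", "Blowfish", "3-IDEA", "DES_IV32", "RC4"},
        MappingStrings { "IPSP "
        "Model.IETF|ESPTransform.CipherTransformId",
        "RFC2407.IETF|Section 4.4.4"},
        ModelCorrespondence { "CIM_ESPTransform.OtherCipherTransformId"} ]
    uint16 CipherTransformId;

    // Free-text name; only meaningful when CipherTransformId == 1.
    [Description (
        "Description of the encryption algorithm when the value 1 "
        "(\"Other\") is specified for the property, "
        "CipherTransformId."),
        ModelCorrespondence {"CIM_ESPTransform.CipherTransformId"} ]
    string OtherCipherTransformId;

    // Only relevant for variable-key-length ciphers in the list above.
    [Description (
        "CipherKeyLength specifies, in bits, the key length for the "
        "encryption algorithm. For algorithms with fixed key "
        "lengths, this value is ignored."),
        Units ("Bits"),
        MappingStrings { "IPSP Model.IETF|ESPTransform.CipherKeyLength"} ]
    uint16 CipherKeyLength;

    // Per the Description, no listed ESP cipher defines key rounds,
    // so this is effectively always ignored.
    [Description (
        "CipherKeyRounds specifies the key rounds for the encryption "
        "algorithm. For algorithms with a fixed number of key "
        "rounds, this value is ignored. Currently, key rounds are "
        "NOT defined for any ESP encryption algorithms."),
        MappingStrings { "IPSP Model.IETF|ESPTransform.CipherKeyRounds"} ]
    uint16 CipherKeyRounds;

    // Anti-replay via the ESP sequence number. When false,
    // ReplayPreventionWindowSize is meaningless.
    [Description (
        "UseReplayPrevention causes the local peer to enable replay "
        "prevention detection. This can be accomplished by using a "
        "sequence number when sending a packet or checking the "
        "sequence number upon receipt of a packet."),
        MappingStrings { "IPSP "
        "Model.IETF|ESPTransform.UseReplayPrevention"} ]
    boolean UseReplayPrevention;

    // Sliding anti-replay window, in bits; MUST be a power of 2.
    [Description (
        "ReplayPreventionWindowSize specifies, in bits, the length "
        "of the sliding window used by the replay prevention "
        "mechanism. The value of this property is meaningless if "
        "UseReplayPrevention is false. The window size MUST be a "
        "power of 2."),
        Units ("Bits"),
        MappingStrings { "IPSP "
        "Model.IETF|ESPTransform.ReplayPreventionWindowSize"} ]
    uint32 ReplayPreventionWindowSize;
};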
639
640
641 // ==================================================================
642 // IPCOMPTransform
643 // ==================================================================
// ------------------------------------------------------------------
// CIM_IPCOMPTransform
// Parameters of an IP payload compression (IPCOMP) transform.
// Compression offers no confidentiality or integrity on its own; it
// is modelled as a transform alongside AH/ESP only because the
// IPsec negotiation treats it as one.
// ------------------------------------------------------------------
[Experimental, Version ("2.7.1000"), Description (
    "The IPCOMPTransform specifies the IP compression algorithm to "
    "use for payload of the Security Association."),
    MappingStrings {"IPSP Model.IETF|IPCOMPTransform"} ]
class CIM_IPCOMPTransform : CIM_SATransform {

    // Value 1 (Other) is a CIM addition; 2..4 are the RFC 2407 OUI,
    // DEFLATE and LZS identifiers shifted by one. Two correspondences:
    // 1 -> OtherAlgorithm, 2 -> PrivateAlgorithm.
    [Description (
        "The Algorithm is an enumeration that designates the IPCOMP "
        "compression algorithm to use. Its values are generated "
        "from RFC2407, Section 4.4.5. Note that the values are "
        "modified from the RFC, since 'Other' must be taken into "
        "account."),
        ValueMap {"1", "2", "3", "4"},
        Values {"Other", "Vendor Algorithm/OUI", "DEFLATE", "LZS"},
        MappingStrings {"IPSP Model.IETF|IPCOMPTransform.Algorithm",
        "RFC2407.IETF|Section 4.4.5"},
        ModelCorrespondence {"CIM_IPCOMPTransform.PrivateAlgorithm",
        "CIM_IPCOMPTransform.OtherAlgorithm"} ]
    uint16 Algorithm;

    // Free-text name; only meaningful when Algorithm == 1.
    [Description (
        "Description of the compression algorithm when the value 1 "
        "(\"Other\") is specified for the property, Algorithm."),
        ModelCorrespondence {"CIM_IPCOMPTransform.Algorithm"} ]
    string OtherAlgorithm;

    // Numeric vendor algorithm id; only meaningful when Algorithm == 2.
    [Description (
        "A private compression algorithm, used when the Algorithm "
        "property is set to 2, \"Vendor Algorithm/OUI\"."),
        MappingStrings { "IPSP "
        "Model.IETF|IPCOMPTransform.PrivateAlgorithm"},
        ModelCorrespondence {"CIM_IPCOMPTransform.Algorithm"} ]
    uint32 PrivateAlgorithm;

    // log2 of the maximum dictionary size; ignored for fixed-size
    // dictionaries.
    [Description (
        "DictionarySize is an optional field that specifies the log2 "
        "maximum size of the dictionary for the compression "
        "algorithm. For dictionaries that have a fixed size, this "
        "value is ignored."),
        MappingStrings { "IPSP "
        "Model.IETF|IPCOMPTransform.DictionarySize"} ]
    uint16 DictionarySize;
};
687
688
689 // ===================================================================
690 // end of file
691 // ===================================================================