
  1 karl  1.1 // ===================================================================
  2           // Title:  Network IPSec
  3           // $State: Preliminary $
  4           // $Date: 2004/06/28 18:01:03 $
  5           // $Source: /home/dmtf2/dotorg/var/cvs/repositories/dev/Schema/MOF/Network_IPsec.mof,v $
  6           // $Revision: 1.4 $
  7           // ===================================================================
  8           //#pragma inLine ("Includes/copyright.inc")
  9           // Copyright 1998-2004 Distributed Management Task Force, Inc. (DMTF).
 10           // All rights reserved.
 11           // DMTF is a not-for-profit association of industry members dedicated
 12           // to promoting enterprise and systems management and interoperability.
 13           // DMTF specifications and documents may be reproduced for uses
 14           // consistent with this purpose by members and non-members,
 15           // provided that correct attribution is given.
 16           // As DMTF specifications may be revised from time to time,
 17           // the particular version and release date should always be noted.
 18           // 
 19           // Implementation of certain elements of this standard or proposed
 20           // standard may be subject to third party patent rights, including
 21           // provisional patent rights (herein "patent rights"). DMTF makes
 22 karl  1.1 // no representations to users of the standard as to the existence
 23           // of such rights, and is not responsible to recognize, disclose, or
 24           // identify any or all such third party patent right, owners or
 25           // claimants, nor for any incomplete or inaccurate identification or
 26           // disclosure of such rights, owners or claimants. DMTF shall have no
 27           // liability to any party, in any manner or circumstance, under any
 28           // legal theory whatsoever, for failure to recognize, disclose, or
 29           // identify any such third party patent rights, or for such party's
 30           // reliance on the standard or incorporation thereof in its product,
 31           // protocols or testing procedures. DMTF shall have no liability to
 32           // any party implementing such standard, whether such implementation
 33           // is foreseeable or not, nor to any patent owner or claimant, and shall
 34           // have no liability or responsibility for costs or losses incurred if
 35           // a standard is withdrawn or modified after publication, and shall be
 36           // indemnified and held harmless by any party implementing the
 37           // standard from any and all claims of infringement by a patent owner
 38           // for such implementations.
 39           // 
 40           // For information about patents held by third-parties which have
 41           // notified the DMTF that, in their opinion, such patent may relate to
 42           // or impact implementations of DMTF standards, visit
 43 karl  1.1 // http://www.dmtf.org/about/policies/disclosures.php.
 44           //#pragma inLine
 45           // ===================================================================
 46           // Description: The Network Model extends the management concepts to
 47           //              represent protocol interfaces and network/protocol
 48           //              services.  This file defines the classes to manage
 49           //              an IPsec security association.
 50           // 
 51           //              The object classes below are listed in an order that
 52           //              avoids forward references. Required objects, defined
 53           //              by other working groups, are omitted.
 54           // ==================================================================
 55           // This model was originally introduced in CIM V2.6 Preliminary and
 56           // was not promoted to Final status.  The following CR updates the
 57           // V2.6 MOF and better aligns it with the IETF I-D from the IPSP
 58           // Working Group.
 59           // CR1026 - Modifications to the V2.6 MOF for IPsec management
 60           // Change Log CIM V2.8
 61           // CR1194 - Promote all classes to final
 62           // CR1238 - Fix model correspondence reference problems in final version
 63           // 
 64 karl  1.1 // Change Log for V2.9
 65           // No changes
 66           // ===================================================================
 67           
 68           #pragma Locale ("en_US")
 69           
 70           
 71           // ==================================================================
 72           // Security Association Endpoints
 73           // ==================================================================
 74           
 75           // ==================================================================
 76           // SecurityAssociationEndpoint
 77           // ==================================================================
              // Common base class for SA endpoints; CIM_IPsecSAEndpoint and
              // CIM_IKESAEndpoint in this file derive from it.
              // Zero is overloaded across the limit properties: LifetimeSeconds = 0
              // selects the 8-hour default, whereas IdleDurationSeconds = 0 and
              // LifetimeKilobytes = 0 mean that no limit applies. A consumer must
              // not read 0 uniformly as "unlimited".
              // Only the two RefreshThreshold* percentages and PacketLoggingActive
              // carry the Write qualifier.
 78              [Version ( "2.8.0" ), Description (
 79                  "SecurityAssociationEndpoint (SAEndpoint) represents the "
 80                  "endpoint of a secure connection. This is typically an IP "
 81                  "connection, although the model allows more flexibility than "
 82                  "just IP. The SecurityAssociationEndpoint is tied to an "
 83                  "IPProtocolEndpoint (or possibly other endpoint) using the "
 84                  "LogicalIdentity association. Note that an endpoint is defined "
 85 karl  1.1        "at both ends of the connection.")]
 86           class CIM_SecurityAssociationEndpoint : CIM_ProtocolEndpoint {
 87           
 88                 [Override ( "InstallDate" ), Description (
 89                     "InstallDate records when the SA (and its endpoint) was "
 90                     "created.")]
 91              datetime InstallDate;
 92           
 93                 [Description (
 94                     "LifetimeSeconds specifies the maximum time that the SA will "
 95                     "be considered valid after it has been created. A value of "
 96                     "zero indicates that the default of 8 hours be used. A "
 97                     "non-zero value indicates the seconds lifetime."), 
 98                  Units ( "Seconds" )]
 99              uint64 LifetimeSeconds = 0;
100           
                    // No default is declared for this percentage, and the 0..100
                    // bound is expressed through MinValue/MaxValue.
101                 [Write, Description (
102                     "RefreshThresholdSecondsPercentage is the lifetime "
103                     "percentage after which a new SA should be acquired, before "
104                     "the existing SA expires. A random period may be added to a "
105                     "calculated threshold to reduce network thrashing."), 
106 karl  1.1        Units ( "Percent" ), MinValue ( 0 ), MaxValue ( 100 )]
107              uint8 RefreshThresholdSecondsPercentage;
108           
109                 [Description (
110                     "IdleDurationSeconds specifies how long the SA can be idle "
111                     "before it is deleted. The default value, 0, indicates that "
112                     "there is no idle timeout period."), 
113                  Units ( "Seconds" )]
114              uint64 IdleDurationSeconds = 0;
115           
                    // NOTE(review): the Description below ends with "LifetimeKilobyte"
                    // (singular); the declared property is LifetimeKilobytes.
116                 [Description (
117                     "LifetimeKilobytes specifies the maximum number of kilobytes "
118                     "of data traffic to be protected by the SA. A value of zero "
119                     "(the default) indicates that there should be no maximum "
120                     "kilobyte lifetime. A non-zero value specifies the desired "
121                     "kilobyte lifetime. The SA is deleted when the "
122                     "LifetimeKilobyte value is exceeded."), 
123                  Units ( "KiloBytes" )]
124              uint64 LifetimeKilobytes = 0;
125           
126                 [Write, Description (
127 karl  1.1           "RefreshThresholdKbytesPercentage is the lifetime percentage "
128                     "of kilobytes processed, at which a new SA should be "
129                     "acquired. A random value may be added to the calculated "
130                     "threshold to reduce network thrashing."), 
131                  Units ( "Percent" ), MinValue ( 0 ), MaxValue ( 100 )]
132              uint8 RefreshThresholdKbytesPercentage;
133           
                    // NOTE(review): this writable flag switches traffic logging for the
                    // SA on or off. The text does not say what the log records or
                    // where it goes, so a provider should presumably restrict who may
                    // set it - confirm against the implementation.
134                 [Write, Description (
135                     "PacketLoggingActive causes a log to be kept of traffic "
136                     "processed by the SAEndpoint.")]
137              boolean PacketLoggingActive;
138           };
139           
140           
141           // ==================================================================
142           // FilterOfSecurityAssociation
143           // ==================================================================
              // Association that ties a CIM_FilterList (Antecedent) to the
              // CIM_SecurityAssociationEndpoint (Dependent) whose traffic it
              // selects. Max ( 1 ) is declared on the Antecedent reference only;
              // the Dependent reference carries no cardinality qualifier.
144              [Association, Version ( "2.8.0" ), Description (
145                  "FilterOfSecurityAssociation associates a network traffic "
146                  "specification (i.e., a FilterList) with a SecurityAssociation "
147                  "Endpoint, to which the filter list applies.")]
148 karl  1.1 class CIM_FilterOfSecurityAssociation : CIM_Dependency {
149           
150                 [Override ( "Antecedent" ), Max ( 1 ), Description (
151                     "FilterList describing the traffic to be selected/matched.")]
152              CIM_FilterList REF Antecedent;
153           
154                 [Override ( "Dependent" ), Description (
155                     "SecurityAssociation using the FilterList as its traffic "
156                     "selector.")]
157              CIM_SecurityAssociationEndpoint REF Dependent;
158           };
159           
160           
161           // ==================================================================
162           // SAEndpointConnectionStatistics
163           // ==================================================================
              // Usage statistics for an IPsec or IKE SA endpoint: a byte counter and
              // a last-used timestamp. The owning endpoint is found through the
              // ElementStatisticalData association, which is not defined in this
              // file.
              // NOTE(review): ByteCount is in bytes, while LifetimeKilobytes on
              // CIM_SecurityAssociationEndpoint is in kilobytes; convert before
              // comparing usage against the volume lifetime.
164              [Version ( "2.8.0" ), Description (
165                  "This class captures statistical and time-related information "
166                  "about the use of the IPsec or IKE Security Associations, "
167                  "through their IPsecSAEndpoint or IKESAEndpoint. The relevant "
168                  "SAEndpoint is determined by traversing the "
169 karl  1.1        "ElementStatisticalData association.")]
170           class CIM_SAEndpointConnectionStatistics : CIM_StatisticalData {
171           
172                 [Description (
173                     "Number of bytes that have been protected by the associated "
174                     "SAEndpoint."), 
175                  Units ( "Bytes" ), Counter]
176              uint64 ByteCount;
177           
                    // Pairs with IdleDurationSeconds on the endpoint: the Description
                    // names idle deletion as the reason to track this timestamp.
178                 [Description (
179                     "LastAccessed indicates when the SAEndpoint was last used. "
180                     "This property is helpful in determining if the SA (and its "
181                     "endpoint) will be deleted due to sitting idle.")]
182              datetime LastAccessed;
183           };
184           
185           
186           // ==================================================================
187           // SAEndpointRefreshSettings
188           // ==================================================================
              // SettingData copy of the two refresh thresholds. Each property is
              // linked by ModelCorrespondence to the same-named property on
              // CIM_SecurityAssociationEndpoint, and both are writable percentages
              // bounded to 0..100 by MinValue/MaxValue.
              // The Descriptions here omit the "random period/value may be added"
              // sentence that the endpoint class carries for the same properties.
189              [Version ( "2.8.0" ), Description (
190 karl  1.1        "SAEndpointRefreshSettings hold the refresh thresholds for the "
191                  "SecurityAssociationEndpoint. Since these settings may change "
192                  "for an SA, the properties are defined both in this class and "
193                  "in SecurityAssociationEndpoint.")]
194           class CIM_SAEndpointRefreshSettings : CIM_SettingData {
195           
196                 [Write, Description (
197                     "RefreshThresholdSecondsPercentage is the lifetime "
198                     "percentage after which a new SA should be acquired, before "
199                     "the existing SA expires."), 
200                  Units ( "Percent" ), MinValue ( 0 ), MaxValue ( 100 ), 
201                  ModelCorrespondence { "CIM_SecurityAssociationEndpoint." 
202                     "RefreshThresholdSecondsPercentage" }]
203              uint8 RefreshThresholdSecondsPercentage;
204           
205                 [Write, Description (
206                     "RefreshThresholdKbytesPercentage is the lifetime percentage "
207                     "of kilobytes processed, at which a new SA should be "
208                     "acquired."), 
209                  Units ( "Percent" ), MinValue ( 0 ), MaxValue ( 100 ), 
210                  ModelCorrespondence { "CIM_SecurityAssociationEndpoint." 
211 karl  1.1           "RefreshThresholdKbytesPercentage" }]
212              uint8 RefreshThresholdKbytesPercentage;
213           };
214           
215           
216           // ==================================================================
217           // IPsecSAEndpoint
218           // ==================================================================
              // Endpoint of an AH, ESP or IPCOMP SA, negotiated or static. Adds the
              // SPI, traffic direction, encapsulation mode, DF-bit handling and a
              // PFS flag to the inherited CIM_SecurityAssociationEndpoint
              // properties. None of the properties declared here is writable.
219              [Version ( "2.8.0" ), Description (
220                  "IPsecSAEndpoints are types of SecurityAssociationEndpoints "
221                  "representing both negotiated and static SAs that correspond to "
222                  "AH, ESP, or IPCOMP transforms.")]
223           class CIM_IPsecSAEndpoint : CIM_SecurityAssociationEndpoint {
224           
225                 [Description (
226                     "SPI contains the Security Parameter Index of the SA. This "
227                     "value in string form may also be used in the key field "
228                     "'Name' inherited from ServiceAccessPoint.")]
229              uint32 SPI;
230           
231                 [Description (
232 karl  1.1           "InboundDirection specifies whether the SA applies to "
233                     "inbound (TRUE) or outbound (FALSE) traffic.")]
234              boolean InboundDirection;
235           
                    // The ValueMap has no entry for 1 (0, 2, 3 only), so the
                    // enumeration must not be decoded as a contiguous index.
236                 [Description (
237                     "EncapsulationMode indicates whether the IPsecSAEndpoint "
238                     "uses transport or tunnel encapsulation."), 
239                  ValueMap { "0", "2", "3" }, 
240                  Values { "Unknown", "Tunnel", "Transport" }]
241              uint16 EncapsulationMode;
242           
                    // Same gap here: 1 is unmapped (0, 2, 3, 4 only).
243                 [Description (
244                     "DFHandling controls how the 'Don't Fragment' bit is managed "
245                     "by the IPsecSAEndpoint."), 
246                  ValueMap { "0", "2", "3", "4" }, 
247                  Values { "Unknown", "Copy from Internal to External IP Header",
248                     "Set DF Bit in External Header to 1",
249                     "Set DF Bit in External Header to 0" }]
250              uint16 DFHandling;
251           
                    // No default is declared, so an unset value says nothing about
                    // whether PFS applies; an audit should treat only an explicit
                    // TRUE as PFS being required on rekey.
252                 [Description (
253 karl  1.1           "PFSInUse indicates whether perfect forward secrecy is "
254                     "required when refreshing keys.")]
255              boolean PFSInUse;
256           };
257           
258           
259           // ==================================================================
260           // PeerOfIPsecSAEndpoint
261           // ==================================================================
              // Association from a CIM_IPsecSAEndpoint (Dependent) to the
              // CIM_RemoteServiceAccessPoint that is its peer (Antecedent, Max 1).
              // NOTE(review): the banner and the Description both call this
              // "PeerOfIPsecSAEndpoint", but the class is declared as
              // CIM_PeerOfSAEndpoint; tooling must use the declared name.
262              [Association, Version ( "2.8.0" ), Description (
263                  "PeerOfIPsecSAEndpoint identifies the peer of the "
264                  "IPsecSAEndpoint.")]
265           class CIM_PeerOfSAEndpoint : CIM_Dependency {
266           
267                 [Override ( "Antecedent" ), Max ( 1 ), Description (
268                     "The peer for the SAEndpoint.")]
269              CIM_RemoteServiceAccessPoint REF Antecedent;
270           
271                 [Override ( "Dependent" ), Description (
272                     "The IPsecSAEndpoint which has a peer.")]
273              CIM_IPsecSAEndpoint REF Dependent;
274 karl  1.1 };
275           
276           
277           // ==================================================================
278           // IKESAEndpoint
279           // ==================================================================
              // Endpoint of an IKE phase 1 SA: the two negotiation cookies plus the
              // negotiated cipher, hash, authentication method and key exchange
              // group. All properties are read-only (no Write qualifier), so the
              // class reports what was negotiated rather than configuring it.
              // Because the enumerations below name the algorithms in use, they
              // can serve as an audit signal for SAs negotiated with weak
              // parameters.
280              [Version ( "2.8.0" ), Description (
281                  "IKESAEndpoint is created in the first phase of SA negotiation "
282                  "and protects the key negotiation traffic. This endpoint is "
283                  "only created when IKE is the key exchange protocol. Other "
284                  "protocols and their endpoints will be defined in a future "
285                  "release.")]
286           class CIM_IKESAEndpoint : CIM_SecurityAssociationEndpoint {
287           
288                 [Description (
289                     "Identifier of the IKE phase 1 negotiation initiator. "
290                     "Combined with the ResponderCookie, this value, in string "
291                     "form, may be used to construct the value of the key field "
292                     "'Name', inherited from ServiceAccessPoint.")]
293              uint64 InitiatorCookie;
294           
295 karl  1.1       [Description (
296                     "Identifier of the IKE phase 1 negotiation responder. "
297                     "Combined with the InitiatorCookie, this value, in string "
298                     "form, may be used to construct the value of the key field "
299                     "'Name', inherited from ServiceAccessPoint.")]
300              uint64 ResponderCookie;
301           
                    // Per the Description, the numbering differs from RFC2409
                    // Appendix A because 0 and 1 are taken by Unknown and Other, so
                    // a raw IKE attribute value must not be compared directly.
                    // NOTE(review): every cipher named here is a legacy algorithm;
                    // DES (value 2) has only a 56-bit key. AES has no named value,
                    // so it would presumably be reported as 1 ("Other") together
                    // with OtherCipherAlgorithm - confirm with the provider.
302                 [Description (
303                     "CipherAlgorithm is an enumeration that specifies the "
304                     "encryption algorithm used by the IKESAEndpoint. The list of "
305                     "algorithms was generated from Appendix A of RFC2409. Note "
306                     "that the enumeration is different than the RFC list, since "
307                     "the values of Unknown and Other are taken into account."), 
308                  ValueMap { "0", "1", "2", "3", "4", "5", "6", "7", "8..65000",
309                     "65001..65535" }, 
310                  Values { "Unknown", "Other", "DES", "IDEA", "Blowfish", "RC5",
311                     "3DES", "CAST", "DMTF/IANA Reserved", "Vendor Reserved" }, 
312                  MappingStrings { "RFC2409.IETF|Appendix A" }, 
313                  ModelCorrespondence { "CIM_IKESAEndpoint.OtherCipherAlgorithm" }]
314              uint16 CipherAlgorithm;
315           
316 karl  1.1       [Description (
317                     "Description of the encryption algorithm when the value 1 "
318                     "(\"Other\") is specified for the property, CipherAlgorithm."), 
319                  ModelCorrespondence { "CIM_IKESAEndpoint.CipherAlgorithm" }]
320              string OtherCipherAlgorithm;
321           
                    // Numbering is offset from the RFC list in the same way as
                    // CipherAlgorithm.
                    // NOTE(review): MD5 (2) and SHA-1 (3) both have known collision
                    // weaknesses; treat them as legacy when auditing endpoints.
322                 [Description (
323                     "HashAlgorithm is an enumeration that specifies the hash "
324                     "function used by the IKESAEndpoint. The list of algorithms "
325                     "was generated from Appendix A of RFC2409. Note that the "
326                     "enumeration is different than the RFC list, since the "
327                     "values of Unknown and Other are taken into account."), 
328                  ValueMap { "0", "1", "2", "3", "4", "5..65000", "65001..65535" }, 
329                  Values { "Unknown", "Other", "MD5", "SHA-1", "Tiger",
330                     "DMTF/IANA Reserved", "Vendor Reserved" }, 
331                  MappingStrings { "RFC2409.IETF|Appendix A" }, 
332                  ModelCorrespondence { "CIM_IKESAEndpoint.OtherHashAlgorithm" }]
333              uint16 HashAlgorithm;
334           
335                 [Description (
336                     "Description of the hash function when the value 1 "
337 karl  1.1           "(\"Other\") is specified for the property, HashAlgorithm."), 
338                  ModelCorrespondence { "CIM_IKESAEndpoint.HashAlgorithm" }]
339              string OtherHashAlgorithm;
340           
                    // NOTE(review): the Description says this "specifies the
                    // operation of the IKESAEndpoint"; the Values list shows it is
                    // the phase 1 authentication method (pre-shared key, signature
                    // or RSA encryption variants). Numbering is offset from the RFC
                    // list as for the two enumerations above.
341                 [Description (
342                     "AuthenticationMethod is an enumeration that specifies the "
343                     "operation of the IKESAEndpoint. The list of methods was "
344                     "generated from Appendix A of RFC2409. Note that the "
345                     "enumeration is different than the RFC list, since the "
346                     "values of Unknown and Other are taken into account."), 
347                  ValueMap { "0", "1", "2", "3", "4", "5", "6", "7..65000",
348                     "65001..65535" }, 
349                  Values { "Unknown", "Other", "Pre-shared Key", "DSS Signatures",
350                     "RSA Signatures", "Encryption with RSA",
351                     "Revised Encryption with RSA", "DMTF/IANA Reserved",
352                     "Vendor Reserved" }, 
353                  MappingStrings { "RFC2409.IETF|Appendix A" }, 
354                  ModelCorrespondence { 
355                     "CIM_IKESAEndpoint.OtherAuthenticationMethod" }]
356              uint16 AuthenticationMethod;
357           
358 karl  1.1       [Description (
359                     "Description of the method when the value 1 (\"Other\") is "
360                     "specified for the property, AuthenticationMethod."), 
361                  ModelCorrespondence { "CIM_IKESAEndpoint.AuthenticationMethod" }]
362              string OtherAuthenticationMethod;
363           
                    // Unlike the three enumerations above, no Unknown/Other entries
                    // are inserted here: 0 is "No Group/Non-Diffie-Hellman Exchange"
                    // and 1..5 keep the group numbers listed in the Description.
                    // NOTE(review): the 768-bit (1) and 1024-bit (2) prime groups
                    // are considered too small for current use; flag SAs that
                    // report them. The Description spells the property "GroupID";
                    // the declared name is GroupId.
364                 [Description (
365                     "GroupId specifies the key exchange group ID. If the GroupID "
366                     "number is from the vendor-specific range (32768-65535), the "
367                     "VendorID qualifies the group number. Well-known group "
368                     "identifiers from RFC2412, Appendix E, are: Group 1='768 bit "
369                     "prime', Group 2='1024 bit prime', Group 3= 'Elliptic Curve "
370                     "Group with 155 bit field element', Group 4= 'Large Elliptic "
371                     "Curve Group with 185 bit field element', and Group 5='1536 "
372                     "bit prime'."), 
373                  ValueMap { "0", "1", "2", "3", "4", "5", "..", "0x8000.." }, 
374                  Values { "No Group/Non-Diffie-Hellman Exchange",
375                     "DH-768 bit prime", "DH-1024 bit prime",
376                     "EC2N-155 bit field element", "EC2N-185 bit field element",
377                     "DH-1536 bit prime", "Standard Group - Reserved",
378                     "Vendor Reserved" }, 
379 karl  1.1        MappingStrings { "RFC2412.IETF|Appendix E" }, 
380                  ModelCorrespondence { "CIM_IKESAEndpoint.VendorID" }]
381              uint16 GroupId;
382           
383                 [Description (
384                     "VendorID identifies the vendor when the value of GroupID is "
385                     "in the vendor-specific range, 32768 to 65535."), 
386                  ModelCorrespondence { "CIM_IKESAEndpoint.GroupId" }]
387              string VendorID;
388           };
389           
390           
391           // ==================================================================
392           // Phase1SAUsedForPhase2
393           // ==================================================================
              // Association recording which phase 1 SA protected the negotiation of
              // a given phase 2 (IPsec) SA. The Antecedent is typed as the base
              // CIM_SecurityAssociationEndpoint rather than CIM_IKESAEndpoint, so
              // phase 1 endpoints other than IKE fit as well; Max ( 1 ) is
              // declared on the Antecedent reference only.
394              [Association, Version ( "2.8.0" ), Description (
395                  "Phase1SAUsedForPhase2 associates a phase 1 endpoint (such as "
396                  "an IKESAEndpoint) with an IPsecSAEndpoint that was negotiated "
397                  "using that phase 1 Security Association.")]
398           class CIM_Phase1SAUsedForPhase2 : CIM_Dependency {
399           
400 karl  1.1       [Override ( "Antecedent" ), Max ( 1 ), Description (
401                     "Phase 1 SAEndpoint that protected the negotiation of the "
402                     "phase 2 Security Association. An example of a phase 1 "
403                     "endpoint is an IKESAEndpoint.")]
404              CIM_SecurityAssociationEndpoint REF Antecedent;
405           
406                 [Override ( "Dependent" ), Description (
407                     "The phase 2 SAEndpoint.")]
408              CIM_IPsecSAEndpoint REF Dependent;
409           };
410           
411           
412           // ==================================================================
413           // Security Association Transforms
414           // ==================================================================
415           
416           // ==================================================================
417           // SATransform
418           // ==================================================================
              // Abstract base for the transform classes; CIM_AHTransform and
              // CIM_ESPTransform in this file derive from it. Instances are scoped
              // by a System, not by an SA endpoint (see the Description).
              // Zero means different things for the two limits: MaxLifetimeSeconds
              // = 0 selects the 8-hour default, MaxLifetimeKilobytes = 0 means no
              // maximum is defined.
419              [Abstract, Version ( "2.8.0" ), Description (
420                  "SATransform is the base class for the various types of "
421 karl  1.1        "transforms that are in effect for an existing IPsecSAEndpoint, "
422                  "or aggregated into phase 2 proposals used during the IPsec "
423                  "negotiation process. This class is defined as a kind of "
424                  "ScopedSettingData, since it describes the set of transform "
425                  "properties that MUST be applied together, if negotiated. This "
426                  "subclassing is different than that defined in IETF's IPSP "
427                  "Policy draft - where it is subclassed from Policy. The "
428                  "definition as SettingData is more consistent with the "
429                  "application of the properties as a set, to the negotiated "
430                  "Security Association. \n"
431                  "\n"
432                  "Note that an instance of this class is 'scoped' or contained "
433                  "by a System (either a ComputerSystem or AdminDomain), rather "
434                  "than by a SecurityAssociationEndpoint. This is indicated by "
435                  "instantiating the ScopedSetting association, and is necessary "
436                  "since the transform data is used in IPsec negotiation policies "
437                  "(also scoped by Systems) before ever being associated with a "
438                  "SecurityAssociationEndpoint. The latter semantics (i.e., that "
439                  "'this' transform is negotiated for 'this' Security "
440                  "Association) is conveyed via a subclass of ElementSettingData, "
441                  "TransformOfSecurityAssociation."), 
442 karl  1.1     MappingStrings { "IPSP Model.IETF|SATransform" }]
443           class CIM_SATransform : CIM_ScopedSettingData {
444           
                    // Override adds only the IPSP MappingStrings; no Description is
                    // given for ElementName here.
445                 [Override ( "ElementName" ), 
446                  MappingStrings { "IPSP Model.IETF|SATransform.CommonName" }]
447              string ElementName;
448           
449                 [Description (
450                     "MaxLifetimeSeconds specifies the maximum time that the "
451                     "Security Association should be considered valid after it "
452                     "has been created. A value of 0, the default, indicates that "
453                     "8 hours should be used. A non-zero value indicates the "
454                     "maximum lifetime in seconds."), 
455                  Units ( "Seconds" ), 
456                  MappingStrings { "IPSP " 
457                     "Model.IETF|SATransform.MaxLifetimeSeconds" }]
458              uint64 MaxLifetimeSeconds = 0;
459           
                    // NOTE(review): the Description ties the kilobyte lifetime to
                    // cipher strength, yet the default of 0 sets no volume bound at
                    // all. Leaving it at 0 for a transform that uses a weaker
                    // cipher is worth checking during a policy review.
460                 [Description (
461                     "MaxLifetimeKilobytes specifies the maximum kilobyte "
462                     "lifetime for a Security Association. Different lifetimes "
463 karl  1.1           "are used, depending on the strength of the encryption "
464                     "algorithm. A value of 0, the default, indicates that no "
465                     "maximum should be defined. A non-zero value specifies the "
466                     "desired kilobyte lifetime."), 
467                  Units ( "KiloBytes" ), 
468                  MappingStrings { "IPSP " 
469                     "Model.IETF|SATransform.MaxLifetimeKilobytes" }]
470              uint64 MaxLifetimeKilobytes = 0;
471           
472                 [Description (
473                     "VendorID identifies vendor-defined transforms. If this "
474                     "field is empty (the default), then this is a standard "
475                     "transform."), 
476                  MappingStrings { "IPSP Model.IETF|SATransform.VendorID" }]
477              string VendorID = "";
478           };
479           
480           
481           // ==================================================================
482           // TransformOfSecurityAssociation
483           // ==================================================================
              // Association linking a CIM_IPsecSAEndpoint (ManagedElement) to the
              // CIM_SATransform it uses (SettingData, Min 1 / Max 1).
              // The Description states that no keying material of the SA is
              // exposed, and no property of this class or of CIM_SATransform in
              // this file holds key data. NOTE(review): vendor extensions of
              // either class should keep to that rule.
484 karl  1.1    [Association, Version ( "2.8.0" ), Description (
485                  "TransformOfSecurityAssociation maps a SecurityAssociation "
486                  "Endpoint with the transform that it uses. For security, no "
487                  "keying material of the SA is exposed.")]
488           class CIM_TransformOfSecurityAssociation : CIM_ElementSettingData {
489           
490                 [Override ( "SettingData" ), Min ( 1 ), Max ( 1 ), Description (
491                     "Transform of the IPsecSAEndpoint.")]
492              CIM_SATransform REF SettingData;
493           
494                 [Override ( "ManagedElement" ), Description (
495                     "The IPsecSAEndpoint that uses the transform.")]
496              CIM_IPsecSAEndpoint REF ManagedElement;
497           };
498           
499           
500           // ==================================================================
501           // AHTransform
502           // ==================================================================
              // Parameters of a phase 2 AH Security Association: the integrity
              // algorithm plus the replay prevention switch and window size.
              // Lifetimes and VendorID are inherited from CIM_SATransform.
503              [Version ( "2.8.0" ), Description (
504                  "AHTransform defines the parameters used for a phase 2 AH "
505 karl  1.1        "(Authentication Header) Security Association."), 
506               MappingStrings { "IPSP Model.IETF|AHTransform" }]
507           class CIM_AHTransform : CIM_SATransform {
508           
                    // The ValueMap starts at 1 ("Other"); there is no 0/"Unknown"
                    // entry, unlike the enumerations on CIM_IKESAEndpoint.
                    // NOTE(review): all three named algorithms (MD5, SHA-1, DES)
                    // are legacy choices; anything newer would presumably be
                    // reported as 1 ("Other") with OtherAHTransformId - confirm
                    // with the provider.
509                 [Description (
510                     "AHTransformId is an enumeration that specifies the hash "
511                     "algorithm to be used. The list of values was generated from "
512                     "RFC2407, Section 4.4.3."), 
513                  ValueMap { "1", "2", "3", "4" }, 
514                  Values { "Other", "MD5", "SHA-1", "DES" }, 
515                  MappingStrings { "IPSP Model.IETF|AHTransform.AHTransformID",
516                     "RFC2407.IETF|Section 4.4.3" }, 
517                  ModelCorrespondence { "CIM_AHTransform.OtherAHTransformId" }]
518              uint16 AHTransformId;
519           
520                 [Description (
521                     "Description of the hash algorithm when the value 1 "
522                     "(\"Other\") is specified for the property, AHTransformId."), 
523                  ModelCorrespondence { "CIM_AHTransform.AHTransformId" }]
524              string OtherAHTransformId;
525           
                    // No default is declared, so an unset value does not indicate
                    // that replay prevention is enabled; an audit should look for an
                    // explicit TRUE.
526 karl  1.1       [Description (
527                     "UseReplayPrevention causes the local peer to enable replay "
528                     "prevention detection. This can be accomplished by using a "
529                     "sequence number when sending a packet or checking the "
530                     "sequence number upon receipt of a packet."), 
531                  MappingStrings { "IPSP " 
532                     "Model.IETF|AHTransform.UseReplayPrevention" }]
533              boolean UseReplayPrevention;
534           
                    // NOTE(review): the Description says
                    // "ReplayPreventionWindowsSize" (extra 's'); the declared
                    // property is ReplayPreventionWindowSize. The power-of-2
                    // requirement is stated in prose only - no qualifier here
                    // enforces it - so a consumer has to validate the value itself.
535                 [Description (
536                     "ReplayPreventionWindowsSize specifies, in bits, the length "
537                     "of the sliding window used by the replay prevention "
538                     "mechanism. The value of this property is meaningless if "
539                     "UseReplayPrevention is false. The window size MUST be a "
540                     "power of 2."), 
541                  Units ( "Bits" ), 
542                  MappingStrings { "IPSP " 
543                     "Model.IETF|AHTransform.ReplayPreventionWindowSize" }]
544              uint32 ReplayPreventionWindowSize;
545           };
546           
547 karl  1.1 
548           // ==================================================================
549           // ESPTransform
              //
              // Describes the parameters of a phase 2 ESP Security Association:
              // integrity algorithm, cipher algorithm, cipher key length and
              // rounds, and the replay prevention settings.
              // NOTE(review): the class Description expands ESP as
              // "Encapsulating Security Protocol"; the IETF name is
              // "Encapsulating Security Payload".
              // NOTE(review): IntegrityTransformId and CipherTransformId each
              // allow 2 ("None"), and nothing visible in this class prevents
              // both being 2 at once. Such an instance describes an SA with
              // neither integrity nor confidentiality, so consumers should
              // reject or flag that combination.
550           // ==================================================================
551              [Version ( "2.8.0" ), Description (
552                  "ESPTransform defines the parameters used for a phase 2 ESP "
553                  "(Encapsulating Security Protocol) Security Association."), 
554               MappingStrings { "IPSP Model.IETF|ESPTransform" }]
555           class CIM_ESPTransform : CIM_SATransform {
556           
                    // Integrity algorithm selector. Values pair up positionally
                    // with ValueMap: 1=Other, 2=None, 3=MD5, 4=SHA-1, 5=DES,
                    // 6=KPDK, then two reserved ranges. The numbering is offset
                    // from RFC2407 because Other and None are added (see the
                    // Description). 2 ("None") means ESP is negotiated without
                    // authentication.
557                 [Description (
558                     "IntegrityTransformId is an enumeration that specifies the "
559                     "ESP integrity algorithm to be used. The list of values is "
560                     "generated from the enumeration defined in RFC2407, Section "
561                     "4.5. Note that the enumeration is different than the RFC "
562                     "list, since the values of Other and None are taken into "
563                     "account. Also, note that 2 (\"None\") is used when ESP is "
564                     "negotiated without authentication."), 
565                  ValueMap { "1", "2", "3", "4", "5", "6", "7..61439",
566                     "61440..65535" }, 
567                  Values { "Other", "None", "MD5", "SHA-1", "DES", "KPDK",
568 karl  1.1           "DMTF/IANA Reserved", "Vendor Reserved" }, 
569                  MappingStrings { "IPSP " 
570                     "Model.IETF|ESPTransform.IntegrityTransformId",
571                     "RFC2407.IETF|Section 4.5" }, 
572                  ModelCorrespondence { 
573                     "CIM_ESPTransform.OtherIntegrityTransformId" }]
574              uint16 IntegrityTransformId;
575           
                    // Free-text companion to IntegrityTransformId, used when it
                    // is 1 ("Other").
576                 [Description (
577                     "Description of the integrity algorithm when the value 1 "
578                     "(\"Other\") is specified for the property, "
579                     "IntegrityTransformId."), 
580                  ModelCorrespondence { "CIM_ESPTransform.IntegrityTransformId" }]
581              string OtherIntegrityTransformId;
582           
                    // Cipher selector. 2 ("None") corresponds to the RFC's NULL
                    // transform, i.e. no encryption.
                    // NOTE(review): the Description below misspells
                    // "encryption" as "encrypion".
                    // NOTE(review): every named cipher in Values is a legacy
                    // algorithm. A newer cipher can only be expressed as 1
                    // ("Other") plus OtherCipherTransformId.
583                 [Description (
584                     "CipherTransformId is an enumeration that specifies the ESP "
585                     "encrypion algorithm to be used. The list of values is "
586                     "defined in RFC2407, Section 4.4.4, where the RFC's NULL "
587                     "value maps to 2-\"None\". Note that the enumeration is "
588                     "different than the RFC list, since 'Other' is added to the "
589 karl  1.1           "enumeration."), 
590                  ValueMap { "1", "2", "3", "4", "5", "6", "7", "8", "9", "10",
591                     "11", "12" }, 
592                  Values { "Other", "None", "DES_IV64", "DES", "3DES", "RC5",
593                     "IDEA", "CAST", "Blowfish", "3-IDEA", "DES_IV32", "RC4" }, 
594                  MappingStrings { "IPSP " 
595                     "Model.IETF|ESPTransform.CipherTransformId",
596                     "RFC2407.IETF|Section 4.4.4" }, 
597                  ModelCorrespondence { "CIM_ESPTransform.OtherCipherTransformId" 
598                     }]
599              uint16 CipherTransformId;
600           
                    // Free-text companion to CipherTransformId, used when it is
                    // 1 ("Other").
601                 [Description (
602                     "Description of the encryption algorithm when the value 1 "
603                     "(\"Other\") is specified for the property, "
604                     "CipherTransformId."), 
605                  ModelCorrespondence { "CIM_ESPTransform.CipherTransformId" }]
606              string OtherCipherTransformId;
607           
                    // Key length in bits. It only matters for ciphers whose key
                    // length is not fixed. The qualifiers shown here express no
                    // minimum or maximum, so any floor on key size has to be
                    // enforced by the consumer.
608                 [Description (
609                     "CipherKeyLength specifies, in bits, the key length for the "
610 karl  1.1           "encryption algorithm. For algorithms with fixed key "
611                     "lengths, this value is ignored."), 
612                  Units ( "Bits" ), 
613                  MappingStrings { "IPSP Model.IETF|ESPTransform.CipherKeyLength" 
614                     }]
615              uint16 CipherKeyLength;
616           
                    // Number of key rounds. Per the Description, no ESP
                    // encryption algorithm currently defines key rounds.
617                 [Description (
618                     "CipherKeyRounds specifies the key rounds for the encryption "
619                     "algorithm. For algorithms with a fixed number of key "
620                     "rounds, this value is ignored. Currently, key rounds are "
621                     "NOT defined for any ESP encryption algorithms."), 
622                  MappingStrings { "IPSP Model.IETF|ESPTransform.CipherKeyRounds" 
623                     }]
624              uint16 CipherKeyRounds;
625           
                    // Enables replay prevention on the local peer. When this is
                    // false, ReplayPreventionWindowSize carries no meaning (see
                    // its Description below).
626                 [Description (
627                     "UseReplayPrevention causes the local peer to enable replay "
628                     "prevention detection. This can be accomplished by using a "
629                     "sequence number when sending a packet or checking the "
630                     "sequence number upon receipt of a packet."), 
631 karl  1.1        MappingStrings { "IPSP " 
632                     "Model.IETF|ESPTransform.UseReplayPrevention" }]
633              boolean UseReplayPrevention;
634           
                    // Sliding-window length in bits.
                    // NOTE(review): the Description spells the property
                    // "ReplayPreventionWindowsSize", but the declared name and
                    // the MappingStrings entry are ReplayPreventionWindowSize.
                    // The power-of-2 requirement is stated only in prose. No
                    // qualifier visible here enforces it, so consumers must
                    // check it before applying the value.
635                 [Description (
636                     "ReplayPreventionWindowsSize specifies, in bits, the length "
637                     "of the sliding window used by the replay prevention "
638                     "mechanism. The value of this property is meaningless if "
639                     "UseReplayPrevention is false. The window size MUST be a "
640                     "power of 2."), 
641                  Units ( "Bits" ), 
642                  MappingStrings { "IPSP " 
643                     "Model.IETF|ESPTransform.ReplayPreventionWindowSize" }]
644              uint32 ReplayPreventionWindowSize;
645           };
646           
647           
648           // ==================================================================
649           // IPCOMPTransform
              //
              // Describes the IP compression algorithm applied to the payload of
              // a Security Association: an algorithm selector, a free-text
              // description for "Other", a numeric identifier for a private
              // (vendor) algorithm, and an optional dictionary size.
650           // ==================================================================
651              [Version ( "2.8.0" ), Description (
652 karl  1.1        "The IPCOMPTransform specifies the IP compression algorithm to "
653                  "use for payload of the Security Association."), 
654               MappingStrings { "IPSP Model.IETF|IPCOMPTransform" }]
655           class CIM_IPCOMPTransform : CIM_SATransform {
656           
                    // Compression algorithm selector. Values pair up
                    // positionally with ValueMap: 1=Other,
                    // 2=Vendor Algorithm/OUI, 3=DEFLATE, 4=LZS. The numbering is
                    // offset from RFC2407 because 'Other' is added (see the
                    // Description). Value 1 is qualified by OtherAlgorithm and
                    // value 2 by PrivateAlgorithm.
657                 [Description (
658                     "The Algorithm is an enumeration that designates the IPCOMP "
659                     "compression algorithm to use. Its values are generated from "
660                     "RFC2407, Section 4.4.5. Note that the values are modified "
661                     "from the RFC, since 'Other' must be taken into account."), 
662                  ValueMap { "1", "2", "3", "4" }, 
663                  Values { "Other", "Vendor Algorithm/OUI", "DEFLATE", "LZS" }, 
664                  MappingStrings { "IPSP Model.IETF|IPCOMPTransform.Algorithm",
665                     "RFC2407.IETF|Section 4.4.5" }, 
666                  ModelCorrespondence { "CIM_IPCOMPTransform.PrivateAlgorithm",
667                     "CIM_IPCOMPTransform.OtherAlgorithm" }]
668              uint16 Algorithm;
669           
                    // Free-text companion to Algorithm, used when it is 1
                    // ("Other").
670                 [Description (
671                     "Description of the compression algorithm when the value 1 "
672                     "(\"Other\") is specified for the property, Algorithm."), 
673 karl  1.1        ModelCorrespondence { "CIM_IPCOMPTransform.Algorithm" }]
674              string OtherAlgorithm;
675           
                    // Numeric identifier of a private algorithm, used when
                    // Algorithm is 2. The encoding of the uint32 is not
                    // described here.
                    // NOTE(review): presumably it carries the vendor OUI-based
                    // identifier; confirm against the IPSP model.
676                 [Description (
677                     "A private compression algorithm, used when the Algorithm "
678                     "property is set to 2, \"Vendor Algorithm/OUI\"."), 
679                  MappingStrings { "IPSP " 
680                     "Model.IETF|IPCOMPTransform.PrivateAlgorithm" }, 
681                  ModelCorrespondence { "CIM_IPCOMPTransform.Algorithm" }]
682              uint32 PrivateAlgorithm;
683           
                    // Optional. Holds the log2 of the maximum dictionary size,
                    // so the stored value is an exponent rather than a size. No
                    // upper bound is expressed in the qualifiers shown here, so
                    // a consumer should bound it before allocating.
684                 [Description (
685                     "DictionarySize is an optional field that specifies the log2 "
686                     "maximum size of the dictionary for the compression "
687                     "algorithm. For dictionaries that have a fixed size, this "
688                     "value is ignored."), 
689                  MappingStrings { "IPSP " 
690                     "Model.IETF|IPCOMPTransform.DictionarySize" }]
691              uint16 DictionarySize;
692           };
693           
694 karl  1.1 
695           // ===================================================================
696           // end of file
697           // ===================================================================
