1 a.dunfey 1.1 // ===================================================================
2 // Title: IPsec Policy
3 // $State: Preliminary $
4 // $Date: 2005/01/05 00:54:00 $
5 // $Source: /home/dmtf2/dotorg/var/cvs/repositories/dev/Schema/MOF/CIM_IPsecPolicy.mof,v $
6 // $Revision: 1.6 $
7 // ===================================================================
8 //#pragma inLine ("Includes/copyright.inc")
9 // Copyright 1998-2005 Distributed Management Task Force, Inc. (DMTF).
10 // All rights reserved.
11 // DMTF is a not-for-profit association of industry members dedicated
12 // to promoting enterprise and systems management and interoperability.
13 // DMTF specifications and documents may be reproduced for uses
14 // consistent with this purpose by members and non-members,
15 // provided that correct attribution is given.
16 // As DMTF specifications may be revised from time to time,
17 // the particular version and release date should always be noted.
18 //
19 // Implementation of certain elements of this standard or proposed
20 // standard may be subject to third party patent rights, including
21 // provisional patent rights (herein "patent rights"). DMTF makes
22 a.dunfey 1.1 // no representations to users of the standard as to the existence
23 // of such rights, and is not responsible to recognize, disclose, or
24 // identify any or all such third party patent right, owners or
25 // claimants, nor for any incomplete or inaccurate identification or
26 // disclosure of such rights, owners or claimants. DMTF shall have no
27 // liability to any party, in any manner or circumstance, under any
28 // legal theory whatsoever, for failure to recognize, disclose, or
29 // identify any such third party patent rights, or for such party's
30 // reliance on the standard or incorporation thereof in its product,
31 // protocols or testing procedures. DMTF shall have no liability to
32 // any party implementing such standard, whether such implementation
33 // is foreseeable or not, nor to any patent owner or claimant, and shall
34 // have no liability or responsibility for costs or losses incurred if
35 // a standard is withdrawn or modified after publication, and shall be
36 // indemnified and held harmless by any party implementing the
37 // standard from any and all claims of infringement by a patent owner
38 // for such implementations.
39 //
40 // For information about patents held by third-parties which have
41 // notified the DMTF that, in their opinion, such patent may relate to
42 // or impact implementations of DMTF standards, visit
43 a.dunfey 1.1 // http://www.dmtf.org/about/policies/disclosures.php.
44 //#pragma inLine
45 // ===================================================================
46 // Description: This file defines the classes to negotiate
47 // an IPsec security association.
48 //
49 // The object classes below are listed in an order that
50 // avoids forward references. Required objects, defined
51 // by other working groups, are omitted.
52 // ==================================================================
53 // This model was originally introduced in CIM V2.6 Preliminary and
54 // was not promoted to Final status. The following CR updates the
55 // V2.6 MOF and better aligns it with the IETF I-D from the IPSP
56 // Working Group.
57 //
58 // Change Log for v2.8 Preliminary
59 // CR1026 - Modifications to the V2.6 MOF for IPsec management
60 // CR1105 - Generalize the SACondition class to be FilterCondition
61 // & move the classes to the Policy model.
62 // Generalize SAConditionInRule to be PacketConditionInSARule.
63 // Change Log for v2.8 Final
64 a.dunfey 1.1 // DMTFCR1212 - remove Experimental
65 //
66 // ===================================================================
67
68 #pragma Locale ("en_US")
69
70 // ==================================================================
71 // Compile prerequisite: Core, Policy and Network MOFs
72 // ==================================================================
73
74
75 // ==================================================================
76 // IPsec Negotiation Policy Rules
77 // ==================================================================
78
79 // ==================================================================
80 // SARule
81 // ==================================================================
82 [Version ( "2.8.0" ), Description (
83 "SARule is a base class for defining IKE and IPsec Rules. "
84 "Although concrete (because it subclasses from a concrete "
85 a.dunfey 1.1 "class), it is not intended to be instantiated. It defines a "
86 "common connection point for associating conditions and actions "
87 "for both types of rules. Note that each valid PolicyGroup "
88 "containing SARules MUST use a unique priority number for the "
89 "Rule in the aggregation, PolicySetComponent.Priority."),
90 MappingStrings { "IPSP Policy Model.IETF|SARule" }]
91 class CIM_SARule : CIM_PolicyRule {
92
93 [Description (
94 "LimitNegotiation is used as part of processing either a key "
95 "exchange or IPsec Rule. Before proceeding with either a "
96 "phase 1 or a phase 2 negotiation, this property is checked "
97 "to determine if the negotiation role of the Rule matches "
98 "that defined for the negotiation being undertaken (e.g., "
99 "Initiator, Responder, or Both). If this check fails, then "
100 "the negotiation is stopped. Note that this only applies to "
101 "new negotiations and has no effect on either renegotiation "
102 "or refresh operations with peers for which an established "
103 "Security Association already exists."),
104 ValueMap { "1", "2", "3" },
105 Values { "Initiator-Only", "Responder-Only", "Either" },
106 a.dunfey 1.1 MappingStrings { "IPSP Policy "
107 "Model.IETF|SARule.LimitNegotiation" }]
108 uint16 LimitNegotiation;
109 };
110
111
112 // ==================================================================
113 // RuleThatGeneratedSA
114 // ==================================================================
115 [Association, Version ( "2.8.0" ), Description (
116 "RuleThatGeneratedSA associates a SecurityAssociationEndpoint "
117 "with the SARule used to generate (or negotiate) it.")]
118 class CIM_RuleThatGeneratedSA : CIM_Dependency {
119
120 [Override ( "Antecedent" ), Min ( 0 ), Max ( 1 ), Description (
121 "SARule that led to the Security Association.")]
122 CIM_SARule REF Antecedent;
123
124 [Override ( "Dependent" ), Description (
125 "SecurityAssociationEndpoint created using the rule.")]
126 CIM_SecurityAssociationEndpoint REF Dependent;
127 a.dunfey 1.1 };
128
129
130 // ==================================================================
131 // IKERule
132 // ==================================================================
133 [Version ( "2.8.0" ), Description (
134 "IKERule contains the Conditions and Actions for IKE phase 1 "
135 "negotiations or to specify static actions such as Discard."),
136 MappingStrings { "IPSP Policy Model.IETF|IKERule" }]
137 class CIM_IKERule : CIM_SARule {
138
139 [Description (
140 "An IP endpoint may have multiple identities for use in "
141 "different situations. The IdentityContext property "
142 "specifies the specific context/identities which pertain to "
143 "this Rule. The property's function is similar to that of "
144 "PolicyRoles. A context may be a VPN name or other "
145 "identifier that selects the appropriate identity. \n"
146 "\n"
147 "IdentityContext is an array of strings. The multiple values "
148 a.dunfey 1.1 "in the array are logically ORed together in matching an "
149 "IPNetworkIdentity's IdentityContext. Each value in the "
150 "array may be a composition of multiple context names. When "
151 "an array value is a composition, the individual values are "
152 "logically ANDed together for evaluation purposes. The "
153 "syntax is: \n"
154 "<ContextName>[&&<ContextName>]* \n"
155 "where the individual context names appear in alphabetical "
156 "order (according to the collating sequence for UCS-2). So, "
157 "for example, the values 'CompanyXVPN', "
158 "'CompanyYVPN&&TopSecret', 'CompanyZVPN&&Confidential' are "
159 "possible contexts for a Rule. They are matched against an "
160 "IPNetworkIdentity's IdentityContext. Any of the values may "
161 "indicate a match and select an Identity, since the values "
162 "in the array are logically ORed."),
163 MappingStrings { "IPSP Policy "
164 "Model.IETF|IKERule.IdentityContexts" },
165 ModelCorrespondence { "CIM_IdentityContext" }]
166 string IdentityContexts[];
167 };
168
169 a.dunfey 1.1
170 // ==================================================================
171 // IPsecRule
172 // ==================================================================
173 [Version ( "2.8.0" ), Description (
174 "IPsecRule contains the Conditions and Actions for phase 2 "
175 "negotiations or to specify static actions such as Discard."),
176 MappingStrings { "IPSP Policy Model.IETF|IPsecRule" }]
177 class CIM_IPsecRule : CIM_SARule {
178 };
179
180
181 // ==================================================================
182 // IPsecPolicyForSystem
183 // ==================================================================
184 [Association, Version ( "2.8.0" ), Description (
185 "IPsecPolicyForSystem associates a PolicyGroup with a specific "
186 "system (e.g., a host or a network device) - indicating that "
187 "this is the 'default' IPsec policy for that system. The "
188 "referenced PolicyGroup would be used for any "
189 "IPProtocolEndpoint's IPsec negotiations, UNLESS the "
190 a.dunfey 1.1 "IPsecPolicyForEndpoint association is defined. "
191 "IPsecPolicyForEndpoint indicates a more specific PolicyGroup "
192 "for IPsec negotiations for the endpoint."),
193 MappingStrings { "IPSP Policy Model.IETF|IPsecPolicyForSystem" }]
194 class CIM_IPsecPolicyForSystem : CIM_Dependency {
195
196 [Override ( "Antecedent" ), Description (
197 "A System to which the PolicyGroup applies."),
198 MappingStrings { "IPSP Policy "
199 "Model.IETF|IPsecPolicyForSystem.Antecedent" }]
200 CIM_System REF Antecedent;
201
202 [Override ( "Dependent" ), Min ( 0 ), Max ( 1 ), Description (
203 "The PolicyGroup that defines the 'default' IPsec "
204 "negotiation policy for the System."),
205 MappingStrings { "IPSP Policy "
206 "Model.IETF|IPsecPolicyForSystem.Dependent" }]
207 CIM_PolicyGroup REF Dependent;
208 };
209
210
211 a.dunfey 1.1 // ==================================================================
212 // IPsecPolicyForEndpoint
213 // ==================================================================
214 [Association, Version ( "2.8.0" ), Description (
215 "IPsecPolicyForEndpoint associates a PolicyGroup with a "
216 "specific IP endpoint. This association's policies take "
217 "priority over any PolicyGroup defined generically for the "
218 "hosting system. The latter is defined using the "
219 "IPsecPolicyForSystem association."),
220 MappingStrings { "IPSP Policy Model.IETF|IPsecPolicyForEndpoint" }]
221 class CIM_IPsecPolicyForEndpoint : CIM_Dependency {
222
223 [Override ( "Antecedent" ), Description (
224 "The IPProtocolEndpoint that identifies an interface to "
225 "which the PolicyGroup applies."),
226 MappingStrings { "IPSP Policy "
227 "Model.IETF|IPsecPolicyForEndpoint.Antecedent" }]
228 CIM_IPProtocolEndpoint REF Antecedent;
229
230 [Override ( "Dependent" ), Min ( 0 ), Max ( 1 ), Description (
231 "The PolicyGroup that defines the IPsec negotiation policy "
232 a.dunfey 1.1 "for the Endpoint."),
233 MappingStrings { "IPSP Policy "
234 "Model.IETF|IPsecPolicyForEndpoint.Dependent" }]
235 CIM_PolicyGroup REF Dependent;
236 };
237
238
239 // ==================================================================
240 // IPsec Negotiation Policy Conditions
241 // ==================================================================
242
243 // ==================================================================
244 // PacketConditionInSARule
245 // ==================================================================
246 [Association, Aggregation, Version ( "2.8.0" ), Description (
247 "PacketConditionInSARule aggregates an SARule with at least one "
248 "instance of PacketFilterCondition. This is a specialization of "
249 "the PolicyConditionInPolicyRule association."),
250 MappingStrings { "IPSP Policy Model.IETF|SAConditionInRule" }]
251 class CIM_PacketConditionInSARule : CIM_PolicyConditionInPolicyRule {
252
253 a.dunfey 1.1 [Aggregate, Override ( "GroupComponent" ), Description (
254 "An SARule subclass of PolicyRule."),
255 MappingStrings { "IPSP Policy "
256 "Model.IETF|SAConditionInRule.GroupComponent" }]
257 CIM_SARule REF GroupComponent;
258
259 [Override ( "PartComponent" ), Min ( 1 ), Description (
260 "An SACondition that is required for the SARule."),
261 MappingStrings { "IPSP Policy "
262 "Model.IETF|SAConditionInRule.PartComponent" }]
263 CIM_PacketFilterCondition REF PartComponent;
264 };
265
266
267 // ==================================================================
268 // IPsec Negotiation Policy Actions - Static and Negotiated
269 // ==================================================================
270
271 // ==================================================================
272 // SAAction
273 // ==================================================================
274 a.dunfey 1.1 [Abstract, Version ( "2.8.0" ), Description (
275 "SAAction is the base class for the various types of key "
276 "exchange or IPsec actions. It is abstract and used to "
277 "categorize the different types of actions of SARules."),
278 MappingStrings { "IPSP Policy Model.IETF|SAAction" }]
279 class CIM_SAAction : CIM_PolicyAction {
280
281 [Description (
282 "DoPacketLogging causes a log message to be generated when "
283 "the action is applied to a packet."),
284 MappingStrings { "IPSP Policy "
285 "Model.IETF|SAAction.DoPacketLogging" },
286 ModelCorrespondence {
287 "CIM_SecurityAssociationEndpoint.PacketLoggingActive" }]
288 boolean DoPacketLogging;
289 };
290
291
292 // ==================================================================
293 // SAStaticAction
294 // ==================================================================
295 a.dunfey 1.1 [Version ( "2.8.0" ), Description (
296 "SAStaticAction is the base class for both key exchange as well "
297 "as IPsec actions that require no negotiation. It is a concrete "
298 "class that can be aggregated with other subclasses of "
299 "PolicyAction (such as NetworkPacketAction) into a PolicyRule, "
300 "to describe how packets are handled throughout the lifetime of "
301 "the Security Association."),
302 MappingStrings { "IPSP Policy Model.IETF|SAStaticAction" }]
303 class CIM_SAStaticAction : CIM_SAAction {
304
305 [Description (
306 "LifetimeSeconds specifies how long the SA created from this "
307 "action should be used/exist. A value of 0 means an infinite "
308 "lifetime. A non-zero value is typically used in conjunction "
309 "with alternate SAActions performed when there is a "
310 "negotiation failure of some sort. \n"
311 "\n"
312 "Note: If the referenced SAStaticAction object IS-A "
313 "PreconfiguredSAAction (that is associated to several "
314 "SATransforms), then the actual lifetime of the Security "
315 "Association will be the lesser of the value of this "
316 a.dunfey 1.1 "LifetimeSeconds property and of the value of the "
317 "MaxLifetimeSeconds property of the associated SATransform."),
318 Units ( "Seconds" ),
319 MappingStrings { "IPSP Policy "
320 "Model.IETF|SAStaticAction.LifetimeSeconds" },
321 ModelCorrespondence {
322 "CIM_SecurityAssociationEndpoint.LifetimeSeconds" }]
323 uint64 LifetimeSeconds;
324 };
325
326
327 // ==================================================================
328 // PreconfiguredSAAction
329 // ==================================================================
330 [Version ( "2.8.0" ), Description (
331 "Subclasses of PreconfiguredSAAction are used to create SAs "
332 "using preconfigured, hard-wired algorithms and keys. No "
333 "negotiation is necessary. Note that this class is defined as "
334 "concrete, since its superclass is also concrete. However, it "
335 "should not be directly instantiated, but one of its subclasses "
336 "used instead. \n"
337 a.dunfey 1.1 "\n"
338 "Also note that: \n"
339 "- The SPI for a preconfigured SA action is contained in the "
340 "association, TransformOfPreconfiguredAction. \n"
341 "- The session key (if applicable) is contained in an instance "
342 "of SharedSecret. For an instance of the SharedSecret class: "
343 "The session key is stored in the Secret property; the property "
344 "protocol contains one of the values, \"ESP-encrypt\", "
345 "\"ESP-auth\" or \"AH\"; and, the class' property algorithm "
346 "contains the algorithm used to protect the secret. (The latter "
347 "can be \"PLAINTEXT\" if the IPsec entity has no secret "
348 "storage.) The value of the class' RemoteID property is the "
349 "concatenation of the remote IPsec peer IP address in dotted "
350 "decimal, of the character \"/\", of \"IN\" (or respectively "
351 "\"OUT\") for inbound/outbound SAs, of the character \"/\" and "
352 "of the hexadecimal representation of the SPI."),
353 MappingStrings { "IPSP Policy Model.IETF|PreconfiguredSAAction" }]
354 class CIM_PreconfiguredSAAction : CIM_SAStaticAction {
355
356 [Description (
357 "LifetimeKilobytes defines a traffic limit in kilobytes that "
358 a.dunfey 1.1 "can be consumed before the SA is deleted. A value of zero "
359 "(the default) indicates that there is no lifetime "
360 "associated with this action (i.e., infinite lifetime). A "
361 "non-zero value is used to indicate that after this number "
362 "of kilobytes has been consumed the SA must be deleted. \n"
363 "\n"
364 "Note that the actual lifetime of the preconfigured SA will "
365 "be the lesser of the value of this LifetimeKilobytes "
366 "property and the value of the MaxLifetimeKilobytes property "
367 "of the associated SATransform. Also note that some SA "
368 "negotiation protocols (such as IKE) can negotiate the "
369 "lifetime as an arbitrary length field, it is assumed that a "
370 "64-bit integer will be sufficient."),
371 Units ( "KiloBytes" ),
372 MappingStrings { "IPSP Policy Model.IETF|PreconfiguredSAAction."
373 "LifetimeKilobytes" },
374 ModelCorrespondence {
375 "CIM_SecurityAssociationEndpoint.LifetimeKilobytes" }]
376 uint64 LifetimeKilobytes;
377 };
378
379 a.dunfey 1.1
380 // ==================================================================
381 // TransformOfPreconfiguredAction
382 // ==================================================================
383 [Association, Version ( "2.8.0" ), Description (
384 "TransformOfPreconfiguredAction defines the transforms used by "
385 "a preconfigured IPsec action. Two, four or six SATransforms "
386 "can be associated to a PreconfiguredSAAction (applied to the "
387 "inbound and outbound traffic, as indicated by the Direction "
388 "property of this association). The order of application of the "
389 "SATransforms is implicitly defined in RFC2401."),
390 MappingStrings { "IPSP Policy "
391 "Model.IETF|TransformOfPreconfiguredAction" }]
392 class CIM_TransformOfPreconfiguredAction : CIM_Dependency {
393
394 [Override ( "Antecedent" ), Min ( 2 ), Max ( 6 ), Description (
395 "This defines the type of transform used by the referenced "
396 "PreconfiguredSAAction. A minimum of 2 and maximum of 6 "
397 "transforms can be defined, for the inbound/outbound "
398 "directions, representing AH, ESP, and/or an IPCOMP "
399 "transforms."),
400 a.dunfey 1.1 MappingStrings { "IPSP Policy Model.IETF|"
401 "TransformOfPreconfiguredAction.Antecedent" }]
402 CIM_SATransform REF Antecedent;
403
404 [Override ( "Dependent" ), Description (
405 "This defines the PreconfiguredSAAction which uses the AH, "
406 "ESP, and/or IPCOMP transforms."),
407 MappingStrings { "IPSP Policy Model.IETF|"
408 "TransformOfPreconfiguredAction.Dependent" }]
409 CIM_PreconfiguredSAAction REF Dependent;
410
411 [Description (
412 "The SPI property specifies the security parameter index to "
413 "be used by the pre-configured action for the associated "
414 "transform."),
415 MappingStrings { "IPSP Policy Model.IETF|"
416 "TransformOfPreconfiguredAction.SPI" },
417 ModelCorrespondence { "CIM_IPsecSAEndpoint.SPI" }]
418 uint32 SPI;
419
420 [Description (
421 a.dunfey 1.1 "InboundDirection specifies whether the SA applies to "
422 "inbound (TRUE) or outbound (FALSE) traffic."),
423 MappingStrings { "IPSP Policy Model.IETF|"
424 "TransformOfPreconfiguredAction.Direction" },
425 ModelCorrespondence { "CIM_IPsecSAEndpoint.InboundDirection" }]
426 boolean InboundDirection;
427 };
428
429
430 // ==================================================================
431 // PreconfiguredTransportAction
432 // ==================================================================
433 [Version ( "2.8.0" ), Description (
434 "PreconfiguredTransportAction is used to create transport-mode "
435 "SAs using preconfigured, hard-wired algorithms and keys. Note "
436 "that the SPI for a preconfigured SA action is contained in the "
437 "association, TransformOfPreconfiguredAction."),
438 MappingStrings { "IPSP Policy "
439 "Model.IETF|PreconfiguredTransportAction" }]
440 class CIM_PreconfiguredTransportAction : CIM_PreconfiguredSAAction {
441 };
442 a.dunfey 1.1
443
444 // ==================================================================
445 // PreconfiguredTunnelAction
446 // ==================================================================
447 [Version ( "2.8.0" ), Description (
448 "PreconfiguredTunnelAction is used to create tunnel-mode SAs "
449 "using preconfigured, hard-wired algorithms and keys. Note that "
450 "the SPI for a preconfigured SA action is contained in the "
451 "association, TransformOfPreconfiguredAction."),
452 MappingStrings { "IPSP Policy Model.IETF|PreconfiguredTunnelAction"
453 }]
454 class CIM_PreconfiguredTunnelAction : CIM_PreconfiguredSAAction {
455
456 [Description (
457 "DFHandling controls how the Don't Fragment bit is managed "
458 "by the tunnel."),
459 ValueMap { "2", "3", "4" },
460 Values { "Copy from Internal to External IP Header",
461 "Set DF Bit in External Header to 1",
462 "Set DF Bit in External Header to 0" },
463 a.dunfey 1.1 MappingStrings { "IPSP Policy Model.IETF|"
464 "PreconfiguredTunnelAction.DFHandling" },
465 ModelCorrespondence { "CIM_IPsecSAEndpoint.DFHandling" }]
466 uint16 DFHandling;
467 };
468
469
470 // ==================================================================
471 // PeerGatewayForPreconfiguredTunnel
472 // ==================================================================
473 [Association, Version ( "2.8.0" ), Description (
474 "PeerGatewayForPreconfiguredTunnel identifies at most one "
475 "security gateway be used in constructing a preconfigured "
476 "tunnel. A security gateway is simply a particular instance of "
477 "RemoteServiceAccessPoint."),
478 MappingStrings { "IPSP Policy "
479 "Model.IETF|PeerGatewayForPreconfiguredTunnel" }]
480 class CIM_PeerGatewayForPreconfiguredTunnel : CIM_Dependency {
481
482 [Override ( "Antecedent" ), Max ( 1 ), Description (
483 "Security gateway for the preconfigured SA."),
484 a.dunfey 1.1 MappingStrings { "IPSP Policy Model.IETF|"
485 "PeerGatewayForPreconfiguredTunnel.Antecedent" }]
486 CIM_RemoteServiceAccessPoint REF Antecedent;
487
488 [Override ( "Dependent" ), Description (
489 "The PreconfiguredTunnelAction that requires a security "
490 "gateway."),
491 MappingStrings { "IPSP Policy Model.IETF|"
492 "PeerGatewayForPreconfiguredTunnel.Dependent" }]
493 CIM_PreconfiguredTunnelAction REF Dependent;
494 };
495
496
497 // ==================================================================
498 // SANegotiationAction
499 // ==================================================================
500 [Abstract, Version ( "2.8.0" ), Description (
501 "SANegotiationAction is the base class for negotiated SAs. It "
502 "is abstract, specifying the common parameters that control the "
503 "IPsec phase 1 and phase 2 negotiations."),
504 MappingStrings { "IPSP Policy Model.IETF|SANegotiationAction",
505 a.dunfey 1.1 "IPSP Policy Model.IETF|IKENegotiationAction" }]
506 class CIM_SANegotiationAction : CIM_SAAction {
507
508 [Description (
509 "MinLifetimeSeconds prevents certain denial of service "
510 "attacks where the peer requests an arbitrarily low lifetime "
511 "value, causing renegotiations with expensive Diffie-Hellman "
512 "operations. The property specifies the minimum lifetime, in "
513 "seconds, that will be accepted from the peer. A value of "
514 "zero (the default) indicates that there is no minimum "
515 "value. A non-zero value specifies the minimum seconds "
516 "lifetime."),
517 Units ( "Seconds" ),
518 MappingStrings { "IPSP Policy Model.IETF|"
519 "IKENegotiationAction.MinLifetimeSeconds" },
520 ModelCorrespondence {
521 "CIM_SecurityAssociationEndpoint.LifetimeSeconds" }]
522 uint64 MinLifetimeSeconds = 0;
523
524 [Description (
525 "IdleDurationSeconds is the time an SA can remain idle "
526 a.dunfey 1.1 "(i.e., no traffic protected using the security association) "
527 "before it is automatically deleted. The default (zero) "
528 "value indicates that there is no idle duration timer and "
529 "that the SA is deleted based upon the SA seconds and "
530 "kilobyte lifetimes. Any non-zero value indicates the number "
531 "of seconds that the SA may remain unused."),
532 Units ( "Seconds" ),
533 MappingStrings { "IPSP Policy Model.IETF|"
534 "IKENegotiationAction.IdleDurationSeconds" },
535 ModelCorrespondence {
536 "CIM_SecurityAssociationEndpoint.IdleDurationSeconds" }]
537 uint64 IdleDurationSeconds = 0;
538
539 [Description (
540 "MinLifetimeKilobytes prevents certain denial of service "
541 "attacks where the peer requests an arbitrarily low lifetime "
542 "value, causing renegotiations with expensive Diffie-Hellman "
543 "operations. The property specifies the minimum lifetime, in "
544 "kilobytes, that will be accepted from the peer. A value of "
545 "zero (the default) indicates that there is no minimum "
546 "value. A non-zero value specifies the minimum kilobytes "
547 a.dunfey 1.1 "lifetime. Note that there has been considerable debate "
548 "regarding the usefulness of applying kilobyte lifetimes to "
549 "phase 1 security associations, so it is likely that this "
550 "property will only apply to the subclass, IPsecAction."),
551 Units ( "KiloBytes" ),
552 MappingStrings { "IPSP Policy Model.IETF|"
553 "IKENegotiationAction.MinLifetimeKilobytes" },
554 ModelCorrespondence {
555 "CIM_SecurityAssociationEndpoint.LifetimeKilobytes" }]
556 uint64 MinLifetimeKilobytes = 0;
557 };
558
559
560 // ==================================================================
561 // IKEAction
562 // ==================================================================
563 [Version ( "2.8.0" ), Description (
564 "IKEAction specifies the parameters to use for an IPsec IKE "
565 "phase 1 negotiation."),
566 MappingStrings { "IPSP Policy Model.IETF|IKEAction" }]
567 class CIM_IKEAction : CIM_SANegotiationAction {
568 a.dunfey 1.1
569 [Description (
570 "The ExchangeMode designates the mode IKE should use for its "
571 "key negotiations."),
572 ValueMap { "2", "3", "4" },
573 Values { "Base", "Main", "Aggressive" },
574 MappingStrings { "IPSP Policy "
575 "Model.IETF|IKEAction.ExchangeMode" }]
576 uint16 ExchangeMode;
577
578 [Description (
579 "UseIKEIdentityType specifies what network identity type "
580 "should be used when negotiating with the peer. It is used "
581 "in conjunction with the available IPNetworkIdentity "
582 "instances, that are associated with an IPProtocolEndpoint."),
583 ValueMap { "1", "2", "3", "4", "5", "6", "7", "8", "9", "10",
584 "11", "12", "..", "0x8000.." },
585 Values { "Other", "IPV4 Address", "FQDN", "User FQDN",
586 "IPV4 Subnet Address", "IPV6 Address", "IPV6 Subnet Address",
587 "IPV4 Address Range", "IPV6 Address Range", "DER ASN1 DN",
588 "DER ASN1 GN", "KEY ID", "DMTF Reserved", "Vendor Reserved" },
589 a.dunfey 1.1 MappingStrings { "IPSP Policy "
590 "Model.IETF|IKEAction.UseIKEIdentityType",
591 "RFC2407.IETF|Section 4.6.2.1" },
592 ModelCorrespondence { "CIM_IPNetworkIdentity.IdentityType" }]
593 uint16 UseIKEIdentityType;
594
595 [Description (
596 "VendorID specifies the value to be used in the Vendor ID "
597 "payload. An empty string (the default) means that the "
598 "Vendor ID payload will not be generated or accepted. A "
599 "non-NULL value means that a Vendor ID payload will be "
600 "generated (when acting as an initiator) or is expected "
601 "(when acting as a responder)."),
602 MappingStrings { "IPSP Policy Model.IETF|IKEAction.VendorID" }]
603 string VendorID = "";
604
605 [Description (
606 "When IKEAction.ExchangeMode is set to \"Aggressive\" (4), "
607 "this property specifies the key exchange groupID to use in "
608 "the first packets of the phase 1 negotiation. This property "
609 "is ignored unless the ExchangeMode is 'aggressive'. If the "
610 a.dunfey 1.1 "GroupID number is from the vendor- specific range "
611 "(32768-65535), the VendorID qualifies the group number. "
612 "Well-known group identifiers from RFC2412, Appendix E, are: "
613 "Group 1='768 bit prime', Group 2='1024 bit prime', Group "
614 "3='Elliptic Curve Group with 155 bit field element', Group "
615 "4='Large Elliptic Curve Group with 185 bit field element', "
616 "and Group 5='1536 bit prime'."),
617 ValueMap { "0", "1", "2", "3", "4", "5", "..", "0x8000.." },
618 Values { "No Group/Non-Diffie-Hellman Exchange",
619 "DH-768 bit prime", "DH-1024 bit prime",
620 "EC2N-155 bit field element", "EC2N-185 bit field element",
621 "DH-1536 bit prime", "Standard Group - Reserved",
622 "Vendor Reserved" },
623 MappingStrings { "IPSP Policy "
624 "Model.IETF|IKEAction.AggressiveModeGroupID",
625 "RFC2412.IETF|Appendix E" },
626 ModelCorrespondence { "CIM_IKEAction.VendorID" }]
627 uint16 AggressiveModeGroupID;
628 };
629
630
631 a.dunfey 1.1 // ==================================================================
632 // IPsecAction
633 // ==================================================================
634 [Version ( "2.8.0" ), Description (
635 "IPsecAction specifies the parameters to use for an IPsec phase "
636 "2 negotiation."),
637 MappingStrings { "IPSP Policy Model.IETF|IPsecAction" }]
638 class CIM_IPsecAction : CIM_SANegotiationAction {
639
640 [Description (
641 "UsePFS indicates whether perfect forward secrecy is "
642 "required when refreshing keys."),
643 MappingStrings { "IPSP Policy Model.IETF|IPsecAction.UsePFS" },
644 ModelCorrespondence { "CIM_IPsecSAEndpoint.PFSInUse" }]
645 boolean UsePFS;
646
647 [Description (
648 "UsePhase1Group indicates that the phase 2 GroupId should be "
649 "the same as that used in the phase 1 key exchange. If "
650 "UsePFS is False, then this property is ignored. Note that a "
651 "value of False indicates that the property GroupId will "
652 a.dunfey 1.1 "contain the key exchange group to use for phase 2."),
653 MappingStrings { "IPSP Policy "
654 "Model.IETF|IPsecAction.UseIKEGroup" }]
655 boolean UsePhase1Group;
656
657 [Description (
658 "GroupId specifies the PFS group ID to use. This value is "
659 "only used if PFS is True and UsePhase1Group is False. If "
660 "the GroupID number is from the vendor-specific range "
661 "(32768-65535), the VendorID qualifies the group number. "
662 "Well-known group identifiers from RFC2412, Appendix E, are: "
663 "Group 1='768 bit prime', Group 2='1024 bit prime', Group "
664 "3='Elliptic Curve Group with 155 bit field element', Group "
665 "4='Large Elliptic Curve Group with 185 bit field element', "
666 "and Group 5='1536 bit prime'."),
667 ValueMap { "0", "1", "2", "3", "4", "5", "..", "0x8000.." },
668 Values { "No Group/Non-Diffie-Hellman Exchange",
669 "DH-768 bit prime", "DH-1024 bit prime",
670 "EC2N-155 bit field element", "EC2N-185 bit field element",
671 "DH-1536 bit prime", "Standard Group - Reserved",
672 "Vendor Reserved" },
673 a.dunfey 1.1 MappingStrings { "IPSP Policy Model.IETF|IPsecAction.GroupID",
674 "RFC2412.IETF|Appendix E" },
675 ModelCorrespondence { "CIM_IPsecAction.VendorID",
676 "CIM_IKESAEndpoint.GroupID" }]
677 uint16 GroupId;
678
679 [Description (
680 "The property VendorID is used together with the property "
681 "GroupID (when it is in the vendor-specific range) to "
682 "identify the key exchange group. VendorID is ignored unless "
683 "UsePFS is true, AND UsePhase1Group is False, AND GroupID is "
684 "in the vendor-specific range (32768-65535)."),
685 MappingStrings { "IPSP Policy Model.IETF|IPsecAction.VendorID" },
686 ModelCorrespondence { "CIM_IPsecAction.GroupId",
687 "CIM_IKESAEndpoint.VendorID" }]
688 string VendorID;
689
690 [Description (
691 "The property Granularity is an enumeration that specifies "
692 "how the selector for the SA should be derived from the "
693 "traffic that triggered the negotiation. Its values are: \n"
694 a.dunfey 1.1 "1=Other; See the OtherGranularity property for more "
695 "information \n"
696 "2=Subnet; The source and destination subnet masks are used "
697 "\n3=Address; The source and destination IP addresses of the "
698 "triggering packet are used \n"
699 "4=Protocol; The source and destination IP addresses and the "
700 "IP protocol of the triggering packet are used \n"
701 "5=Port; The source and destination IP addresses, IP "
702 "protocol and the source and destination layer 4 ports of "
703 "the triggering packet are used."),
704 ValueMap { "1", "2", "3", "4", "5" },
705 Values { "Other", "Subnet", "Address", "Protocol", "Port" },
706 MappingStrings { "IPSP Policy "
707 "Model.IETF|IPsecAction.Granularity" },
708 ModelCorrespondence { "CIM_IPsecAction.OtherGranularity" }]
709 uint16 Granularity;
710
711 [Description (
712 "Description of the granularity when the value 1 (\"Other\") "
713 "is specified for the property, Granularity."),
714 ModelCorrespondence { "CIM_IPsecAction.Granularity" }]
715 a.dunfey 1.1 string OtherGranularity;
716 };
717
718
719 // ==================================================================
720 // IPsecTransportAction
721 // ==================================================================
722 [Version ( "2.8.0" ), Description (
723 "IPsecTransportAction is used to specify that a transport-mode "
724 "SA should be negotiated."),
725 MappingStrings { "IPSP Policy Model.IETF|IPsecTransportAction" }]
726 class CIM_IPsecTransportAction : CIM_IPsecAction {
727 };
728
729
730 // ==================================================================
731 // IPsecTunnelAction
732 // ==================================================================
733 [Version ( "2.8.0" ), Description (
734 "IPsecTunnelAction is used to specify that a tunnel-mode SA "
735 "should be negotiated."),
736 a.dunfey 1.1 MappingStrings { "IPSP Policy Model.IETF|IPsecTunnelAction" }]
737 class CIM_IPsecTunnelAction : CIM_IPsecAction {
738
739 [Description (
740 "DFHandling controls how the Don't Fragment bit is managed "
741 "by the tunnel."),
742 ValueMap { "2", "3", "4" },
743 Values { "Copy from Internal to External IP Header",
744 "Set DF Bit in External Header to 1",
745 "Set DF Bit in External Header to 0" },
746 MappingStrings { "IPSP Policy Model.IETF|"
747 "PreconfiguredTunnelAction.DFHandling" },
748 ModelCorrespondence { "CIM_IPsecSAEndpoint.DFHandling" }]
749 uint16 DFHandling;
750 };
751
752
753 // ==================================================================
754 // PeerGatewayForTunnel
755 // ==================================================================
756 [Association, Version ( "2.8.0" ), Description (
757 a.dunfey 1.1 "PeerGatewayForTunnel identifies an ordered list of security "
758 "gateways to be used in negotiating and constructing a tunnel. "
759 "A security gateway is simply a particular instance of "
760 "RemoteServiceAccessPoint."),
761 MappingStrings { "IPSP Policy Model.IETF|PeerGatewayForTunnel" }]
762 class CIM_PeerGatewayForTunnel : CIM_Dependency {
763
764 [Override ( "Antecedent" ), Description (
765 "The security gateway for the SA. Note that the absense of "
766 "this association indicates that: \n"
767 "- When acting as a responder, IKE will accept phase 1 "
768 "negotiations with any other security gateway \n"
769 "- When acting as an initiator, IKE will use the destination "
770 "IP address (of the IP packets which triggered the SARule) "
771 "as the IP address of the peer IKE entity."),
772 MappingStrings { "IPSP Policy "
773 "Model.IETF|PeerGatewayForTunnel.Antecedent" }]
774 CIM_RemoteServiceAccessPoint REF Antecedent;
775
776 [Override ( "Dependent" ), Description (
777 "The IPsecTunnelAction that requires a security gateway."),
778 a.dunfey 1.1 MappingStrings { "IPSP Policy "
779 "Model.IETF|PeerGatewayForTunnel.Dependent" }]
780 CIM_IPsecTunnelAction REF Dependent;
781
782 [Description (
783 "SequenceNumber indicates the ordering to be used when "
784 "selecting a PeerGateway instance for an IPsecTunnelAction. "
785 "Lower values are evaluated first."),
786 MappingStrings { "IPSP Policy Model.IETF|"
787 "PeerGatewayForTunnel.SequenceNumber" }]
788 uint16 SequenceNumber;
789 };
790
791
792 // ==================================================================
793 // IPsec phase 1 and 2 Proposals to be negotiated
794 // ==================================================================
795
796 // ==================================================================
797 // SAProposal
798 // ==================================================================
799 a.dunfey 1.1 [Abstract, Version ( "2.8.0" ), Description (
800 "SAProposal is a base class defining the common properties of, "
801 "and anchoring common associations for, IPsec phase 1 and phase "
802 "2 proposals. It is defined as a kind of ScopedSettingData "
803 "(scoped by a ComputerSystem or AdminDomain), since its "
804 "subclasses define sets of IPsec properties that MUST be "
805 "applied together, if negotiated. This subclassing is different "
806 "than that defined in IETF's IPSP Policy draft - where it is "
807 "subclassed from Policy. The definition as SettingData is more "
808 "consistent with the application of the properties as a set, to "
809 "the negotiated Security Association. To indicate that 'this' "
810 "proposaltransform is negotiated for a Security Association, "
811 "use the ElementSettingData to associate the proposal and the "
812 "SA."),
813 MappingStrings { "IPSP Policy Model.IETF|SAProposal" }]
814 class CIM_SAProposal : CIM_ScopedSettingData {
815 };
816
817
818 // ==================================================================
819 // ContainedProposal
820 a.dunfey 1.1 // ==================================================================
821 [Association, Aggregation, Version ( "2.8.0" ), Description (
822 "ContainedProposal holds an ordered list of SAProposals that "
823 "make up an SANegotiationAction. If the referenced "
824 "NegotiationAction is an IKEAction, then the SAProposal objects "
825 "MUST be IKEProposals. If the referenced NegotiationAction "
826 "object is an IPsecTransport/TunnelAction, then the referenced "
827 "SAProposal objects MUST be IPsecProposals."),
828 MappingStrings { "IPSP Policy Model.IETF|ContainedProposal" }]
829 class CIM_ContainedProposal : CIM_Component {
830
831 [Aggregate, Override ( "GroupComponent" ), Description (
832 "The SANegotiationAction containing a list of SAProposals."),
833 MappingStrings { "IPSP Policy "
834 "Model.IETF|ContainedProposal.GroupComponent" }]
835 CIM_SANegotiationAction REF GroupComponent;
836
837 [Override ( "PartComponent" ), Description (
838 "The SAProposal in this negotiation action."),
839 MappingStrings { "IPSP Policy "
840 "Model.IETF|ContainedProposal.PartComponent" }]
841 a.dunfey 1.1 CIM_SAProposal REF PartComponent;
842
843 [Description (
844 "SequenceNumber indicates the ordering to be used when "
845 "chosing from among the proposals. Lower-valued proposals "
846 "are preferred over proposals with higher values. For "
847 "ContainedProposals that reference the same "
848 "SANegotiationAction, SequenceNumber values MUST be unique."),
849 MappingStrings { "IPSP Policy "
850 "Model.IETF|ContainedProposal.SequenceNumber" }]
851 uint16 SequenceNumber;
852 };
853
854
855 // ==================================================================
856 // IKEProposal
857 // ==================================================================
858 [Version ( "2.8.0" ), Description (
859 "IKEProposal contains the parameters necessary to drive the "
860 "phase 1 IKE negotiation."),
861 MappingStrings { "IPSP Policy Model.IETF|IKEProposal" }]
862 a.dunfey 1.1 class CIM_IKEProposal : CIM_SAProposal {
863
864 [Description (
865 "MaxLifetimeSeconds specifies the maximum time the IKE "
866 "message sender proposes for an SA to be considered valid "
867 "after it has been created. A value of zero indicates that "
868 "the default of 8 hours be used. A non-zero value indicates "
869 "the maximum seconds lifetime."),
870 Units ( "Seconds" ),
871 MappingStrings { "IPSP Policy "
872 "Model.IETF|IKEProposal.MaxLifetimeSeconds" },
873 ModelCorrespondence {
874 "CIM_SecurityAssociationEndpoint.LifetimeSeconds" }]
875 uint64 MaxLifetimeSeconds;
876
877 [Description (
878 "MaxLifetimeKilobytes specifies the maximum kilobyte "
879 "lifetime the IKE message sender proposes for an SA to be "
880 "considered valid after it has been created. A value of zero "
881 "(the default) indicates that there should be no maximum "
882 "kilobyte lifetime. A non-zero value specifies the desired "
883 a.dunfey 1.1 "kilobyte lifetime."),
884 Units ( "KiloBytes" ),
885 MappingStrings { "IPSP Policy "
886 "Model.IETF|IKEProposal.MaxLifetimeKilobytes" },
887 ModelCorrespondence {
888 "CIM_SecurityAssociationEndpoint.LifetimeKilobytes" }]
889 uint64 MaxLifetimeKilobytes;
890
891 [Description (
892 "CipherAlgorithm is an enumeration that specifies the "
893 "proposed encryption algorithm. The list of algorithms was "
894 "generated from Appendix A of RFC2409. Note that the "
895 "enumeration is different than the RFC list and aligns with "
896 "the values in IKESAEndpoint.CipherAlgorithm."),
897 ValueMap { "1", "2", "3", "4", "5", "6", "7", "8..65000",
898 "65001..65535" },
899 Values { "Other", "DES", "IDEA", "Blowfish", "RC5", "3DES",
900 "CAST", "DMTF/IANA Reserved", "Vendor Reserved" },
901 MappingStrings { "IPSP Policy "
902 "Model.IETF|IKEProposal.CipherAlgorithm",
903 "RFC2409.IETF|Appendix A" },
904 a.dunfey 1.1 ModelCorrespondence { "CIM_IKESAEndpoint.CipherAlgorithm",
905 "CIM_IKEProposal.OtherCipherAlgorithm" }]
906 uint16 CipherAlgorithm;
907
908 [Description (
909 "Description of the encryption algorithm when the value 1 "
910 "(\"Other\") is specified for the property, CipherAlgorithm."),
911 ModelCorrespondence { "CIM_IKESAEndpoint.OtherCipherAlgorithm",
912 "CIM_IKEProposal.CipherAlgorithm" }]
913 string OtherCipherAlgorithm;
914
915 [Description (
916 "HashAlgorithm is an enumeration that specifies the proposed "
917 "hash function. The list of algorithms was generated from "
918 "Appendix A of RFC2409. Note that the enumeration is "
919 "different than the RFC list and aligns with the values in "
920 "IKESAEndpoint.HashAlgorithm."),
921 ValueMap { "1", "2", "3", "4", "5..65000", "65001..65535" },
922 Values { "Other", "MD5", "SHA-1", "Tiger", "DMTF/IANA Reserved",
923 "Vendor Reserved" },
924 MappingStrings { "IPSP Policy "
925 a.dunfey 1.1 "Model.IETF|IKEProposal.HashAlgorithm",
926 "RFC2409.IETF|Appendix A" },
927 ModelCorrespondence { "CIM_IKESAEndpoint.HashAlgorithm",
928 "CIM_IKEProposal.OtherHashAlgorithm" }]
929 uint16 HashAlgorithm;
930
931 [Description (
932 "Description of the hash function when the value 1 "
933 "(\"Other\") is specified for the property, HashAlgorithm."),
934 ModelCorrespondence { "CIM_IKESAEndpoint.OtherHashAlgorithm",
935 "CIM_IKEProposal.HashAlgorithm" }]
936 string OtherHashAlgorithm;
937
938 [Description (
939 "AuthenticationMethod is an enumeration that specifies the "
940 "proposed authentication. The list of methods was generated "
941 "from Appendix A of RFC2409. Note that the enumeration is "
942 "different than the RFC list and aligns with the values in "
943 "IKESAEndpoint.AuthenticationMethod. There is one change to "
944 "the list - the value 65000 has special meaning. It is a "
945 "special value that indicates that this particular proposal "
946 a.dunfey 1.1 "should be repeated once for each authentication method "
947 "corresponding to credentials installed on the machine. For "
948 "example, if the system has a pre-shared key and an "
949 "public-key certificate, a proposal list would be "
950 "constructed which includes a proposal that specifies a "
951 "pre-shared key and a proposal for any of the public-key "
952 "certificates."),
953 ValueMap { "1", "2", "3", "4", "5", "6", "7..64999", "65000",
954 "65001..65535" },
955 Values { "Other", "Pre-shared Key", "DSS Signatures",
956 "RSA Signatures", "Encryption with RSA",
957 "Revised Encryption with RSA", "DMTF/IANA Reserved", "Any",
958 "Vendor Reserved" },
959 MappingStrings { "IPSP Policy "
960 "Model.IETF|IKEProposal.AuthenticationMethod",
961 "RFC2409.IETF|Appendix A" },
962 ModelCorrespondence { "CIM_IKESAEndpoint.AuthenticationMethod",
963 "CIM_IKEProposal.OtherAuthenticationMethod" }]
964 uint16 AuthenticationMethod;
965
966 [Description (
967 a.dunfey 1.1 "Description of the method when the value 1 (\"Other\") is "
968 "specified for the property, AuthenticationMethod."),
969 ModelCorrespondence {
970 "CIM_IKESAEndpoint.OtherAuthenticationMethod",
971 "CIM_IKEProposal.AuthenticationMethod" }]
972 string OtherAuthenticationMethod;
973
974 [Description (
975 "The property GroupId specifies the proposed phase 1 "
976 "security association key exchange group. This property is "
977 "ignored for all aggressive mode exchanges "
978 "(IKEAction.ExchangeMode = 4). If the GroupID number is from "
979 "the vendor-specific range (32768-65535), the property "
980 "VendorID qualifies the group number. Well-known group "
981 "identifiers from RFC2412, Appendix E, are: Group 1='768 bit "
982 "prime', Group 2='1024 bit prime', Group 3 ='Elliptic Curve "
983 "Group with 155 bit field element', Group 4= 'Large Elliptic "
984 "Curve Group with 185 bit field element', and Group 5='1536 "
985 "bit prime'."),
986 ValueMap { "0", "1", "2", "3", "4", "5", "..", "0x8000.." },
987 Values { "No Group/Non-Diffie-Hellman Exchange",
988 a.dunfey 1.1 "DH-768 bit prime", "DH-1024 bit prime",
989 "EC2N-155 bit field element", "EC2N-185 bit field element",
990 "DH-1536 bit prime", "Standard Group - Reserved",
991 "Vendor Reserved" },
992 MappingStrings { "IPSP Policy Model.IETF|IKEProposal.GroupID",
993 "RFC2412.IETF|Appendix E" },
994 ModelCorrespondence { "CIM_IKESAEndpoint.GroupID",
995 "CIM_IKEProposal.VendorID" }]
996 uint16 GroupId;
997
998 [Description (
999 "VendorID identifies the vendor when the value of GroupID is "
1000 "in the vendor-specific range, 32768 to 65535."),
1001 ModelCorrespondence { "CIM_IKESAEndpoint.VendorID",
1002 "CIM_IKEProposal.GroupId" }]
1003 string VendorID;
1004 };
1005
1006
1007 // ==================================================================
1008 // IPsecProposal
1009 a.dunfey 1.1 // ==================================================================
1010 [Version ( "2.8.0" ), Description (
1011 "The class IPsecProposal adds no new properties, but inherits "
1012 "proposal properties from SAProposal as well as associating the "
1013 "security association transforms necessary for building an "
1014 "IPsec proposal (see the class ContainedTransform)."),
1015 MappingStrings { "IPSP Policy Model.IETF|IPsecProposal" }]
1016 class CIM_IPsecProposal : CIM_SAProposal {
1017 };
1018
1019
1020 // ==================================================================
1021 // ContainedTransform
1022 // ==================================================================
1023 [Association, Aggregation, Version ( "2.8.0" ), Description (
1024 "ContainedTransform associates a proposal with a list of "
1025 "transforms. If multiple transforms of a given type are "
1026 "included in a proposal, these transforms are interpreted as "
1027 "alternatives -- i.e., logically ORed with each other. The "
1028 "order of preference is dictated by the SequenceNumber "
1029 "property. Sets of transforms of different types are logically "
1030 a.dunfey 1.1 "ANDed. For example, a proposal based on two AH transforms and "
1031 "three ESP transforms means one of the AH AND one of the ESP "
1032 "transforms MUST be chosen. Note that at least 1 transform MUST "
1033 "be aggregated into the proposal."),
1034 MappingStrings { "IPSP Policy Model.IETF|ContainedTransform" }]
1035 class CIM_ContainedTransform : CIM_Component {
1036
1037 [Aggregate, Override ( "GroupComponent" ), Description (
1038 "The Proposal containing the transforms."),
1039 MappingStrings { "IPSP Policy Model.IETF|"
1040 "ContainedTransform.GroupComponent" }]
1041 CIM_IPsecProposal REF GroupComponent;
1042
1043 [Override ( "PartComponent" ), Min ( 1 ), Description (
1044 "Transforms in the proposal."),
1045 MappingStrings { "IPSP Policy Model.IETF|"
1046 "ContainedTransform.PartComponent" }]
1047 CIM_SATransform REF PartComponent;
1048
1049 [Description (
1050 "SequenceNumber indicates the order of preference for "
1051 a.dunfey 1.1 "SATransforms of the same type. Lower-valued transforms are "
1052 "preferred over transforms of the same type with higher "
1053 "values. For ContainedTransforms (of the same type) that "
1054 "reference the same IPsecProposal, SequenceNumber values "
1055 "MUST be unique."),
1056 MappingStrings { "IPSP Policy Model.IETF|"
1057 "ContainedTransform.SequenceNumber" }]
1058 uint16 SequenceNumber;
1059 };
1060
1061
1062 // ===================================================================
1063 // end of file
1064 // ===================================================================
|
Return to
CIM_IPsecPolicy.mof
CVS log
Up to [Pegasus] / pegasus / Schemas / CIMPrelim291