GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools


rfc:rfc3585

Network Working Group J. Jason Request for Comments: 3585 Intel Corporation Category: Standards Track L. Rafalow

                                                                   IBM
                                                             E. Vyncke
                                                         Cisco Systems
                                                           August 2003
           IPsec Configuration Policy Information Model

Status of this Memo

 This document specifies an Internet standards track protocol for the
 Internet community, and requests discussion and suggestions for
 improvements.  Please refer to the current edition of the "Internet
 Official Protocol Standards" (STD 1) for the standardization state
 and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

 Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

 This document presents an object-oriented information model of IP
 Security (IPsec) policy designed to facilitate agreement about the
 content and semantics of IPsec policy, and enable derivations of
 task-specific representations of IPsec policy such as storage schema,
 distribution representations, and policy specification languages used
 to configure IPsec-enabled endpoints.  The information model
 described in this document models the configuration parameters
 defined by IPSec.  The information model also covers the parameters
 found by the Internet Key Exchange protocol (IKE).  Other key
 exchange protocols could easily be added to the information model by
 a simple extension.  Further extensions can further be added easily
 due to the object-oriented nature of the model.
 This information model is based upon the core policy classes as
 defined in the Policy Core Information Model (PCIM) and in the Policy
 Core Information Model Extensions (PCIMe).

Jason, et al. Standards Track [Page 1] RFC 3585 IPsec Configuration Policy Model August 2003

Table of Contents

 1.  Introduction..................................................  3
 2.  UML Conventions...............................................  4
 3.  IPsec Policy Model Inheritance Hierarchy......................  6
 4.  Policy Classes................................................ 11
     4.1.  The Class SARule........................................ 13
     4.2.  The Class IKERule....................................... 17
     4.3.  The Class IPsecRule..................................... 18
     4.4.  The Association Class IPsecPolicyForEndpoint............ 18
     4.5.  The Association Class IPsecPolicyForSystem.............. 19
     4.6.  The Aggregation Class SAConditionInRule................. 19
     4.7.  The Aggregation Class PolicyActionInSARule.............. 20
 5.  Condition and Filter Classes.................................. 22
     5.1.  The Class SACondition................................... 23
     5.2.  The Class IPHeadersFilter............................... 23
     5.3.  The Class CredentialFilterEntry......................... 23
     5.4.  The Class IPSOFilterEntry............................... 25
     5.5.  The Class PeerIDPayloadFilterEntry...................... 26
     5.6.  The Association Class FilterOfSACondition............... 28
     5.7.  The Association Class AcceptCredentialFrom.............. 29
 6.  Action Classes................................................ 30
     6.1.  The Class SAAction...................................... 32
     6.2.  The Class SAStaticAction................................ 33
     6.3.  The Class IPsecBypassAction............................. 34
     6.4.  The Class IPsecDiscardAction............................ 34
     6.5.  The Class IKERejectAction............................... 35
     6.6.  The Class PreconfiguredSAAction......................... 35
     6.7.  The Class PreconfiguredTransportAction.................. 36
     6.8.  The Class PreconfiguredTunnelAction..................... 37
     6.9.  The Class SANegotiationAction........................... 37
     6.10. The Class IKENegotiationAction.......................... 38
     6.11. The Class IPsecAction................................... 39
     6.12. The Class IPsecTransportAction.......................... 41
     6.13. The Class IPsecTunnelAction............................. 42
     6.14. The Class IKEAction..................................... 42
     6.15. The Class PeerGateway................................... 44
     6.16. The Association Class PeerGatewayForTunnel.............. 45
     6.17. The Aggregation Class ContainedProposal................. 46
     6.18. The Association Class HostedPeerGatewayInformation...... 47
     6.19. The Association Class TransformOfPreconfiguredAction.... 48
     6.20  The Association Class PeerGatewayForPreconfiguredTunnel. 49
 7.  Proposal and Transform Classes................................ 50
     7.1.  The Abstract Class SAProposal........................... 50
     7.2.  The Class IKEProposal................................... 51
     7.3.  The Class IPsecProposal................................. 54
     7.4.  The Abstract Class SATransform.......................... 54
     7.5.  The Class AHTransform................................... 56

Jason, et al. Standards Track [Page 2] RFC 3585 IPsec Configuration Policy Model August 2003

     7.6.  The Class ESPTransform.................................. 57
     7.7.  The Class IPCOMPTransform............................... 59
     7.8.  The Association Class SAProposalInSystem................ 60
     7.9.  The Aggregation Class ContainedTransform................ 60
     7.10. The Association Class SATransformInSystem............... 62
 8.  IKE Service and Identity Classes.............................. 63
     8.1.  The Class IKEService.................................... 64
     8.2.  The Class PeerIdentityTable............................. 64
     8.3.  The Class PeerIdentityEntry............................. 65
     8.4.  The Class AutostartIKEConfiguration..................... 66
     8.5.  The Class AutostartIKESetting........................... 67
     8.6.  The Class IKEIdentity................................... 69
     8.7.  The Association Class HostedPeerIdentityTable........... 71
     8.8.  The Aggregation Class PeerIdentityMember................ 71
     8.9.  The Association Class IKEServicePeerGateway............. 72
     8.10. The Association Class IKEServicePeerIdentityTable....... 73
     8.11. The Association Class IKEAutostartSetting............... 73
     8.12. The Aggregation Class AutostartIKESettingContext........ 74
     8.13. The Association Class IKEServiceForEndpoint............. 75
     8.14. The Association Class IKEAutostartConfiguration......... 76
     8.15. The Association Class IKEUsesCredentialManagementService 77
     8.16. The Association Class EndpointHasLocalIKEIdentity....... 77
     8.17. The Association Class CollectionHasLocalIKEIdentity..... 78
     8.18. The Association Class IKEIdentitysCredential............ 79
 9.  Implementation Requirements................................... 79
 10. Security Considerations....................................... 84
 11. Intellectual Property Statement............................... 84
 12. References ................................................... 85
     12.1. Normative References.................................... 85
     12.2. Informative References.................................. 86
 13. Disclaimer.................................................... 86
 14. Acknowledgments............................................... 86
 15. Authors' Addresses............................................ 87
 16. Full Copyright Statement...................................... 88

1. Introduction

 IP security (IPsec) policy may assume a variety of forms as it
 travels from storage, to distribution, to decision points.  At each
 step, it needs to be represented in a way that is convenient for the
 current task.  For example, the policy could exist as, but is not
 limited to:
 o  A Lightweight Directory Access Protocol (LDAP) [LDAP] schema in a
    directory.
 o  An on-the-wire representation over a transport protocol like the
    Common Object Policy Service (COPS) [COPS, COPSPR].

Jason, et al. Standards Track [Page 3] RFC 3585 IPsec Configuration Policy Model August 2003

 o  A text-based policy specification language suitable for editing by
    an administrator.
 o  An Extensible Markup Language (XML) document.
 Each of these task-specific representations should be derived from a
 canonical representation that precisely specifies the content and
 semantics of the IPsec policy.  This document captures this concept
 and introduces a task-independent canonical representation for IPsec
 policies.
 This document focuses mainly on the existing protocols [COMP, ESP,
 AH, DOI, IKE].  The model can easily be extended if needed due to its
 object-oriented nature.
 This document is organized as follows:
 o  Section 2 provides a quick introduction to the Unified Modeling
    Language (UML) graphical notation conventions used in this
    document.
 o  Section 3 provides the inheritance hierarchy that describes where
    the IPsec policy classes fit into the policy class hierarchy
    already defined by the Policy Core Information Model (PCIM) and
    Policy Core Information Model Extensions (PCIMe).
 o  Sections 4 through 8 describe the classes that make up the IPsec
    policy model.
 o  Section 9 presents the implementation requirements for the classes
    in the model (i.e., the MUST/MAY/SHOULD status).
 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 "SHOULD", SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
 document are to be interpreted as described in [KEYWORDS].

2. UML Conventions

 For this document, a UML static class diagram was chosen as the
 canonical representation for the IPsec policy model, because UML
 provides a graphical, task-independent way to model systems.  A
 treatise on the graphical notation used in UML is beyond the scope of
 this paper.  However, given the use of ASCII drawing for UML static
 class diagrams, a description of the notational conventions used in
 this document is in order:

Jason, et al. Standards Track [Page 4] RFC 3585 IPsec Configuration Policy Model August 2003

 o  Boxes represent classes, with class names in brackets ([])
    representing an abstract class.
 o  A line that terminates with an arrow (<, >, ^, v) denotes
    inheritance.  The arrow always points to the parent class.
    Inheritance can also be called generalization or specialization
    (depending upon the reference point).  A base class is a
    generalization of a derived class, and a derived class is a
    specialization of a base class.
 o  Associations are used to model a relationship between two classes.
    Classes that share an association are connected using a line.  A
    special kind of association is also used:  an aggregation.  An
    aggregation models a whole-part relationship between two classes.
    Associations, and therefore aggregations, are also modeled as
    classes.
 o  A line that begins with an "o" denotes aggregation.  Aggregation
    denotes containment in which the contained class and the
    containing class have independent lifetimes.
 o  At each end of a line representing an association appears a
    cardinality (i.e., each association has 2 cardinalities).
    Cardinalities indicate the constraints on the number of object
    instances in a set of relationships.  The cardinality on a given
    end of an association indicates the number of different object
    instances of that class that may be associated with a single
    object instance of the class on the other end of the association.
    The cardinality may be:
  1. a range in the form "lower bound..upper bound" indicating the

minimum and maximum number of objects.

  1. a number that indicates the exact number of objects.
  1. an asterisk indicating any number of objects, including zero.

An asterisk is shorthand for 0..n.

  1. the letter n indicating from 1 to many. The letter n is

shorthand for 1..n.

 o  A class that has an association may have a "w" next to the line
    representing the association.  This is called a weak association
    and is discussed in [PCIM].
 It should be noted that the UML static class diagram presented is a
 conceptual view of IPsec policy designed to aid in understanding.  It
 does not necessarily get translated class for class into another

Jason, et al. Standards Track [Page 5] RFC 3585 IPsec Configuration Policy Model August 2003

 representation.  For example, an LDAP implementation may flatten out
 the representation to fewer classes (because of the inefficiency of
 following references).

3. IPsec Policy Model Inheritance Hierarchy

 Like PCIM and PCIMe, the IPsec Configuration Policy Model derives
 from and uses classes defined in the DMTF [DMTF] Common Information
 Model (CIM).  The following tree represents the inheritance hierarchy
 for the IPsec Policy Model classes and how they fit into PCIM, PCIMe
 and the other DMTF models (see Appendices for descriptions of classes
 that are not being introduced as part of IPsec model).  CIM classes
 that are not used as a superclass to derive new classes, but are used
 only as references, are not included in this inheritance hierarchy,
 but can be found in the appropriate DMTF document:  Core Model
 [CIMCORE], User Model [CIMUSER] or, Network Model [CIMNETWORK].
       ManagedElement (DMTF Core Model)
       |
       +--Collection (DMTF Core Model)
       |  |
       |  +--PeerIdentityTable
       |
       +--ManagedSystemElement (DMTF Core Model)
       |  |
       |  +--LogicalElement (DMTF Core Model)
       |     |
       |     +--FilterEntryBase (DMTF Network Model)
       |     |  |
       |     |  +--CredentialFilterEntry
       |     |  |
       |     |  +--IPHeadersFilter (PCIMe)
       |     |  |
       |     |  +--IPSOFilterEntry
       |     |  |
       |     |  +--PeerIDPayloadFilterEntry
       |     |
       |     +--PeerGateway
       |     |
       |     +--PeerIdentityEntry
       |     |
       |     +--Service (DMTF Core Model)
       |        |
       |        +--IKEService
       |

Jason, et al. Standards Track [Page 6] RFC 3585 IPsec Configuration Policy Model August 2003

       +--OrganizationalEntity (DMTF User Model)
       |  |
       |  +--UserEntity (DMTF User Model)
       |     |
       |     +--UsersAccess (DMTF User Model)
       |        |
       |        +--IKEIdentity
       |
       +--Policy (PCIM)
       |  |
       |  +--PolicyAction (PCIM)
       |  |  |
       |  |  +--CompoundPolicyAction (PCIMe)
       |  |  |
       |  |  +--SAAction
       |  |     |
       |  |     +--SANegotiationAction
       |  |     |  |
       |  |     |  +--IKENegotiationAction
       |  |     |     |
       |  |     |     +--IKEAction
       |  |     |     |
       |  |     |     +--IPsecAction
       |  |     |        |
       |  |     |        +--IPsecTransportAction
       |  |     |        |
       |  |     |        +--IPsecTunnelAction
       |  |     |
       |  |     +--SAStaticAction
       |  |        |
       |  |        +--IKERejectAction
       |  |        |
       |  |        +--IPsecBypassAction
       |  |        |
       |  |        +--IPsecDiscardAction
       |  |        |
       |  |        +--PreconfiguredSAAction
       |  |           |
       |  |           +--PreconfiguredTransportAction
       |  |           |
       |  |           +--PreconfiguredTunnelAction
       |  |
       |  +--PolicyCondition (PCIM)
       |  |  |
       |  |  +--SACondition
       |  |
       |  +--PolicySet (PCIMe)
       |  |  |

Jason, et al. Standards Track [Page 7] RFC 3585 IPsec Configuration Policy Model August 2003

       |  |  +--PolicyGroup (PCIM & PCIMe)
       |  |  |
       |  |  +--PolicyRule (PCIM & PCIMe)
       |  |     |
       |  |     +--SARule
       |  |        |
       |  |        +--IKERule
       |  |        |
       |  |        +--IPsecRule
       |  |
       |  +--SAProposal
       |  |  |
       |  |  +--IKEProposal
       |  |  |
       |  |  +--IPsecProposal
       |  |
       |  +--SATransform
       |     |
       |     +--AHTransform
       |     |
       |     +--ESPTransform
       |     |
       |     +--IPCOMPTransform
       |
       +--Setting (DMTF Core Model)
       |  |
       |  +--SystemSetting (DMTF Core Model)
       |     |
       |     +--AutostartIKESetting
       |
       +--SystemConfiguration (DMTF Core Model)
          |
          +--AutostartIKEConfiguration
 The following tree represents the inheritance hierarchy of the IPsec
 policy model association classes and how they fit into PCIM and the
 other DMTF models (see Appendices for description of association
 classes that are not being introduced as part of IPsec model).
       Dependency (DMTF Core Model)
       |
       +--AcceptCredentialsFrom
       |
       +--ElementAsUser (DMTF User Model)
       |  |
       |  +--EndpointHasLocalIKEIdentity
       |  |
       |  +--CollectionHasLocalIKEIdentity

Jason, et al. Standards Track [Page 8] RFC 3585 IPsec Configuration Policy Model August 2003

       |
       +--FilterOfSACondition
       |
       +--HostedPeerGatewayInformation
       |
       +--HostedPeerIdentityTable
       |
       +--IKEAutostartConfiguration
       |
       +--IKEServiceForEndpoint
       |
       +--IKEServicePeerGateway
       |
       +--IKEServicePeerIdentityTable
       |
       +--IKEUsesCredentialManagementService
       |
       +--IPsecPolicyForEndpoint
       |
       +--IPsecPolicyForSystem
       |
       +--PeerGatewayForPreconfiguredTunnel
       |
       +--PeerGatewayForTunnel
       |
       +--PolicyInSystem (PCIM)
       |  |
       |  +--SAProposalInSystem
       |  |
       |  +--SATransformInSystem
       |
       +--TransformOfPreconfiguredAction
       |
       +--UsersCredential (DMTF User Model)
          |
          +--IKEIdentitysCredential
       ElementSetting (DMTF Core Model)
       |
       +--IKEAutostartSetting
       MemberOfCollection (DMTF Core Model)
       |
       +--PeerIdentityMember
       PolicyComponent (PCIM)
       |

Jason, et al. Standards Track [Page 9] RFC 3585 IPsec Configuration Policy Model August 2003

       +--ContainedProposal
       |
       +--ContainedTransform
       |
       +--PolicyActionStructure (PCIMe)
       |  |
       |  +--PolicyActionInPolicyRule (PCIM & PCIMe)
       |     |
       |     +--PolicyActionInSARule
       |
       +--PolicyConditionStructure (PCIMe)
       |  |
       |  +--PolicyConditionInPolicyRule (PCIM & PCIMe)
       |     |
       |     +--SAConditionInRule
       |
       +--PolicySetComponent (PCIMe)
       SystemSettingContext (DMTF Core Model)
       |
       +--AutostartIKESettingContext

Jason, et al. Standards Track [Page 10] RFC 3585 IPsec Configuration Policy Model August 2003

4. Policy Classes

 The IPsec policy classes represent the set of policies that are
 contained on a system.
                                +--------------+
                                | [PolicySet]  |*
                                |  ([PCIME])   |o--+
                                +--------------+   |
                                       ^   *|      |(a)
                                       |    +------+
            +--------------------------+
            |                          |
     +-------------+            +--------------+
     | PolicyGroup |0..1        |  PolicyRule  |*
     |  ([PCIM])   |-----+      |  ([PCIM])    |o--+
     +-------------+     |      +--------------+   |(d)
        0..1|            |            ^            |
            |(b)         |            |            |*
           *|            |            | +---------------------------+
 +--------------------+  |(c)         | | PolicyTimePeriodCondition |
 | IPProtocolEndpoint |  |            | |         ([PCIM])          |
 |   ([CIMNETWORK])   |  |            | +---------------------------+
 +--------------------+  |            |
       +------------+    |      *+----------+*
       |   System   |----+    +-o|  SARule  |o-------+
       | ([CIMCORE])|*        |  +----------+        |(f)
       +------------+         |       ^              |
                           (e)|       |              |n
       +-------------+n       |       |        +--------------+
       | SACondition |--------+       |        |[PolicyAction]|
       +-------------+                |        |   ([PCIM])   |
                                      |        +--------------+
                                      |          *|        ^
                                      |           |(g)     |
                                      |           |        +-------+
                                      |          *o        |       |
                                      |  +----------------------+  |
                                      |  | CompoundPolicyAction |  |
                                      |  |       ([PCIME])      |  |
                                      |  +----------------------+  |
                                      |                            |
                            +---------+----+             +---------+
                            |              |             |
                       +---------+   +-----------+   +----------+
                       | IKERule |   | IPsecRule |   | SAAction |
                       +---------+   +-----------+   +----------+

Jason, et al. Standards Track [Page 11] RFC 3585 IPsec Configuration Policy Model August 2003

    (a)  PolicySetComponent ([PCIME])
    (b)  IPsecPolicyForEndpoint
    (c)  IPsecPolicyForSystem
    (d)  PolicyRuleValidityPeriod ([PCIM])
    (e)  SAConditionInRule
    (f)  PolicyActionInSARule
    (g)  PolicyActionInPolicyAction ([PCIME])
 A PolicyGroup represents the set of policies that are used on an
 interface.   This PolicyGroup SHOULD be associated either directly
 with the IPProtocolEndpoint class instance that represents the
 interface (via the IPsecPolicyForEndpoint association) or indirectly
 (via the IPsecPolicyForSystem association) associated with the System
 that hosts the interface.
 The IKE and IPsec rules are used to build or to negotiate the IPsec
 Security Association Database (SADB).  The IPsec rules represent the
 Security Policy Database.  The SADB itself is not modeled by this
 document.
 The IKE and IPsec rules can be described as (also see section 6 about
 actions):
 o  An egress unprotected packet will first be checked against the
    IPsec rules.  If a match is found, the SADB will be checked.  If
    there is no corresponding IPsec SA in the SADB, and if IKE
    negotiation is required by the IPsec rule, the corresponding IKE
    rules will be used.  The negotiated or preconfigured SA will then
    be installed in the SADB.
 o  An ingress unprotected packet will first be checked against the
    IPsec rules.  If a match is found, the SADB will be checked for a
    corresponding IPsec SA.  If there is no corresponding IPsec SA and
    a preconfigured SA exists, this preconfigured SA will be installed
    in the IPsec SADB.  This behavior should only apply to bypass and
    discard actions.
 o  An ingress protected packet will first be checked against the
    IPsec rules.  If a match is found, the SADB will be checked for a
    corresponding IPsec SA.  If there is no corresponding IPsec SA and
    a preconfigured SA exists, this preconfigured SA will be installed
    in the IPsec SADB.
 o  An ingress IKE negotiation packet, which is not part of an
    existing IKE SA, will be checked against the IKE rules.  The
    SACondition for the IKERule will usually be composed of a
    PeerIDPayloadFilterEntry (typically for an aggressive mode IKE

Jason, et al. Standards Track [Page 12] RFC 3585 IPsec Configuration Policy Model August 2003

    negotiation) or an IPHeadersFilter.  The negotiated SA will then
    be installed in the SADB.
 It is expected that when an IKE negotiation is required to be
 initiated by an IPsec rule, the set of IKE rules will be checked.
 The IKE rules check will be based on the outgoing IKE packet using
 IPHeadersFilter entries (typically using the HdrDstAddress property).

4.1. The Class SARule

 The class SARule serves as a base class for IKERule and IPsecRule.
 Even though the class is concrete, it MUST not be instantiated.  It
 defines a common connection point for associations to conditions and
 actions for both types of rules.  Through its derivation from
 PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has
 the PolicyRuleValidityPeriod association.
 Each SARule in a valid PolicyGroup MUST have a unique associated
 priority number in the PolicySetComponent.Priority.  The class
 definition for SARule is as follows:
    NAME         SARule
    DESCRIPTION  A base class for IKERule and IPsecRule.
    DERIVED FROM PolicyRule (see [PCIM] & [PCIME])
    ABSTRACT     FALSE
    PROPERTIES   PolicyRuleName (from PolicyRule)
                 Enabled (from PolicyRule)
                 ConditionListType (from PolicyRule)
                 RuleUsage (from PolicyRule)
                 Mandatory (from PolicyRule)
                 SequencedActions (from PolicyRule)
                 ExecutionStrategy (from PolicyRule)
                 PolicyRoles (from PolicySet)
                 PolicyDecisionStrategy (from PolicySet)
                 LimitNegotiation

4.1.1. The Properties PolicyRuleName, Enabled, ConditionListType,

     RuleUsage, Mandatory, SequencedActions, PolicyRoles, and
     PolicyDecisionStrategy
 For a description of these properties, see [PCIM] and [PCIME].
 In SARule subclass instances:
  1. if the property Mandatory exists, it MUST be set to "true".
  1. if the property SequencedActions exists, it MUST be set to

"mandatory".

Jason, et al. Standards Track [Page 13] RFC 3585 IPsec Configuration Policy Model August 2003

  1. the property PolicyRoles is not used in the device-level model.
  1. if the property PolicyDecisionStrategy exists, it must be set to

"FirstMatching".

4.1.2. The Property ExecutionStrategy

 The ExecutionStrategy properties in the PolicyRule subclasses (and in
 the CompoundPolicyAction class) determine the behavior of the
 contained actions.  It defines the strategy to be used in executing
 the sequenced actions aggregated by a rule or a compound action.  In
 the case of actions within a rule, the PolicyActionInSARule
 aggregation is used to collect the actions into an ordered set; in
 the case of a compound action, the PolicyActionInPolicyAction
 aggregation is used to collect the actions into an ordered subset.
 There are three execution strategies: do until success, do all, and
 do until failure.
 "Do Until Success" causes the execution of actions according to the
 ActionOrder property in the aggregation instances until a successful
 execution of a single action.  These actions may be evaluated to
 determine if they are appropriate to execute rather than blindly
 trying each of the actions until one succeeds.  For an initiator,
 they are tried in the ActionOrder until the list is exhausted or one
 completes successfully.  For example, an IKE initiator may have
 several IKEActions for the same SACondition.  The initiator will try
 all IKEActions in the order defined by ActionOrder.  I.e., it will
 possibly try several phase 1 negotiations with different modes (main
 mode then aggressive mode) and/or with multiple IKE peers.  For a
 responder, when there is more than one action in the rule with "do
 until success" condition clause, this provides alternative actions
 depending on the received proposals.  For example, the same IKERule
 may be used to handle aggressive mode and main mode negotiations with
 different actions.  The responder uses the first appropriate action
 in the list of actions.
 "Do All" causes the execution of all the actions in the aggregated
 set according to their defined order.  The execution continues
 regardless of failures.
 "Do Until Failure" causes the execution of all actions according to a
 predefined order until the first failure in execution of an action
 instance.  Please note that if all actions are successful, then the
 aggregated result is a failure.  This execution strategy is inherited
 from [PCIME] and is not expected to be of any use for IPsec
 configuration.

Jason, et al. Standards Track [Page 14] RFC 3585 IPsec Configuration Policy Model August 2003

 For example, in a nested SAs case, the actions of an initiator's rule
 might be structured as:
 IPsecRule.ExecutionStrategy='Do All'
 |
 +---1--- IPsecTunnelAction    // set up SA from host to gateway
 |
 +---2--- IPsecTransportAction // set up SA from host through
                               // tunnel to remote host
 Another example, showing a rule with fallback actions might be
 structured as:
 IPsecRule.ExecutionStrategy='Do Until Success'
 |
 +---6--- IPsecTransportAction // negotiate SA with peer
 |
 +---9--- IPsecBypassAction    // but if you must, allow in the clear
 The CompoundPolicyAction class (See [PCIME]) may be used in
 constructing the actions of IKE and IPsec rules when those rules
 specify both multiple actions and fallback actions.  The
 ExecutionStrategy property in CompoundPolicyAction is used in
 conjunction with that in the PolicyRule.
 For example, in nesting SAs with a fallback security gateway, the
 actions of a rule might be structured as:
 IPsecRule.ExecutionStrategy='Do All'
 |
 +---1--- CompoundPolicyAction.ExecutionStrategy='Do Until Success'
 |        |
 |        +---1--- IPsecTunnelAction  // set up SA from host to
 |        |                           // gateway1
 |        |
 |        +---2--- IPsecTunnelAction  // or set up SA to gateway2
 |
 +---2--- IPsecTransportAction        // then set up SA from host
                                      // through tunnel to remote
                                      // host
 In the case of "Do All", a couple of actions can be executed
 successfully before a subsequent action fails.  In this case, some
 IKE or IPsec actions may have resulted in SAs creation.  Even if the
 net effect of the aggregated actions is failure, those created SAs
 MAY be kept or MAY be deleted.

Jason, et al. Standards Track [Page 15] RFC 3585 IPsec Configuration Policy Model August 2003

 In the case of "Do All", the IPsec selectors to be used during IPsec
 SA negotiation are:
  1. for the last IPsecAction of the aggregation (i.e., usually the

innermost IPsec SA): this is the combination of the

    IPHeadersFilter class and of the Granularity property of the
    IPsecAction.
  1. for all other IPsecActions of the aggregation: the selector is the

source IP address which is the local IP address, and the

    destination IP address is the PeerGateway IP address of the
    following IPsecAction of the "Do All" aggregation.  NB: the
    granularity is IP address to IP address.
 If the above behavior is not desirable, the alternative is to define
 several SARules, one for each IPsec SA to be built.  This will allow
 the definition of specific IPsec selectors for all IPsecActions.

4.1.3 The Property LimitNegotiation

 The property LimitNegotiation is used as part of processing either an
 IKE or an IPsec rule.
 Before proceeding with a phase 1 negotiation, this property is
 checked to determine whether the negotiation role of the rule matches
 that defined for the negotiation being undertaken (e.g., Initiator,
 Responder, or Both).  If this check fails (e.g., the current role is
 IKE responder, while the rule specifies IKE initiator), then the IKE
 negotiation is stopped.  Note that this only applies to new IKE phase
 1 negotiations and has no effect on either renegotiation or refresh
 operations with peers for which an established SA already exists.
 Before proceeding with a phase 2 negotiation, the LimitNegotiation
 property of the IPsecRule is first checked to determine if the
 negotiation role indicated for the rule matches that of the current
 negotiation (Initiator, Responder, or Either).  Note that this limit
 applies only to new phase 2 negotiations.  It is ignored when an
 attempt is made to refresh an expiring SA (either side can initiate a
 refresh operation).  The IKE system can determine that the
 negotiation is a refresh operation by checking to see if the selector
 information matches that of an existing SA.  If LimitNegotiation does
 not match and the selector corresponds to a new SA, the negotiation
 is stopped.

Jason, et al. Standards Track [Page 16] RFC 3585 IPsec Configuration Policy Model August 2003

 The property is defined as follows:
    NAME         LimitNegotiation
    DESCRIPTION  Limits the role to be undertaken during negotiation.
    SYNTAX       unsigned 16-bit integer
    VALUE        1 - initiator-only
                 2 - responder-only
                 3 - both

4.2. The Class IKERule

 The class IKERule associates Conditions and Actions for IKE phase 1
 negotiations.  The class definition for IKERule is as follows:
    NAME         IKERule
    DESCRIPTION  Associates Conditions and Actions for IKE phase 1
                 negotiations.
    DERIVED FROM SARule
    ABSTRACT     FALSE
    PROPERTIES   same as SARule, plus
                 IdentityContexts

4.2.1. The Property IdentityContexts

 The IKE service of a security endpoint may have multiple identities
 for use in different situations.  The combination of the interface
 (represented by the IPProtocolEndpoint or by a collection of
 IPProtocolEndpoints), the identity type (as specified in the
 IKEAction), and the IdentityContexts specifies a unique identity.
 The IdentityContexts property specifies the context to select the
 relevant IKE identity to be used during the further IKEAction.  A
 context may be a VPN name or other identifier for selecting the
 appropriate identity for use on the protected IPProtocolEndpoint (or
 collection of IPProtocolEndpoints).
 IdentityContexts is an array of strings.  The multiple values in the
 array are logically ORed together in evaluating the IdentityContexts.
 Each value in the array may be the composition of multiple context
 names.  So, a single value may be a single context name (e.g.,
 "CompanyXVPN"), or it may be combination of contexts.  When an array
 value is a composition, the individual values are logically ANDed
 together for evaluation purposes and the syntax is:
    <ContextName>[&&<ContextName>]*
 where the individual context names appear in alphabetical order
 (according to the collating sequence for UCS-2).  So, for example,

Jason, et al. Standards Track [Page 17] RFC 3585 IPsec Configuration Policy Model August 2003

 the values "CompanyXVPN", "CompanyYVPN&&TopSecret",
 "CompanyZVPN&&Confidential" means that, for the appropriate
 IPProtocolEndpoint and IdentityType, the contexts are matched if the
 identity specifies "CompanyXVPN", "CompanyYVPN&&TopSecret", or
 "CompanyZVPN&&Confidential".
 The property is defined as follows:
    NAME         IdentityContexts
    DESCRIPTION  Specifies the context in which to select the IKE
                 identity.
    SYNTAX       string array

4.3. The Class IPsecRule

 The class IPsecRule associates Conditions and Actions for IKE phase 2
 negotiations for the IPsec DOI.  The class definition for IPsecRule
 is as follows:
    NAME         IPsecRule
    DESCRIPTION  Associates Conditions and Actions for IKE phase 2
                 negotiations for the IPsec DOI.
    DERIVED FROM SARule
    ABSTRACT     FALSE
    PROPERTIES   same as SARule

4.4. The Association Class IPsecPolicyForEndpoint

 The class IPsecPolicyForEndpoint associates a PolicyGroup with a
 specific network interface.  If an IPProtocolEndpoint of a system
 does not have an IPsecPolicyForEndpoint-associated PolicyGroup, then
 the IPsecPolicyForSystem associated PolicyGroup is used for that
 endpoint.  The class definition for IPsecPolicyForEndpoint is as
 follows:
    NAME         IPsecPolicyForEndpoint
    DESCRIPTION  Associates a policy group to a network interface.
    DERIVED FROM Dependency (see [CIMCORE])
    ABSTRACT     FALSE
    PROPERTIES   Antecedent[ref IPProtocolEndpoint[0..n]]
                 Dependent[ref PolicyGroup[0..1]]

4.4.1. The Reference Antecedent

 The property Antecedent is inherited from Dependency and is
 overridden to refer to an IPProtocolEndpoint instance.  The [0..n]
 cardinality indicates that a PolicyGroup instance may be associated
 with zero or more IPProtocolEndpoint instances.

Jason, et al. Standards Track [Page 18] RFC 3585 IPsec Configuration Policy Model August 2003

4.4.2. The Reference Dependent

 The property Dependent is inherited from Dependency and is overridden
 to refer to a PolicyGroup instance.  The [0..1] cardinality indicates
 that an IPProtocolEndpoint instance may have an association to at
 most one PolicyGroup instance.

4.5. The Association Class IPsecPolicyForSystem

 The class IPsecPolicyForSystem associates a PolicyGroup with a
 specific system.  If an IPProtocolEndpoint of a system does not have
 an IPsecPolicyForEndpoint-associated PolicyGroup, then the
 IPsecPolicyForSystem associated PolicyGroup is used for that
 endpoint.  The class definition for IPsecPolicyForSystem is as
 follows:
    NAME         IPsecPolicyForSystem
    DESCRIPTION  Default policy group for a system.
    DERIVED FROM Dependency (see [CIMCORE])
    ABSTRACT     FALSE
    PROPERTIES   Antecedent[ref System[0..n]]
                 Dependent[ref PolicyGroup[0..1]]

4.5.1. The Reference Antecedent

 The property Antecedent is inherited from Dependency and is
 overridden to refer to a System instance.  The [0..n] cardinality
 indicates that a PolicyGroup instance may have an association to zero
 or more System instances.

4.5.2. The Reference Dependent

 The property Dependent is inherited from Dependency and is overridden
 to refer to a PolicyGroup instance.  The [0..1] cardinality indicates
 that a System instance may have an association to at most one
 PolicyGroup instance.

4.6. The Aggregation Class SAConditionInRule

 The class SAConditionInRule associates an SARule with the SACondition
 instance(s) that trigger(s) it.  The class definition for
 SAConditionInRule is as follows:
    NAME         SAConditionInRule
    DESCRIPTION  Associates an SARule with the SACondition instance(s)
                 that trigger(s) it.
    DERIVED FROM PolicyConditionInPolicyRule (see [PCIM] & [PCIME])
    ABSTRACT     FALSE

Jason, et al. Standards Track [Page 19] RFC 3585 IPsec Configuration Policy Model August 2003

    PROPERTIES   GroupNumber (from PolicyConditionInPolicyRule)
                 ConditionNegated (from PolicyConditionInPolicyRule)
                 GroupComponent [ref SARule [0..n]]
                 PartComponent [ref SACondition [1..n]]

4.6.1. The Properties GroupNumber and ConditionNegated

 For a description of these properties, see [PCIM].

4.6.2. The Reference GroupComponent

 The property GroupComponent is inherited from
 PolicyConditionInPolicyRule and is overridden to refer to an SARule
 instance.  The [0..n] cardinality indicates that an SACondition
 instance may be contained in zero or more SARule instances.

4.6.3. The Reference PartComponent

 The property PartComponent is inherited from
 PolicyConditionInPolicyRule and is overridden to refer to an
 SACondition instance.  The [1..n] cardinality indicates that an
 SARule instance MUST contain at least one SACondition instance.

4.7. The Aggregation Class PolicyActionInSARule

 The PolicyActionInSARule class associates an SARule with one or more
 PolicyAction instances.  In all cases where an SARule is being used,
 the contained actions MUST be either subclasses of SAAction or
 instances of CompoundPolicyAction.  For an IKERule, the contained
 actions MUST be related to phase 1 processing, i.e., IKEAction or
 IKERejectAction.  Similarly, for an IPsecRule, contained actions MUST
 be related to phase 2 or preconfigured SA processing, e.g.,
 IPsecTransportAction, IPsecBypassAction, etc.  The class definition
 for PolicyActionInSARule is as follows:
    NAME         PolicyActionInSARule
    DESCRIPTION  Associates an SARule with its PolicyAction(s).
    DERIVED FROM PolicyActionInPolicyRule (see [PCIM] & [PCIME])
    ABSTRACT     FALSE
    PROPERTIES   GroupComponent [ref SARule [0..n]]
                 PartComponent [ref PolicyAction [1..n]]
                 ActionOrder (from PolicyActionInPolicyRule)

Jason, et al. Standards Track [Page 20] RFC 3585 IPsec Configuration Policy Model August 2003

4.7.1. The Reference GroupComponent

 The property GroupComponent is inherited from
 PolicyActionInPolicyRule and is overridden to refer to an SARule
 instance.  The [0..n] cardinality indicates that an SAAction instance
 may be contained in zero or more SARule instances.

4.7.2. The Reference PartComponent

 The property PartComponent is inherited from PolicyActionInPolicyRule
 and is overridden to refer to an SAAction or CompoundPolicyAction
 instance.  The [1..n] cardinality indicates that an SARule instance
 MUST contain at least one SAAction or CompoundPolicyAction instance.

4.7.3. The Property ActionOrder

 The property ActionOrder is inherited from the superclass
 PolicyActionInPolicyRule.  It specifies the relative position of this
 PolicyAction in the sequence of actions associated with a PolicyRule.
 The ActionOrder MUST be unique so as to provide a deterministic
 order.  In addition, the actions in an SARule are executed as
 follows.  See section 4.2.2, ExecutionStrategy, for a discussion on
 the use of the ActionOrder property.
 The property is defined as follows:
    NAME         ActionOrder
    DESCRIPTION  Specifies the order of actions.
    SYNTAX       unsigned 16-bit integer
    VALUE        Any value between 1 and 2^16-1 inclusive.  Lower
                 values have higher precedence (i.e., 1 is the
                 highest precedence).  The merging order of two
                 SAActions with the same precedence is undefined.

Jason, et al. Standards Track [Page 21] RFC 3585 IPsec Configuration Policy Model August 2003

5. Condition and Filter Classes

 The IPsec condition and filter classes are used to build the "if"
 part of the IKE and IPsec rules.
  • +————-+

+——————–| SACondition |

 |                    +-------------+
 |                         * |
 |                           |(a)
 |                         1 |
 |                   +---------------+
 |                   |  FilterList   |
 |                   |([CIMNETWORK]) |
 |                   +---------------+
 |                         1 o
 |(b)                        |(c)
 |                         * |
 |                   +-----------------+
 |                   | FilterEntryBase |
 |                   | ([CIMNETWORK])  |
 |                   +-----------------+
 |                           ^
 |                           |
 |    +-----------------+    |    +-----------------------+
 |    | IPHeadersFilter |----+----| CredentialFilterEntry |
 |    |   ([PCIME])     |    |    +-----------------------+
 |    +-----------------+    |
 |                           |
 |    +-----------------+    |    +--------------------------+
 |    | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry |
 |    +-----------------+         +--------------------------+
 |
 |           *+-----------------------------+
 +------------| CredentialManagementService |
              |         ([CIMUSER])         |
              +-----------------------------+
    (a)  FilterOfSACondition
    (b)  AcceptCredentialsFrom
    (c)  EntriesInFilterList (see [CIMNETWORK])

Jason, et al. Standards Track [Page 22] RFC 3585 IPsec Configuration Policy Model August 2003

5.1. The Class SACondition

 The class SACondition defines the conditions of rules for IKE and
 IPsec negotiations.  Conditions are associated with policy rules via
 the SAConditionInRule aggregation.  It is used as an anchor point to
 associate various types of filters with policy rules via the
 FilterOfSACondition association.  It also defines whether Credentials
 can be accepted for a particular policy rule via the
 AcceptCredentialsFrom association.
 Associated objects represent components of the condition that may or
 may not apply at a given rule evaluation.  For example, an
 AcceptCredentialsFrom evaluation is only performed when a credential
 is available to be evaluated against the list of trusted credential
 management services.  Similarly, a PeerIDPayloadFilterEntry may only
 be evaluated when an IDPayload value is available to compare with the
 filter.  Condition components that do not have corresponding values
 with which to evaluate are evaluated as TRUE unless the protocol has
 completed without providing the required information.
 The class definition for SACondition is as follows:
    NAME         SACondition
    DESCRIPTION  Defines the preconditions for IKE and IPsec
                 negotiations.
    DERIVED FROM PolicyCondition (see [PCIM])
    ABSTRACT     FALSE
    PROPERTIES   PolicyConditionName (from PolicyCondition)

5.2. The Class IPHeadersFilter

 The class IPHeadersFilter is defined in [PCIME] with the following
 note:
 1) to specify 5-tuple filters that are to apply symmetrically (i.e.,
    matches traffic in both directions of the same flows which is
    quite typical for SPD entries for ingress and egress traffic), the
    Direction property of the FilterList SHOULD be set to "Mirrored".

5.3. The Class CredentialFilterEntry

 The class CredentialFilterEntry defines an equivalence class that
 match credentials of IKE peers.  Each CredentialFilterEntry includes
 a MatchFieldName that is interpreted according to the
 CredentialManagementService(s) associated with the SACondition
 (AcceptCredentialsFrom).

Jason, et al. Standards Track [Page 23] RFC 3585 IPsec Configuration Policy Model August 2003

 These credentials can be X.509 certificates, Kerberos tickets, or
 other types of credentials obtained during the Phase 1 exchange.
 Note: this filter entry will probably be checked while the IKE
 negotiation takes place.  If the check is a failure, then the IKE
 negotiation MUST be stopped, and the result of the IKEAction which
 triggered this negotiation is a failure.
 The class definition for CredentialFilterEntry is as follows:
    NAME         CredentialFilterEntry
    DESCRIPTION  Specifies a match filter based on the IKE
                 credentials.
    DERIVED FROM FilterEntryBase (see [CIMNETWORK])
    ABSTRACT     FALSE
    PROPERTIES   Name (from FilterEntryBase)
                 IsNegated (from FilterEntryBase)
                 MatchFieldName
                 MatchFieldValue
                 CredentialType

5.3.1. The Property MatchFieldName

 The property MatchFieldName specifies the sub-part of the credential
 to match against MatchFieldValue.  The property is defined as
 follows:
    NAME         MatchFieldName
    DESCRIPTION  Specifies which sub-part of the credential to match.
    SYNTAX       string
    VALUE        This is the string representation of a X.509
                 certificate attribute, e.g.:
                 - "serialNumber"
                 - "signatureAlgorithm"
                 - "issuerName"
                 - "subjectName"
                 - "subjectAltName"
                 - ...

5.3.2. The Property MatchFieldValue

 The property MatchFieldValue specifies the value to compare with the
 MatchFieldName in a credential to determine if the credential matches
 this filter entry.  The property is defined as follows:
    NAME         MatchFieldValue
    DESCRIPTION  Specifies the value to be matched by the
                 MatchFieldName.

Jason, et al. Standards Track [Page 24] RFC 3585 IPsec Configuration Policy Model August 2003

    SYNTAX       string
    VALUE        NB: If the CredentialFilterEntry corresponds to a
                 DistinguishedName, this value in the CIM class is
                 represented by an ordinary string value.  However, an
                 implementation must convert this string to a DER-
                 encoded string before matching against the values
                 extracted from credentials at runtime.
 A wildcard mechanism may be used for MatchFieldNames that contain
 character strings.  The MatchFieldValue may contain a wildcard
 character, '*', in the pattern match specification.  For example, if
 the MatchFieldName is "subjectName", then a MatchFieldValue of
 "cn=*,ou=engineering,o=foo,c=be" will successfully match a
 certificate whose subject attribute is "cn=Jane
 Doe,ou=engineering,o=foo,c=be".  The wildcard character can be used
 to represent 0 or more characters as would be displayed to the user
 (i.e., a wildcard pattern match operates on displayable character
 boundaries).

5.3.3. The Property CredentialType

 The property CredentialType specifies the particular type of
 credential that is being matched.  The property is defined as
 follows:
    NAME         CredentialType
    DESCRIPTION  Defines the type of IKE credentials.
    SYNTAX       unsigned 16-bit integer
    VALUE        1 - X.509 Certificate
                 2 - Kerberos Ticket

5.4. The Class IPSOFilterEntry

 The class IPSOFilterEntry is used to match traffic based on the IP
 Security Options [IPSO] header values (ClassificationLevel and
 ProtectionAuthority) as defined in RFC 1108.  This type of filter
 entry is used to adjust the IPsec encryption level according to the
 IPSO classification of the traffic (e.g., secret, confidential,
 restricted, etc.)  The class definition for IPSOFilterEntry is as
 follows:
    NAME         IPSOFilterEntry
    DESCRIPTION  Specifies the a match filter based on IP Security
                 Options.
    DERIVED FROM FilterEntryBase (see [CIMNETWORK])
    ABSTRACT     FALSE

Jason, et al. Standards Track [Page 25] RFC 3585 IPsec Configuration Policy Model August 2003

    PROPERTIES   Name (from FilterEntryBase)
                 IsNegated (from FilterEntryBase)
                 MatchConditionType
                 MatchConditionValue

5.4.1. The Property MatchConditionType

 The property MatchConditionType specifies the IPSO header field that
 will be matched (e.g., traffic classification level or protection
 authority).  The property is defined as follows:
    NAME         MatchConditionType
    DESCRIPTION  Specifies the IPSO header field to be matched.
    SYNTAX       unsigned 16-bit integer
    VALUE        1 - ClassificationLevel
                 2 - ProtectionAuthority

5.4.2. The Property MatchConditionValue

 The property MatchConditionValue specifies the value of the IPSO
 header field to be matched against.  The property is defined as
 follows:
    NAME         MatchConditionValue
    DESCRIPTION  Specifies the value of the IPSO header field to be
                 matched against.
    SYNTAX       unsigned 16-bit integer
    VALUE        The values MUST be one of values listed in RFC 1108
                 (or any further IANA Assigned Numbers document).
                 Some examples for ClassificationLevel are:
                 61 - TopSecret
                 90 - Secret
                 150 - Confidential
                 171 - Unclassified
                 For ProtectionAuthority, some examples are:
                 0 - GENSER
                 1 - SIOP-ESI
                 2 - SCI
                 3 - NSA
                 4 - DOE

5.5. The Class PeerIDPayloadFilterEntry

 The class PeerIDPayloadFilterEntry defines filters used to match ID
 payload values from the IKE protocol exchange.
 PeerIDPayloadFilterEntry permits the specification of certain ID
 payload values such as "*@example.com" or "192.0.2.0/24".

Jason, et al. Standards Track [Page 26] RFC 3585 IPsec Configuration Policy Model August 2003

 Obviously this filter applies only to IKERules when acting as a
 responder.  Moreover, this filter can be applied immediately in the
 case of aggressive mode but its application is to be delayed in the
 case of main mode.  The class definition for PeerIDPayloadFilterEntry
 is as follows:
    NAME         PeerIDPayloadFilterEntry
    DESCRIPTION  Specifies a match filter based on IKE identity.
    DERIVED FROM FilterEntryBase (see [CIMNETWORK])
    ABSTRACT     FALSE
    PROPERTIES   Name (from FilterEntryBase)
                 IsNegated (from FilterEntryBase)
                 MatchIdentityType
                 MatchIdentityValue

5.5.1. The Property MatchIdentityType

 The property MatchIdentityType specifies the type of identity
 provided by the peer in the ID payload.  The property is defined as
 follows:
    NAME         MatchIdentityType
    DESCRIPTION  Specifies the ID payload type.
    SYNTAX       unsigned 16-bit integer
    VALUE        Consult [DOI] for valid values.
 5.5.2. The Property MatchIdentityValue
 The property MatchIdentityValue specifies the filter value for
 comparison with the ID payload, e.g., "*@example.com".  The property
 is defined as follows:
    NAME         MatchIdentityValue
    DESCRIPTION  Specifies the ID payload value.
    SYNTAX       string
    VALUE        NB: The syntax may need to be converted for
                 comparison.  If the PeerIDPayloadFilterEntry type is
                 a DistinguishedName, the name in the
                 MatchIdentityValue property is represented by an
                 ordinary string value, but this value must be
                 converted into a DER-encoded string before matching
                 against the values extracted from IKE ID payloads at
                 runtime.  The same applies to IPv4 & IPv6 addresses.

Jason, et al. Standards Track [Page 27] RFC 3585 IPsec Configuration Policy Model August 2003

 Different wildcard mechanisms can be used depending on the ID
 payload:
  1. a MatchIdentityValue of "*@example.com" will match a user FQDN ID

payload of "JDOE@EXAMPLE.COM".

  1. a MatchIdentityValue of "*.example.com" will match a FQDN ID

payload of "WWW.EXAMPLE.COM".

  1. a MatchIdentityValue of "cn=*,ou=engineering,o=company,c=us" will

match a DER DN ID payload of "cn=John

    Doe,ou=engineering,o=company,c=us".
  1. a MatchIdentityValue of "193.190.125.0/24" will match an IPv4

address ID payload of 193.190.125.10.

  1. a MatchIdentityValue of "193.190.125.*" will also match an IPv4

address ID payload of 193.190.125.10.

 The above wildcard mechanisms MUST be supported for all ID payloads
 supported by the local IKE entity.  The character '*' replaces 0 or
 multiple instances of any character as restricted by the type
 specified by MatchIdentityType.

5.6. The Association Class FilterOfSACondition

 The class FilterOfSACondition associates an SACondition with the
 filter specifications (FilterList) that make up the condition.  The
 class definition for FilterOfSACondition is as follows:
    NAME         FilterOfSACondition
    DESCRIPTION  Associates a condition with the filter list that
                 makes up the individual condition elements.
    DERIVED FROM Dependency (see [CIMCORE])
    ABSTRACT     FALSE
    PROPERTIES   Antecedent [ref FilterList[1..1]]
                 Dependent [ref SACondition[0..n]]

5.6.1. The Reference Antecedent

 The property Antecedent is inherited from Dependency and is
 overridden to refer to a FilterList instance.  The [1..1] cardinality
 indicates that an SACondition instance MUST be associated with one
 and only one FilterList instance.

Jason, et al. Standards Track [Page 28] RFC 3585 IPsec Configuration Policy Model August 2003

5.6.2. The Reference Dependent

 The property Dependent is inherited from Dependency and is overridden
 to refer to an SACondition instance.  The [0..n] cardinality
 indicates that a FilterList instance may be associated with zero or
 more SACondition instances.

5.7. The Association Class AcceptCredentialFrom

 The class AcceptCredentialFrom specifies which credential management
 services (e.g., a CertificateAuthority or a Kerberos service) are to
 be trusted to certify peer credentials.  This is used to assure that
 the credential being matched in the CredentialFilterEntry is a valid
 credential that has been supplied by an approved
 CredentialManagementService.  If a CredentialManagementService is
 specified and a corresponding CredentialFilterEntry is used, but the
 credential supplied by the peer is not certified by that
 CredentialManagementService (or one of the
 CredentialManagementServices in its trust hierarchy), the
 CredentialFilterEntry is deemed not to match.  If a credential is
 certified by a CredentialManagementService in the
 AcceptCredentialsFrom list of services, but there is no
 CredentialFilterEntry, this is considered equivalent to a
 CredentialFilterEntry that matches all credentials from those
 services.
 The class definition for AcceptCredentialFrom is as follows:
    NAME         AcceptCredentialFrom
    DESCRIPTION  Associates a condition with the credential management
                 services to be trusted.
    DERIVED FROM Dependency (see [CIMCORE])
    ABSTRACT     FALSE
    PROPERTIES   Antecedent [ref CredentialManagementService[0..n]]
                 Dependent [ref SACondition[0..n]]

5.7.1. The Reference Antecedent

 The property Antecedent is inherited from Dependency and is
 overridden to refer to a CredentialManagementService instance.  The
 [0..n] cardinality indicates that an SACondition instance may be
 associated with zero or more CredentialManagementService instances.

Jason, et al. Standards Track [Page 29] RFC 3585 IPsec Configuration Policy Model August 2003

5.7.2. The Reference Dependent

 The property Dependent is inherited from Dependency and is overridden
 to refer to a SACondition instance.  The [0..n] cardinality indicates
 that a CredentialManagementService instance may be associated with
 zero or more SACondition instances.

6. Action Classes

 The action classes are used to model the different actions an IPsec
 device may take when the evaluation of the associated condition
 results in a match.

Jason, et al. Standards Track [Page 30] RFC 3585 IPsec Configuration Policy Model August 2003

                              +----------+
                              | SAAction |
                              +----------+
                                   ^
                                   |
                       +-----------+--------------+
                       |                          |
                       |               +---------------------+
                       |               | SaNegotiationAction |
                       |               +---------------------+
                       |                          ^
                       |                          |
               +----------------+      +----------------------+*
               | SAStaticAction |      | IKENegotiationAction |o----+
               +----------------+      +----------------------+     |
                             ^                     ^                |
                             |                     |                |
                             |         +-----------+-------+        |
                             |         |                   |        |
     +-------------------+   |   +-------------+     +-----------+  |
     | IPsecBypassAction |---+   | IPsecAction |     | IKEAction |  |
     +-------------------+   |   +-------------+     +-----------+  |
                             |       ^                              |
    +--------------------+   |       |    +----------------------+  |
    | IPsecDiscardAction |---+       +----| IPsecTransportAction |  |
    +--------------------+   |       |    +----------------------+  |
                             |       |                              |
       +-----------------+   |       |    +-------------------+     |
       | IKERejectAction |---+       +----| IPsecTunnelAction |     |
       +-----------------+   |            +-------------------+     |
                             |                     *|               |
                             |       +--------------+               |
                             |       |                              |
 +-----------------------+   |       |       +--------------+n      |
 | PreconfiguredSAAction |---+       |(a)    | [SAProposal] |-------+
 +-----------------------+           |       +--------------+   (b)
    *|    ^                          |
     |    |                          |      *+-------------+
     |    |                          +-------| PeerGateway |
     |    |                                  +-------------+
     |    |  +-----------------------------+   |0..1  *w|
     |    +--| PreconfiguredTransportAction|   |        |(c)
     |    |  +-----------------------------+   |       1|
     |    |                                    |  +--------------+
     |    |  +---------------------------+ *   |  |    System    |
     |    +--| PreconfiguredTunnelAction |-----+  |  ([CIMCORE]) |
     |       +---------------------------+  (e)   +--------------+
     |

Jason, et al. Standards Track [Page 31] RFC 3585 IPsec Configuration Policy Model August 2003

     |   2..6+---------------+
     +-------| [SATransform] |
       (d)   +---------------+
    (a)  PeerGatewayForTunnel
    (b)  ContainedProposal
    (c)  HostedPeerGatewayInformation
    (d)  TransformOfPreconfiguredAction
    (e)  PeerGatewayForPreconfiguredTunnel

6.1. The Class SAAction

 The class SAAction is abstract and serves as the base class for IKE
 and IPsec actions.  It is used for aggregating different types of
 actions to IKE and IPsec rules.  The class definition for SAAction is
 as follows:
    NAME         SAAction
    DESCRIPTION  The base class for IKE and IPsec actions.
    DERIVED FROM PolicyAction (see [PCIM])
    ABSTRACT     TRUE
    PROPERTIES   PolicyActionName (from PolicyAction)
                 DoActionLogging
                 DoPacketLogging

6.1.1. The Property DoActionLogging

 The property DoActionLogging specifies whether a log message is to be
 generated when the action is performed.  This applies for
 SANegotiationActions with the meaning of logging a message when the
 negotiation is attempted (with the success or failure result).  This
 also applies for SAStaticAction only for PreconfiguredSAAction with
 the meaning of logging a message when the preconfigured SA is
 actually installed in the SADB.  The property is defined as follows:
    NAME         DoActionLogging
    DESCRIPTION  Specifies the whether to log when the action is
                 performed.
    SYNTAX       boolean
    VALUE        true - a log message is to be generated when action
                 is performed.
                 false - no log message is to be generated when action
                 is performed.

Jason, et al. Standards Track [Page 32] RFC 3585 IPsec Configuration Policy Model August 2003

6.1.2. The Property DoPacketLogging

 The property DoPacketLogging specifies whether a log message is to be
 generated when the resulting security association is used to process
 the packet.  If the SANegotiationAction successfully executes and
 results in the creation of one or several security associations, or
 if the PreconfiguredSAAction executes, the value of DoPacketLogging
 SHOULD be propagated to an optional field of SADB.  This optional
 field should be used to decide whether a log message is to be
 generated when the SA is used to process a packet.  For
 SAStaticActions, a log message is to be generated when the
 IPsecBypassAction, IPsecDiscardAction, or IKERejectAction are
 executed.  The property is defined as follows:
    NAME         DoPacketLogging
    DESCRIPTION  Specifies whether to log when the resulting
                 security association is used to process the packet.
    SYNTAX       boolean
    VALUE        true - a log message is to be generated when the
                 resulting security association is used to process the
                 packet.
                 false - no log message is to be generated.

6.2. The Class SAStaticAction

 The class SAStaticAction is abstract and serves as the base class for
 IKE and IPsec actions that do not require any negotiation.  The class
 definition for SAStaticAction is as follows:
    NAME         SAStaticAction
    DESCRIPTION  The base class for IKE and IPsec actions that do not
                 require any negotiation.
    DERIVED FROM SAAction
    ABSTRACT     TRUE
    PROPERTIES   LifetimeSeconds

6.2.1. The Property LifetimeSeconds

 The property LifetimeSeconds specifies how long the security
 association derived from this action should be used.  The property is
 defined as follows:
    NAME         LifetimeSeconds
    DESCRIPTION  Specifies the amount of time (in seconds) that a
                 security association derived from this action should
                 be used.
    SYNTAX       unsigned 64-bit integer

Jason, et al. Standards Track [Page 33] RFC 3585 IPsec Configuration Policy Model August 2003

    VALUE        A value of zero indicates that there is not a
                 lifetime associated with this action (i.e., infinite
                 lifetime).  A non-zero value is typically used in
                 conjunction with alternate SAActions performed when
                 there is a negotiation failure of some sort.
 Note: if the referenced SAStaticAction object is a
 PreconfiguredSAAction associated to several SATransforms, then the
 actual lifetime of the preconfigured SA will be the lesser of the
 value of this LifetimeSeconds property and of the value of the
 MaxLifetimeSeconds property of the associated SATransform.  If the
 value of this LifetimeSeconds property is zero, then there will be no
 lifetime associated to this SA.
 Note: while some SA negotiation protocols [IKE] can negotiate the
 lifetime as an arbitrary length field, the authors have assumed that
 a 64-bit integer will be sufficient.
 It is expected that most SAStaticAction instances will have their
 LifetimeSeconds properties set to zero (meaning no expiration of the
 resulting SA).

6.3. The Class IPsecBypassAction

 The class IPsecBypassAction is used when packets are allowed to be
 processed without applying IPsec encapsulation to them.  This is the
 same as stating that packets are allowed to flow in the clear.  The
 class definition for IPsecBypassAction is as follows:
    NAME         IPsecBypassAction
    DESCRIPTION  Specifies that packets are to be allowed to pass in
                 the clear.
    DERIVED FROM SAStaticAction
    ABSTRACT     FALSE

6.4. The Class IPsecDiscardAction

 The class IPsecDiscardAction is used when packets are to be
 discarded.  This is the same as stating that packets are to be
 denied.  The class definition for IPsecDiscardAction is as follows:
    NAME         IPsecDiscardAction
    DESCRIPTION  Specifies that packets are to be discarded.
    DERIVED FROM SAStaticAction
    ABSTRACT     FALSE

Jason, et al. Standards Track [Page 34] RFC 3585 IPsec Configuration Policy Model August 2003

6.5. The Class IKERejectAction

 The class IKERejectAction is used to prevent attempting an IKE
 negotiation with the peer(s).  The main use of this class is to
 prevent some denial of service attacks when acting as IKE responder.
 It goes beyond a plain discard of UDP/500 IKE packets because the
 SACondition can be based on specific PeerIDPayloadFilterEntry (when
 aggressive mode is used).  The class definition for IKERejectAction
 is as follows:
    NAME         IKERejectAction
    DESCRIPTION  Specifies that an IKE negotiation should not even be
                 attempted or continued.
    DERIVED FROM SAStaticAction
    ABSTRACT     FALSE

6.6. The Class PreconfiguredSAAction

 The class PreconfiguredSAAction is used to create a security
 association using preconfigured, hard-wired algorithms and keys.
 Notes:
  1. the SPI for a PreconfiguredSAAction is contained in the

association, TransformOfPreconfiguredAction;

  1. the session key (if applicable) is contained in an instance of the

class SharedSecret (see [CIMUSER]). The session key is stored in

    the property Secret, the property protocol contains either "ESP-
    encrypt", "ESP-auth" or "AH", the property algorithm contains the
    algorithm used to protect the secret (can be "PLAINTEXT" if the
    IPsec entity has no secret storage), the value of property
    RemoteID is the concatenation of the remote IPsec peer IP address
    in dotted decimal, of the character "/", of "IN" (respectively
    "OUT") for inbound SA (respectively outbound SA), of the character
    "/", and of the hexadecimal representation of the SPI.
 Although the class is concrete, it MUST not be instantiated.  The
 class definition for PreconfiguredSAAction is as follows:
    NAME         PreconfiguredSAAction
    DESCRIPTION  Specifies preconfigured algorithm and keying
                 information for creation of a security association.
    DERIVED FROM SAStaticAction
    ABSTRACT     TRUE
    PROPERTIES   LifetimeKilobytes

Jason, et al. Standards Track [Page 35] RFC 3585 IPsec Configuration Policy Model August 2003

6.6.1. The Property LifetimeKilobytes

 The property LifetimeKilobytes specifies a traffic limit in kilobytes
 that can be consumed before the SA is deleted.  The property is
 defined as follows:
    NAME         LifetimeKilobytes
    DESCRIPTION  Specifies the SA lifetime in kilobytes.
    SYNTAX       unsigned 64-bit integer
    VALUE        A value of zero indicates that there is not a
                 lifetime associated with this action (i.e., infinite
                 lifetime).  A non-zero value is used to indicate that
                 after this number of kilobytes has been consumed the
                 SA must be deleted from the SADB.
 Note: the actual lifetime of the preconfigured SA will be the lesser
 of the value of this LifetimeKilobytes property and of the value of
 the MaxLifetimeSeconds property of the associated SATransform.  If
 the value of this LifetimeKilobytes property is zero, then there will
 be no lifetime associated with this action.
 Note: while some SA negotiation protocols [IKE] can negotiate the
 lifetime as an arbitrary length field, the authors have assumed that
 a 64-bit integer will be sufficient.
 It is expected that most PreconfiguredSAAction instances will have
 their LifetimeKilobyte properties set to zero (meaning no expiration
 of the resulting SA).

6.7. The Class PreconfiguredTransportAction

 The class PreconfiguredTransportAction is used to create an IPsec
 transport-mode security association using preconfigured, hard-wired
 algorithms and keys.  The class definition for
 PreconfiguredTransportAction is as follows:
    NAME         PreconfiguredTransportAction
    DESCRIPTION  Specifies preconfigured algorithm and keying
                 information for creation of an IPsec transport
                 security association.
    DERIVED FROM PreconfiguredSAAction
    ABSTRACT     FALSE

Jason, et al. Standards Track [Page 36] RFC 3585 IPsec Configuration Policy Model August 2003

6.8. The Class PreconfiguredTunnelAction

 The class PreconfiguredTunnelAction is used to create an IPsec
 tunnel-mode security association using preconfigured, hard-wired
 algorithms and keys.  The class definition for PreconfiguredSAAction
 is as follows:
    NAME         PreconfiguredTunnelAction
    DESCRIPTION  Specifies preconfigured algorithm and keying
                 information for creation of an IPsec tunnel-mode
                 security association.
    DERIVED FROM PreconfiguredSAAction
    ABSTRACT     FALSE
    PROPERTIES   DFHandling

6.8.1. The Property DFHandling

 The property DFHandling specifies how the Don't Fragment (DF) bit of
 the internal IP header is to be handled during IPsec processing.  The
 property is defined as follows:
    NAME         DFHandling
    DESCRIPTION  Specifies the processing of the DF bit.
    SYNTAX       unsigned 16-bit integer
    VALUE        1 - Copy the DF bit from the internal IP header to
                 the external IP header.
                 2 - Set the DF bit of the external IP header to 1.
                 3 - Clear the DF bit of the external IP header to 0.

6.9. The Class SANegotiationAction

 The class SANegotiationAction specifies an action requesting security
 policy negotiation.
 This is an abstract class.  Currently, only one security policy
 negotiation protocol action is subclassed from SANegotiationAction:
 the IKENegotiationAction class.  It is nevertheless expected that
 other security policy negotiation protocols will exist and the
 negotiation actions of those new protocols would be modeled as a
 subclass of SANegotiationAction.
    NAME         SANegotiationAction
    DESCRIPTION  Specifies a negotiation action.
    DERIVED FROM SAAction
    ABSTRACT     TRUE

Jason, et al. Standards Track [Page 37] RFC 3585 IPsec Configuration Policy Model August 2003

6.10. The Class IKENegotiationAction

 The class IKENegotiationAction is abstract and serves as the base
 class for IKE and IPsec actions that result in an IKE negotiation.
 The class definition for IKENegotiationAction is as follows:
    NAME         IKENegotiationAction
    DESCRIPTION  A base class for IKE and IPsec actions that specifies
                 the parameters that are common for IKE phase 1 and
                 IKE phase 2 IPsec DOI negotiations.
    DERIVED FROM SANegotiationAction
    ABSTRACT     TRUE
    PROPERTIES   MinLifetimeSeconds
                 MinLifetimeKilobytes
                 IdleDurationSeconds

6.10.1. The Property MinLifetimeSeconds

 The property MinLifetimeSeconds specifies the minimum seconds in a
 lifetime that will be accepted from the peer.  MinLifetimeSeconds is
 used to prevent certain denial of service attacks where the peer
 requests an arbitrarily low lifetime value, causing renegotiations
 with expensive Diffie-Hellman operations.  The property is defined as
 follows:
    NAME         MinLifetimeSeconds
    DESCRIPTION  Specifies the minimum seconds acceptable in a
                 lifetime.
    SYNTAX       unsigned 64-bit integer
    VALUE        A value of zero indicates that there is no minimum
                 value.  A non-zero value specifies the minimum
                 seconds lifetime.
 Note: while IKE can negotiate the lifetime as an arbitrary length
 field, the authors have assumed that a 64-bit integer will be
 sufficient.

6.10.2. The Property MinLifetimeKilobytes

 The property MinLifetimeKilobytes specifies the minimum kilobytes of
 a lifetime that will be accepted from the peer.  MinLifetimeKilobytes
 is used to prevent certain denial of service attacks, where the peer
 requests an arbitrarily low lifetime value, causing renegotiations
 with correspondingly expensive Diffie-Hellman operations.  Note that
 there has been considerable debate regarding the usefulness of
 applying kilobyte lifetimes to IKE phase 1 security associations, so
 it is likely that this property will only apply to the sub-class
 IPsecAction.  The property is defined as follows:

Jason, et al. Standards Track [Page 38] RFC 3585 IPsec Configuration Policy Model August 2003

    NAME         MinLifetimeKilobytes
    DESCRIPTION  Specifies the minimum kilobytes acceptable in a
                 lifetime.
    SYNTAX       unsigned 64-bit integer
    VALUE        A value of zero indicates that there is no minimum
                 value.  A non-zero value specifies the minimum
                 kilobytes lifetime.
 Note: While IKE can negotiate the lifetime as an arbitrary length
 field, the authors have assumed that a 64-bit integer will be
 sufficient.

6.10.3. The Property IdleDurationSeconds

 The property IdleDurationSeconds specifies how many seconds a
 security association may remain idle (i.e., no traffic protected
 using the security association) before it is deleted.  The property
 is defined as follows:
    NAME         IdleDurationSeconds
    DESCRIPTION  Specifies how long, in seconds, a security
                 association may remain unused before it is deleted.
    SYNTAX       unsigned 64-bit integer
    VALUE        A value of zero indicates that idle detection should
                 not be used for the security association (only the
                 seconds and kilobyte lifetimes will be used).  Any
                 non-zero value indicates the number of seconds the
                 security association may remain unused.

6.11. The Class IPsecAction

 The class IPsecAction serves as the base class for IPsec transport
 and tunnel actions.  It specifies the parameters used for an IKE
 phase 2 IPsec DOI negotiation.  The class definition for IPsecAction
 is as follows:
    NAME         IPsecAction
    DESCRIPTION  A base class for IPsec transport and tunnel actions
                 that specifies the parameters for IKE phase 2 IPsec
                 DOI negotiations.
    DERIVED FROM IKENegotiationAction
    ABSTRACT     TRUE
    PROPERTIES   UsePFS
                 UseIKEGroup
                 GroupId
                 Granularity
                 VendorID

Jason, et al. Standards Track [Page 39] RFC 3585 IPsec Configuration Policy Model August 2003

6.11.1. The Property UsePFS

 The property UsePFS specifies whether or not perfect forward secrecy
 should be used when refreshing keys.  The property is defined as
 follows:
    NAME         UsePFS
    DESCRIPTION  Specifies the whether or not to use PFS when
                 refreshing keys.
    SYNTAX       boolean
    VALUE        A value of true indicates that PFS should be used.  A
                 value of false indicates that PFS should not be used.

6.11.2. The Property UseIKEGroup

 The property UseIKEGroup specifies whether or not phase 2 should use
 the same key exchange group as was used in phase 1.  UseIKEGroup is
 ignored if UsePFS is false.  The property is defined as follows:
    NAME         UseIKEGroup
    DESCRIPTION  Specifies whether or not to use the same GroupId for
                 phase 2 as was used in phase 1.  If UsePFS is false,
                 then UseIKEGroup is ignored.
    SYNTAX       boolean
    VALUE        A value of true indicates that the phase 2 GroupId
                 should be the same as phase 1.  A value of false
                 indicates that the property GroupId will contain the
                 key exchange group to use for phase 2.

6.11.3. The Property GroupId

 The property GroupId specifies the key exchange group to use for
 phase 2.  GroupId is ignored if (1) the property UsePFS is false, or
 (2) the property UsePFS is true and the property UseIKEGroup is true.
 If the GroupID number is from the vendor-specific range (32768-
 65535), the property VendorID qualifies the group number.  The
 property is defined as follows:
    NAME         GroupId
    DESCRIPTION  Specifies the key exchange group to use for phase 2
                 when the property UsePFS is true and the property
                 UseIKEGroup is false.
    SYNTAX       unsigned 16-bit integer
    VALUE        Consult [IKE] for valid values.

Jason, et al. Standards Track [Page 40] RFC 3585 IPsec Configuration Policy Model August 2003

6.11.4. The Property Granularity

 The property Granularity specifies how the selector for the security
 association should be derived from the traffic that triggered the
 negotiation.  The property is defined as follows:
    NAME         Granularity
    DESCRIPTION  Specifies how the proposed selector for the
                 security association will be created.
    SYNTAX       unsigned 16-bit integer
    VALUE        1 - subnet: the source and destination subnet masks
                 of the filter entry are used.
                 2 - address: only the source and destination IP
                 addresses of the triggering packet are used.
                 3 - protocol: the source and destination IP addresses
                 and the IP protocol of the triggering packet are
                 used.
                 4 - port: the source and destination IP addresses and
                 the IP protocol and the source and destination layer
                 4 ports of the triggering packet are used.

6.11.5. The Property VendorID

 The property VendorID is used together with the property GroupID
 (when it is in the vendor-specific range) to identify the key
 exchange group.  VendorID is ignored unless UsePFS is true and
 UseIKEGroup is false and GroupID is in the vendor-specific range
 (32768-65535).  The property is defined as follows:
    NAME         VendorID
    DESCRIPTION  Specifies the IKE Vendor ID.
    SYNTAX       string

6.12. The Class IPsecTransportAction

 The class IPsecTransportAction is a subclass of IPsecAction that is
 used to specify use of an IPsec transport-mode security association.
 The class definition for IPsecTransportAction is as follows:
    NAME         IPsecTransportAction
    DESCRIPTION  Specifies that an IPsec transport-mode security
                 association should be negotiated.
    DERIVED FROM IPsecAction
    ABSTRACT     FALSE

Jason, et al. Standards Track [Page 41] RFC 3585 IPsec Configuration Policy Model August 2003

6.13. The Class IPsecTunnelAction

 The class IPsecTunnelAction is a subclass of IPsecAction that is used
 to specify use of an IPsec tunnel-mode security association.  The
 class definition for IPsecTunnelAction is as follows:
    NAME         IPsecTunnelAction
    DESCRIPTION  Specifies that an IPsec tunnel-mode security
                 association should be negotiated.
    DERIVED FROM IPsecAction
    ABSTRACT     FALSE
    PROPERTIES   DFHandling

6.13.1. The Property DFHandling

 The property DFHandling specifies how the tunnel should manage the
 Don't Fragment (DF) bit.  The property is defined as follows:
    NAME         DFHandling
    DESCRIPTION  Specifies how to process the DF bit.
    SYNTAX       unsigned 16-bit integer
    VALUE        1 - Copy the DF bit from the internal IP header to
                 the external IP header.
                 2 - Set the DF bit of the external IP header to 1.
                 3 - Clear the DF bit of the external IP header to 0.

6.14. The Class IKEAction

 The class IKEAction specifies the parameters that are to be used for
 IKE phase 1 negotiation.  The class definition for IKEAction is as
 follows:
    NAME         IKEAction
    DESCRIPTION  Specifies the IKE phase 1 negotiation parameters.
    DERIVED FROM IKENegotiationAction
    ABSTRACT     FALSE
    PROPERTIES   ExchangeMode
                 UseIKEIdentityType
                 VendorID
                 AggressiveModeGroupId

Jason, et al. Standards Track [Page 42] RFC 3585 IPsec Configuration Policy Model August 2003

6.14.1. The Property ExchangeMode

 The property ExchangeMode specifies which IKE mode should be used for
 IKE phase 1 negotiations.  The property is defined as follows:
    NAME         ExchangeMode
    DESCRIPTION  Specifies the IKE negotiation mode for phase 1.
    SYNTAX       unsigned 16-bit integer
    VALUE        1 - base mode
                 2 - main mode
                 4 - aggressive mode

6.14.2. The Property UseIKEIdentityType

 The property UseIKEIdentityType specifies what IKE identity type
 should be used when negotiating with the peer.  This information is
 used in conjunction with the IKE identities available on the system
 and the IdentityContexts of the matching IKERule.  The property is
 defined as follows:
    NAME         UseIKEIdentityType
    DESCRIPTION  Specifies the IKE identity to use during negotiation.
    SYNTAX       unsigned 16-bit integer
    VALUE        Consult [DOI] for valid values.

6.14.3. The Property VendorID

 The property VendorID specifies the value to be used in the Vendor ID
 payload.  The property is defined as follows:
    NAME         VendorID
    DESCRIPTION  Vendor ID Payload.
    SYNTAX       string
    VALUE        A value of NULL means that Vendor ID payload will be
                 neither generated nor accepted.  A non-NULL value
                 means that a Vendor ID payload will be generated
                 (when acting as an initiator) or is expected (when
                 acting as a responder).

6.14.4. The Property AggressiveModeGroupId

 The property AggressiveModeGroupId specifies which group ID is to be
 used in the first packets of the phase 1 negotiation.  This property
 is ignored unless the property ExchangeMode is set to 4 (aggressive
 mode).  If the AggressiveModeGroupID number is from the vendor-
 specific range (32768-65535), the property VendorID qualifies the
 group number.  The property is defined as follows:

Jason, et al. Standards Track [Page 43] RFC 3585 IPsec Configuration Policy Model August 2003

    NAME         AggressiveModeGroupId
    DESCRIPTION  Specifies the group ID to be used for aggressive
                 mode.
    SYNTAX       unsigned 16-bit integer

6.15. The Class PeerGateway

 The class PeerGateway specifies the security gateway with which the
 IKE services negotiates.  The class definition for PeerGateway is as
 follows:
    NAME         PeerGateway
    DESCRIPTION  Specifies the security gateway with which to
                 negotiate.
    DERIVED FROM LogicalElement (see [CIMCORE])
    ABSTRACT     FALSE
    PROPERTIES   Name
                 PeerIdentityType
                 PeerIdentity
 Note: The class PeerIdentityEntry contains more information about the
 peer (namely its IP address).

6.15.1. The Property Name

 The property Name specifies a user-friendly name for this security
 gateway.  The property is defined as follows:
    NAME         Name
    DESCRIPTION  Specifies a user-friendly name for this security
                 gateway.
    SYNTAX       string

6.15.2. The Property PeerIdentityType

 The property PeerIdentityType specifies the IKE identity type of the
 security gateway.  The property is defined as follows:
    NAME         PeerIdentityType
    DESCRIPTION  Specifies the IKE identity type of the security
                 gateway.
    SYNTAX       unsigned 16-bit integer
    VALUE        Consult [DOI] for valid values.

Jason, et al. Standards Track [Page 44] RFC 3585 IPsec Configuration Policy Model August 2003

6.15.3. The Property PeerIdentity

 The property PeerIdentity specifies the IKE identity value of the
 security gateway.  Based upon the storage chosen for the task-
 specific mapping of the information model, a conversion may be needed
 from the stored representation of the PeerIdentity string to the real
 value used in the ID payload (e.g., IP address is to be converted
 from a dotted decimal string into 4 bytes).  The property is defined
 as follows:
    NAME         PeerIdentity
    DESCRIPTION  Specifies the IKE identity value of the security
                 gateway.
    SYNTAX       string

6.16. The Association Class PeerGatewayForTunnel

 The class PeerGatewayForTunnel associates IPsecTunnelActions with an
 ordered list of PeerGateways.  The class definition for
 PeerGatewayForTunnel is as follows:
    NAME         PeerGatewayForTunnel
    DESCRIPTION  Associates IPsecTunnelActions with an ordered list of
                 PeerGateways.
    DERIVED FROM Dependency (see [CIMCORE])
    ABSTRACT     FALSE
    PROPERTIES   Antecedent [ref PeerGateway[0..n]]
                 Dependent [ref IPsecTunnelAction[0..n]]
                 SequenceNumber

6.16.1. The Reference Antecedent

 The property Antecedent is inherited from Dependency and is
 overridden to refer to a PeerGateway instance.  The [0..n]
 cardinality indicates that an IPsecTunnelAction instance may be
 associated with zero or more PeerGateway instances.
 Note: The cardinality 0 has a specific meaning:
  1. when the IKE service acts as a responder, this means that the IKE

service will accept phase 1 negotiation with any other security

    gateway;
  1. when the IKE service acts as an initiator, this means that the IKE

service will use the destination IP address (of the IP packets

    which triggered the SARule) as the IP address of the peer IKE
    entity.

Jason, et al. Standards Track [Page 45] RFC 3585 IPsec Configuration Policy Model August 2003

6.16.2. The Reference Dependent

 The property Dependent is inherited from Dependency and is overridden
 to refer to an IPsecTunnelAction instance.  The [0..n] cardinality
 indicates that a PeerGateway instance may be associated with zero or
 more IPsecTunnelAction instances.

6.16.3. The Property SequenceNumber

 The property SequenceNumber specifies the ordering to be used when
 evaluating PeerGateway instances for a given IPsecTunnelAction.  The
 property is defined as follows:
    NAME         SequenceNumber
    DESCRIPTION  Specifies the order of evaluation for PeerGateways.
    SYNTAX       unsigned 16-bit integer
    VALUE        Lower values are evaluated first.

6.17. The Aggregation Class ContainedProposal

 The class ContainedProposal associates an ordered list of SAProposals
 with the IKENegotiationAction that aggregates it.  If the referenced
 IKENegotiationAction object is an IKEAction, then the referenced
 SAProposal object(s) must be IKEProposal(s).  If the referenced
 IKENegotiationAction object is an IPsecTransportAction or an
 IPsecTunnelAction, then the referenced SAProposal object(s) must be
 IPsecProposal(s).  The class definition for ContainedProposal is as
 follows:
     NAME         ContainedProposal
     DESCRIPTION  Associates an ordered list of SAProposals with an
                  IKENegotiationAction.
     DERIVED FROM PolicyComponent (see [PCIM])
     ABSTRACT     FALSE
     PROPERTIES   GroupComponent[ref IKENegotiationAction[0..n]]
                  PartComponent[ref SAProposal[1..n]]
                  SequenceNumber

6.17.1. The Reference GroupComponent

  1. The property GroupComponent is inherited from PolicyComponent and

is overridden to refer to an IKENegotiationAction instance. The

    [0..n] cardinality indicates that an SAProposal instance may be
    associated with zero or more IKENegotiationAction instances.

Jason, et al. Standards Track [Page 46] RFC 3585 IPsec Configuration Policy Model August 2003

6.17.2. The Reference PartComponent

 The property PartComponent is inherited from PolicyComponent and is
 overridden to refer to an SAProposal instance.  The [1..n]
 cardinality indicates that an IKENegotiationAction instance MUST be
 associated with at least one SAProposal instance.

6.17.3. The Property SequenceNumber

 The property SequenceNumber specifies the order of preference for the
 SAProposals.  The property is defined as follows:
    NAME         SequenceNumber
    DESCRIPTION  Specifies the preference order for the SAProposals.
    SYNTAX       unsigned 16-bit integer
    VALUE        Lower-valued proposals are preferred over proposals
                 with higher values.  For ContainedProposals that
                 reference the same IKENegotiationAction,
                 SequenceNumber values must be unique.

6.18. The Association Class HostedPeerGatewayInformation

 The class HostedPeerGatewayInformation weakly associates a
 PeerGateway with a System.  The class definition for
 HostedPeerGatewayInformation is as follows:
    NAME         HostedPeerGatewayInformation
    DESCRIPTION  Weakly associates a PeerGateway with a System.
    DERIVED FROM Dependency (see [CIMCORE])
    ABSTRACT     FALSE
    PROPERTIES   Antecedent [ref System[1..1]]
                 Dependent [ref PeerGateway[0..n] [weak]]

6.18.1. The Reference Antecedent

 The property Antecedent is inherited from Dependency and is
 overridden to refer to a System instance.  The [1..1] cardinality
 indicates that a PeerGateway instance MUST be associated with one and
 only one System instance.

6.18.2. The Reference Dependent

 The property Dependent is inherited from Dependency and is overridden
 to refer to a PeerGateway instance.  The [0..n] cardinality indicates
 that a System instance may be associated with zero or more
 PeerGateway instances.

Jason, et al. Standards Track [Page 47] RFC 3585 IPsec Configuration Policy Model August 2003

6.19. The Association Class TransformOfPreconfiguredAction

 The class TransformOfPreconfiguredAction associates a
 PreconfiguredSAAction with two, four or six SATransforms that will be
 applied to the inbound and outbound traffic.  The order of
 application of the SATransforms is implicitly defined in [IPSEC].
 The class definition for TransformOfPreconfiguredAction is as
 follows:
    NAME         TransformOfPreconfiguredAction
    DESCRIPTION  Associates a PreconfiguredSAAction with from one to
                 three SATransforms.
    DERIVED FROM Dependency (see [CIMCORE])
    ABSTRACT     FALSE
    PROPERTIES   Antecedent[ref SATransform[2..6]]
                 Dependent[ref PreconfiguredSAAction[0..n]]
                 SPI
                 Direction

6.19.1. The Reference Antecedent

 The property Antecedent is inherited from Dependency and is
 overridden to refer to an SATransform instance.  The [2..6]
 cardinality indicates that a PreconfiguredSAAction instance may be
 associated with two to six SATransform instances.

6.19.2. The Reference Dependent

 The property Dependent is inherited from Dependency and is overridden
 to refer to a PreconfiguredSAAction instance.  The [0..n] cardinality
 indicates that a SATransform instance may be associated with zero or
 more PreconfiguredSAAction instances.

6.19.3. The Property SPI

 The property SPI specifies the SPI to be used by the pre-configured
 action for the associated transform.  The property is defined as
 follows:
    NAME         SPI
    DESCRIPTION  Specifies the SPI to be used with the SATransform.
    SYNTAX       unsigned 32-bit integer

Jason, et al. Standards Track [Page 48] RFC 3585 IPsec Configuration Policy Model August 2003

6.19.4. The Property Direction

 The property Direction specifies whether the SPI property is for
 inbound or outbound traffic.  The property is defined as follows:
    NAME         Direction
    DESCRIPTION Specifies whether the SA is for inbound or outbound
                traffic.
    SYNTAX      unsigned 8-bit integer
    VALUE       1 - this SA is for inbound traffic
                2 - this SA is for outbound traffic

6.20 The Association Class PeerGatewayForPreconfiguredTunnel

 The class PeerGatewayForPreconfiguredTunnel associates zero or one
 PeerGateways with multiple PreconfiguredTunnelActions.  The class
 definition for PeerGatewayForPreconfiguredTunnel is as follows:
    NAME         PeerGatewayForPreconfiguredTunnel
    DESCRIPTION  Associates a PeerGateway with multiple
                 PreconfiguredTunnelActions.
    DERIVED FROM Dependency (see [CIMCORE])
    ABSTRACT     FALSE
    PROPERTIES   Antecedent[ref PeerGateway[0..1]]
                 Dependent[ref PreconfiguredTunnelAction[0..n]]

6.20.1. The Reference Antecedent

 The property Antecedent is inherited from Dependency and is
 overridden to refer to a PeerGateway instance.  The [0..1]
 cardinality indicates that a PreconfiguredTunnelAction instance may
 be associated with one PeerGteway instance.

6.20.2. The Reference Dependent

 The property Dependent is inherited from Dependency and is overridden
 to refer to a PreconfiguredTunnelAction instance.  The [0..n]
 cardinality indicates that a PeerGateway instance may be associated
 with zero or more PreconfiguredSAAction instances.

Jason, et al. Standards Track [Page 49] RFC 3585 IPsec Configuration Policy Model August 2003

7. Proposal and Transform Classes

 The proposal and transform classes model the proposal settings an
 IPsec device will use during IKE phase 1 and 2 negotiations.
                      +--------------+*w     1+--------------+
                      | [SAProposal] |--------|   System     |
                      +--------------+  (a)   | ([CIMCORE])  |
                             ^                +--------------+
                             |                        |1
                  +----------------------+            |
                  |                      |            |
           +-------------+       +---------------+    |
           | IKEProposal |       | IPsecProposal |    |
           +-------------+       +---------------+    |
                                        *o            |
                                         |(b)         |(c)
                                        n|            |
                                 +---------------+*w  |
                                 | [SATransform] |----+
                                 +---------------+
                                         ^
                                         |
        +--------------------+-----------+---------+
        |                    |                     |
 +-------------+     +--------------+     +----------------+
 | AHTransform |     | ESPTransform |     |IPCOMPTransform |
 +-------------+     +--------------+     +----------------+
    (a)  SAProposalInSystem
    (b)  ContainedTransform
    (c)  SATransformInSystem

7.1. The Abstract Class SAProposal

 The abstract class SAProposal serves as the base class for the IKE
 and IPsec proposal classes.  It specifies the parameters that are
 common to the two proposal types.  The class definition for
 SAProposal is as follows:
    NAME         SAProposal
    DESCRIPTION  Specifies the common proposal parameters for IKE and
                 IPsec security association negotiation.
    DERIVED FROM Policy ([PCIM])
    ABSTRACT     TRUE
    PROPERTIES   Name

Jason, et al. Standards Track [Page 50] RFC 3585 IPsec Configuration Policy Model August 2003

7.1.1. The Property Name

 The property Name specifies a user-friendly name for the SAProposal.
 The property is defined as follows:
    NAME         Name
    DESCRIPTION  Specifies a user-friendly name for this proposal.
    SYNTAX       string

7.2. The Class IKEProposal

 The class IKEProposal specifies the proposal parameters necessary to
 drive an IKE security association negotiation.  The class definition
 for IKEProposal is as follows:
    NAME         IKEProposal
    DESCRIPTION  Specifies the proposal parameters for IKE security
                 association negotiation.
    DERIVED FROM SAProposal
    ABSTRACT     FALSE
    PROPERTIES   CipherAlgorithm
                 HashAlgorithm
                 PRFAlgorithm
                 GroupId
                 AuthenticationMethod
                 MaxLifetimeSeconds
                 MaxLifetimeKilobytes
                 VendorID

7.2.1. The Property CipherAlgorithm

 The property CipherAlgorithm specifies the proposed phase 1 security
 association encryption algorithm.  The property is defined as
 follows:
    NAME         CipherAlgorithm
    DESCRIPTION  Specifies the proposed encryption algorithm for the
                 phase 1 security association.
    SYNTAX       unsigned 16-bit integer
    VALUE        Consult [IKE] for valid values.

Jason, et al. Standards Track [Page 51] RFC 3585 IPsec Configuration Policy Model August 2003

7.2.2. The Property HashAlgorithm

 The property HashAlgorithm specifies the proposed phase 1 security
 association hash algorithm.  The property is defined as follows:
    NAME         HashAlgorithm
    DESCRIPTION  Specifies the proposed hash algorithm for the phase 1
                 security association.
    SYNTAX       unsigned 16-bit integer
    VALUE        Consult [IKE] for valid values.

7.2.3. The Property PRFAlgorithm

 The property PRFAlgorithm specifies the proposed phase 1 security
 association pseudo-random function.  The property is defined as
 follows:
    NAME         PRFAlgorithm
    DESCRIPTION  Specifies the proposed pseudo-random function for the
                 phase 1 security association.
    SYNTAX       unsigned 16-bit integer
    VALUE        Currently none defined in [IKE], if [IKE, DOI] are
                 extended, then the values of [IKE, DOI] are to be
                 used for values of PRFAlgorithm.

7.2.4. The Property GroupId

 The property GroupId specifies the proposed phase 1 security
 association key exchange group.  This property is ignored for all
 aggressive mode exchanges.  If the GroupID number is from the
 vendor-specific range (32768-65535), the property VendorID qualifies
 the group number.  The property is defined as follows:
    NAME         GroupId
    DESCRIPTION  Specifies the proposed key exchange group for the
                 phase 1 security association.
    SYNTAX       unsigned 16-bit integer
    VALUE        Consult [IKE] for valid values.
 Note: The value of this property is to be ignored in aggressive mode.

Jason, et al. Standards Track [Page 52] RFC 3585 IPsec Configuration Policy Model August 2003

7.2.5. The Property AuthenticationMethod

 The property AuthenticationMethod specifies the proposed phase 1
 authentication method.  The property is defined as follows:
    NAME         AuthenticationMethod
    DESCRIPTION  Specifies the proposed authentication method for the
                 phase 1 security association.
    SYNTAX       unsigned 16-bit integer
    VALUE        0 - a special value that indicates that this
                 particular proposal should be repeated once for each
                 authentication method that corresponds to the
                 credentials installed on the machine.  For example,
                 if the system has a pre-shared key and a certificate,
                 a proposal list could be constructed that includes a
                 proposal that specifies a pre-shared key and
                 proposals for any of the public-key authentication
                 methods.  Consult [IKE] for valid values.

7.2.6. The Property MaxLifetimeSeconds

 The property MaxLifetimeSeconds specifies the proposed maximum time,
 in seconds, that a security association will remain valid after its
 creation.  The property is defined as follows:
    NAME         MaxLifetimeSeconds
    DESCRIPTION  Specifies the proposed maximum time that a
                 security association will remain valid.
    SYNTAX       unsigned 64-bit integer
    VALUE        A value of zero indicates that the default of 8
                 hours be used.  A non-zero value indicates the
                 maximum seconds lifetime.
 Note: While IKE can negotiate the lifetime as an arbitrary length
 field, the authors have assumed that a 64-bit integer will be
 sufficient.

7.2.7. The Property MaxLifetimeKilobytes

 The property MaxLifetimeKilobytes specifies the proposed maximum
 kilobyte lifetime that a security association will remain valid after
 its creation.  The property is defined as follows:
    NAME         MaxLifetimeKilobytes
    DESCRIPTION  Specifies the proposed maximum kilobyte lifetime
                 that a security association will remain valid.
    SYNTAX       unsigned 64-bit integer

Jason, et al. Standards Track [Page 53] RFC 3585 IPsec Configuration Policy Model August 2003

    VALUE        A value of zero indicates that there should be no
                 maximum kilobyte lifetime.  A non-zero value
                 specifies the desired kilobyte lifetime.
 Note: While IKE can negotiate the lifetime as an arbitrary length
 field, the authors have assumed that a 64-bit integer will be
 sufficient.

7.2.8. The Property VendorID

 The property VendorID further qualifies the key exchange group.  The
 property is ignored unless the exchange is not in aggressive mode and
 the property GroupID is in the vendor-specific range.  The property
 is defined as follows:
    NAME         VendorID
    DESCRIPTION  Specifies the Vendor ID to further qualify the key
                 exchange group.
    SYNTAX       string

7.3. The Class IPsecProposal

 The class IPsecProposal adds no new properties, but inherits proposal
 properties from SAProposal, as well as aggregating the security
 association transforms necessary for building an IPsec proposal (see
 the aggregation class ContainedTransform).  The class definition for
 IPsecProposal is as follows:
    NAME         IPsecProposal
    DESCRIPTION  Specifies the proposal parameters for IPsec security
                 association negotiation.
    DERIVED FROM SAProposal
    ABSTRACT     FALSE

7.4. The Abstract Class SATransform

 The abstract class SATransform serves as the base class for the IPsec
 transforms that can be used to compose an IPsec proposal or to be
 used as a pre-configured action.  The class definition for
 SATransform is as follows:
    NAME         SATransform
    DESCRIPTION  Base class for the different IPsec transforms.
    ABSTRACT     TRUE
    PROPERTIES   CommonName (from Policy)
                 VendorID
                 MaxLifetimeSeconds
                 MaxLifetimeKilobytes

Jason, et al. Standards Track [Page 54] RFC 3585 IPsec Configuration Policy Model August 2003

7.4.1. The Property CommonName

 The property CommonName is inherited from Policy [PCIM] and specifies
 a user-friendly name for the SATransform.  The property is defined as
 follows:
    NAME         CommonName
    DESCRIPTION  Specifies a user-friendly name for this Policy-
                 related object.
    SYNTAX       string

7.4.2. The Property VendorID

 The property VendorID specifies the vendor ID for vendor-defined
 transforms.  The property is defined as follows:
    NAME         VendorID
    DESCRIPTION  Specifies the vendor ID for vendor-defined
                 transforms.
    SYNTAX       string
    VALUE        An empty VendorID string indicates that the transform
                 is a standard one.

7.4.3. The Property MaxLifetimeSeconds

 The property MaxLifetimeSeconds specifies the proposed maximum time,
 in seconds, that a security association will remain valid after its
 creation.  The property is defined as follows:
    NAME         MaxLifetimeSeconds
    DESCRIPTION  Specifies the proposed maximum time that a
                 security association will remain valid.
    SYNTAX       unsigned 64-bit integer
    VALUE        A value of zero indicates that the default of 8 hours
                 be used.  A non-zero value indicates the maximum
                 seconds lifetime.
 Note: While IKE can negotiate the lifetime as an arbitrary length
 field, the authors have assumed that a 64-bit integer will be
 sufficient.

7.4.4. The Property MaxLifetimeKilobytes

 The property MaxLifetimeKilobytes specifies the proposed maximum
 kilobyte lifetime that a security association will remain valid after
 its creation.  The property is defined as follows:

Jason, et al. Standards Track [Page 55] RFC 3585 IPsec Configuration Policy Model August 2003

    NAME         MaxLifetimeKilobytes
    DESCRIPTION  Specifies the proposed maximum kilobyte lifetime
                 that a security association will remain valid.
    SYNTAX       unsigned 64-bit integer
    VALUE        A value of zero indicates that there should be no
                 maximum kilobyte lifetime.  A non-zero value
                 specifies the desired kilobyte lifetime.
 Note: While IKE can negotiate the lifetime as an arbitrary length
 field, the authors have assumed that a 64-bit integer will be
 sufficient.

7.5. The Class AHTransform

 The class AHTransform specifies the AH algorithm to propose during
 IPsec security association negotiation.  The class definition for
 AHTransform is as follows:
    NAME         AHTransform
    DESCRIPTION  Specifies the proposed AH algorithm.
    ABSTRACT     FALSE
    PROPERTIES   AHTransformId
                 UseReplayPrevention
                 ReplayPreventionWindowSize

7.5.1. The Property AHTransformId

 The property AHTransformId specifies the transform ID of the AH
 algorithm.  The property is defined as follows:
    NAME         AHTransformId
    DESCRIPTION  Specifies the transform ID of the AH algorithm.
    SYNTAX       unsigned 16-bit integer
    VALUE        Consult [DOI] for valid values.

7.5.2. The Property UseReplayPrevention

 The property UseReplayPrevention specifies whether replay prevention
 detection is to be used.  The property is defined as follows:
    NAME         UseReplayPrevention
    DESCRIPTION  Specifies whether to enable replay prevention
                 detection.
    SYNTAX       boolean
    VALUE        true - replay prevention detection is enabled.
                 false - replay prevention detection is disabled.

Jason, et al. Standards Track [Page 56] RFC 3585 IPsec Configuration Policy Model August 2003

7.5.3. The Property ReplayPreventionWindowSize

 The property ReplayPreventionWindowSize specifies, in bits, the
 length of the sliding window used by the replay prevention detection
 mechanism.  The value of this property is meaningless if
 UseReplayPrevention is false.  It is assumed that the window size
 will be power of 2.  The property is defined as follows:
    NAME         ReplayPreventionWindowSize
    DESCRIPTION  Specifies the length of the window used by the replay
                 prevention detection mechanism.
    SYNTAX       unsigned 32-bit integer

7.6. The Class ESPTransform

 The class ESPTransform specifies the ESP algorithms to propose
 during IPsec security association negotiation.  The class definition
 for ESPTransform is as follows:
    NAME         ESPTransform
    DESCRIPTION  Specifies the proposed ESP algorithms.
    ABSTRACT     FALSE
    PROPERTIES   IntegrityTransformId
                 CipherTransformId
                 CipherKeyLength
                 CipherKeyRounds
                 UseReplayPrevention
                 ReplayPreventionWindowSize

7.6.1. The Property IntegrityTransformId

 The property IntegrityTransformId specifies the transform ID of the
 ESP integrity algorithm.  The property is defined as follows:
    NAME         IntegrityTransformId
    DESCRIPTION  Specifies the transform ID of the ESP integrity
                 algorithm.
    SYNTAX       unsigned 16-bit integer
    VALUE        Consult [DOI] for valid values.

Jason, et al. Standards Track [Page 57] RFC 3585 IPsec Configuration Policy Model August 2003

7.6.2. The Property CipherTransformId

 The property CipherTransformId specifies the transform ID of the ESP
 encryption algorithm.  The property is defined as follows:
    NAME         CipherTransformId
    DESCRIPTION  Specifies the transform ID of the ESP encryption
                 algorithm.
    SYNTAX       unsigned 16-bit integer
    VALUE        Consult [DOI] for valid values.

7.6.3. The Property CipherKeyLength

 The property CipherKeyLength specifies, in bits, the key length for
 the ESP encryption algorithm.  For encryption algorithms that use a
 fixed-length keys, this value is ignored.  The property is defined as
 follows:
    NAME         CipherKeyLength
    DESCRIPTION  Specifies the ESP encryption key length in bits.
    SYNTAX       unsigned 16-bit integer

7.6.4. The Property CipherKeyRounds

 The property CipherKeyRounds specifies the number of key rounds for
 the ESP encryption algorithm.  For encryption algorithms that use
 fixed number of key rounds, this value is ignored.  The property is
 defined as follows:
    NAME         CipherKeyRounds
    DESCRIPTION  Specifies the number of key rounds for the ESP
                 encryption algorithm.
    SYNTAX       unsigned 16-bit integer
    VALUE        Currently, key rounds are not defined for any ESP
                 encryption algorithms.

7.6.5. The Property UseReplayPrevention

 The property UseReplayPrevention specifies whether replay prevention
 detection is to be used.  The property is defined as follows:
    NAME         UseReplayPrevention
    DESCRIPTION  Specifies whether to enable replay prevention
                 detection.
    SYNTAX       boolean
    VALUE        true - replay prevention detection is enabled.
                 false - replay prevention detection is disabled.

Jason, et al. Standards Track [Page 58] RFC 3585 IPsec Configuration Policy Model August 2003

7.6.6. The Property ReplayPreventionWindowSize

 The property ReplayPreventionWindowSize specifies, in bits, the
 length of the sliding window used by the replay prevention detection
 mechanism.  The value of this property is meaningless if
 UseReplayPrevention is false.  It is assumed that the window size
 will be power of 2.  The property is defined as follows:
    NAME         ReplayPreventionWindowSize
    DESCRIPTION  Specifies the length of the window used by the replay
                 prevention detection mechanism.
    SYNTAX       unsigned 32-bit integer

7.7. The Class IPCOMPTransform

 The class IPCOMPTransform specifies the IP compression (IPCOMP)
 algorithm to propose during IPsec security association negotiation.
 The class definition for IPCOMPTransform is as follows:
    NAME         IPCOMPTransform
    DESCRIPTION  Specifies the proposed IPCOMP algorithm.
    ABSTRACT     FALSE
    PROPERTIES   Algorithm
                 DictionarySize
                 PrivateAlgorithm

7.7.1. The Property Algorithm

 The property Algorithm specifies the transform ID of the IPCOMP
 compression algorithm.  The property is defined as follows:
    NAME         Algorithm
    DESCRIPTION  Specifies the transform ID of the IPCOMP compression
                 algorithm.
    SYNTAX       unsigned 16-bit integer
    VALUE        1 - OUI: a vendor specific algorithm is used and
                 specified in the property PrivateAlgorithm.  Consult
                 [DOI] for other valid values.

7.7.2. The Property DictionarySize

 The property DictionarySize specifies the log2 maximum size of the
 dictionary for the compression algorithm.  For compression algorithms
 that have pre-defined dictionary sizes, this value is ignored.  The
 property is defined as follows:

Jason, et al. Standards Track [Page 59] RFC 3585 IPsec Configuration Policy Model August 2003

    NAME         DictionarySize
    DESCRIPTION  Specifies the log2 maximum size of the dictionary.
    SYNTAX       unsigned 16-bit integer

7.7.3. The Property PrivateAlgorithm

 The property PrivateAlgorithm specifies a private vendor-specific
 compression algorithm.  This value is only used when the property
 Algorithm is 1 (OUI).  The property is defined as follows:
    NAME         PrivateAlgorithm
    DESCRIPTION  Specifies a private vendor-specific compression
                 algorithm.
    SYNTAX       unsigned 32-bit integer

7.8. The Association Class SAProposalInSystem

 The class SAProposalInSystem weakly associates SAProposals with a
 System.  The class definition for SAProposalInSystem is as follows:
    NAME         SAProposalInSystem
    DESCRIPTION  Weakly associates SAProposals with a System.
    DERIVED FROM PolicyInSystem (see [PCIM])
    ABSTRACT     FALSE
    PROPERTIES   Antecedent[ref System [1..1]]
                 Dependent[ref SAProposal[0..n] [weak]]

7.8.1. The Reference Antecedent

 The property Antecedent is inherited from the PolicyInSystem and is
 overridden to refer to a System instance.  The [1..1] cardinality
 indicates that an SAProposal instance MUST be associated with one and
 only one System instance.

7.8.2. The Reference Dependent

 The property Dependent is inherited from PolicyInSystem and is
 overridden to refer to an SAProposal instance.  The [0..n]
 cardinality indicates that a System instance may be associated with
 zero or more SAProposal instances.

7.9. The Aggregation Class ContainedTransform

 The class ContainedTransform associates an IPsecProposal with the set
 of SATransforms that make up the proposal.  If multiple transforms of
 the same type are in a proposal, then they are to be logically ORed
 and the order of preference is dictated by the SequenceNumber
 property.  Sets of transforms of different types are logically ANDed.

Jason, et al. Standards Track [Page 60] RFC 3585 IPsec Configuration Policy Model August 2003

 For example, if the ordered proposal list were
    ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
    AH  = { MD5, SHA-1 }
 then the one sending the proposal would want the other side to pick
 one from the ESP transform (preferably (HMAC-MD5, 3DES)) list AND one
 from the AH transform list (preferably MD5).
 The class definition for ContainedTransform is as follows:
    NAME         ContainedTransform
    DESCRIPTION  Associates an IPsecProposal with the set of
                 SATransforms that make up the proposal.
    DERIVED FROM PolicyComponent (see [PCIM])
    ABSTRACT     FALSE
    PROPERTIES   GroupComponent[ref IPsecProposal[0..n]]
                 PartComponent[ref SATransform[1..n]]
                 SequenceNumber

7.9.1. The Reference GroupComponent

 The property GroupComponent is inherited from PolicyComponent and is
 overridden to refer to an IPsecProposal instance.  The [0..n]
 cardinality indicates that an SATransform instance may be associated
 with zero or more IPsecProposal instances.

7.9.2. The Reference PartComponent

 The property PartComponent is inherited from PolicyComponent and is
 overridden to refer to an SATransform instance.  The [1..n]
 cardinality indicates that an IPsecProposal instance MUST be
 associated with at least one SATransform instance.

7.9.3. The Property SequenceNumber

 The property SequenceNumber specifies the order of preference for the
 SATransforms of the same type.  The property is defined as follows:
    NAME         SequenceNumber
    DESCRIPTION  Specifies the preference order for the SATransforms
                 of the same type.
    SYNTAX       unsigned 16-bit integer
    VALUE        Lower-valued transforms are preferred over transforms
                 of the same type with higher values.  For
                 ContainedTransforms that reference the same
                 IPsecProposal, SequenceNumber values must be unique.

Jason, et al. Standards Track [Page 61] RFC 3585 IPsec Configuration Policy Model August 2003

7.10. The Association Class SATransformInSystem

 The class SATransformInSystem weakly associates SATransforms with a
 System.  The class definition for SATransformInSystem System is as
 follows:
    NAME         SATransformInSystem
    DESCRIPTION  Weakly associates SATransforms with a System.
    DERIVED FROM PolicyInSystem (see [PCIM])
    ABSTRACT     FALSE
    PROPERTIES   Antecedent[ref System[1..1]]
                 Dependent[ref SATransform[0..n] [weak]]

7.10.1. The Reference Antecedent

 The property Antecedent is inherited from PolicyInSystem and is
 overridden to refer to a System instance.  The [1..1] cardinality
 indicates that an SATransform instance MUST be associated with one
 and only one System instance.

7.10.2. The Reference Dependent

 The property Dependent is inherited from PolicyInSystem and is
 overridden to refer to an SATransform instance.  The [0..n]
 cardinality indicates that a System instance may be associated with
 zero or more SATransform instances.

Jason, et al. Standards Track [Page 62] RFC 3585 IPsec Configuration Policy Model August 2003

8. IKE Service and Identity Classes

              +--------------+           +-------------------+
              |    System    |           | PeerIdentityEntry |
              |  ([CIMCORE]) |           +-------------------+
              +--------------+                     |*w
                    1| (a)                 (b)     |
                     +---+            +------------+
                         |            |
                         |*w        1 o
 +-------------+     +-------------------+    +---------------------+
 | PeerGateway |     | PeerIdentityTable |    | AutostartIKESetting |
 +-------------+     +-------------------+    +---------------------+
      *|                          *|               *|    *|
       +----------------------+    |(d)  +----------+     |
                (c)          *|   *|    *|     (e)        |
                            *+------------+*              |(f)
           +-----------------| IKEService |-----+         |
           |      (g)        +------------+     |(h)      |
       0..1|                      *|           *|        *o
 +--------------------+            |    +---------------------------+
 | IPProtocolEndpoint |            |    | AutostartIKEConfiguration |
 |  ([CIMNETWORK])    |         (i)|    +---------------------------+
 +--------------------+            |
    0..1|                          |
        |(j)                       +----------------+
       *|                                           |*
 +-------------+* (k)  +------------+ +-----------------------------+
 | IKEIdentity |-------| Collection | | CredentialManagementService |
 +-------------+   0..1| ([CIMCORE])| |         ([CIMUSER])         |
       *|              +------------+ +-----------------------------+
        |(l)
       *|
 +--------------+
 |  Credential  |
 |  ([CIMUSER]) |
 +--------------+
    (a)  HostedPeerIdentityTable
    (b)  PeerIdentityMember
    (c)  IKEServicePeerGateway
    (d)  IKEServicePeerIdentityTable
    (e)  IKEAutostartSetting
    (f)  AutostartIKESettingContext
    (g)  IKEServiceForEndpoint
    (h)  IKEAutostartConfiguration
    (i)  IKEUsesCredentialManagementService
    (j)  EndpointHasLocalIKEIdentity

Jason, et al. Standards Track [Page 63] RFC 3585 IPsec Configuration Policy Model August 2003

    (k)  CollectionHasLocalIKEIdentity
    (l)  IKEIdentitysCredential
 This portion of the model contains additional information that is
 useful in applying the policy.  The IKEService class MAY be used to
 represent the IKE negotiation function in a system.  The IKEService
 uses the various tables that contain information about IKE peers as
 well as the configuration for specifying security associations that
 are started automatically.  The information in the PeerGateway,
 PeerIdentityTable and related classes is necessary to completely
 specify the policies.
 An interface (represented by an IPProtocolEndpoint) has an IKEService
 that provides the negotiation services for that interface.  That
 service MAY also have a list of security associations automatically
 started at the time the IKE service is initialized.
 The IKEService also has a set of identities that it may use in
 negotiations with its peers.  Those identities are associated with
 the interfaces (or collections of interfaces).

8.1. The Class IKEService

 The class IKEService represents the IKE negotiation function.  An
 instance of this service may provide that negotiation service for one
 or more interfaces (represented by the IPProtocolEndpoint class) of a
 System.  There may be multiple instances of IKE services on a System
 but only one per interface.  The class definition for IKEService is
 as follows:
    NAME         IKEService
    DESCRIPTION  IKEService is used to represent the IKE negotiation
                 function.
    DERIVED FROM Service (see [CIMCORE])
    ABSTRACT     FALSE

8.2. The Class PeerIdentityTable

 The class PeerIdentityTable aggregates the table entries that provide
 mappings between identities and their addresses.  The class
 definition for PeerIdentityTable is as follows:
    NAME         PeerIdentityTable
    DESCRIPTION  PeerIdentityTable aggregates PeerIdentityEntry
                 instances to provide a table of identity-address
                 mappings.
    DERIVED FROM Collection (see [CIMCORE])

Jason, et al. Standards Track [Page 64] RFC 3585 IPsec Configuration Policy Model August 2003

    ABSTRACT     FALSE
    PROPERTIES   Name

8.2.1. The Property Name

 The property Name uniquely identifies the table.  The property is
 defined as follows:
    NAME         Name
    DESCRIPTION  Name uniquely identifies the table.
    SYNTAX       string

8.3. The Class PeerIdentityEntry

 The class PeerIdentityEntry specifies the mapping between peer
 identity and their IP address.  The class definition for
 PeerIdentityEntry is as follows:
    NAME         PeerIdentityEntry
    DESCRIPTION  PeerIdentityEntry provides a mapping between a peer's
                 identity and address.
    DERIVED FROM LogicalElement (see [CIMCORE])
    ABSTRACT     FALSE
    PROPERTIES   PeerIdentity
                 PeerIdentityType
                 PeerAddress
                 PeerAddressType
 The pre-shared key to be used with this peer (if applicable) is
 contained in an instance of the class SharedSecret (see [CIMUSER]).
 The pre-shared key is stored in the property Secret, the property
 protocol contains "IKE", the property algorithm contains the
 algorithm used to protect the secret (can be "PLAINTEXT" if the IPsec
 entity has no secret storage), the value of property RemoteID must
 match the PeerIdentity property of the PeerIdentityEntry instance
 describing the IKE peer.

8.3.1. The Property PeerIdentity

 The property PeerIdentity contains a string encoding of the Identity
 payload for the IKE peer.  The property is defined as follows:
    NAME         PeerIdentity
    DESCRIPTION  The PeerIdentity is the ID payload of a peer.
    SYNTAX       string

Jason, et al. Standards Track [Page 65] RFC 3585 IPsec Configuration Policy Model August 2003

8.3.2. The Property PeerIdentityType

 The property PeerIdentityType is an enumeration that specifies the
 type of the PeerIdentity.  The property is defined as follows:
    NAME         PeerIdentityType
    DESCRIPTION  PeerIdentityType is the type of the ID payload of a
                 peer.
    SYNTAX       unsigned 16-bit integer
    VALUE        The enumeration values are specified in [DOI] section
                 4.6.2.1.

8.3.3. The Property PeerAddress

 The property PeerAddress specifies the string representation of the
 IP address of the peer formatted according to the appropriate
 convention as defined in the PeerAddressType property (e.g., dotted
 decimal notation).  The property is defined as follows:
    NAME         PeerAddress
    DESCRIPTION  PeerAddress is the address of the peer with the ID
                 payload.
    SYNTAX       string
    VALUE        String representation of an IPv4 or IPv6 address.

8.3.4. The Property PeerAddressType

 The property PeerAddressType specifies the format of the PeerAddress
 property value.  The property is defined as follows:
    NAME         PeerAddressType
    DESCRIPTION  PeerAddressType is the type of address in
                 PeerAddress.
    SYNTAX       unsigned 16-bit integer
    VALUE        0 - Unknown
                 1 - IPv4
                 2 - IPv6

8.4. The Class AutostartIKEConfiguration

 The class AutostartIKEConfiguration groups AutostartIKESetting
 instances into configuration sets.  When applied, the settings cause
 an IKE service to automatically start (negotiate or statically set as
 appropriate) the Security Associations.  The class definition for
 AutostartIKEConfiguration is as follows:

Jason, et al. Standards Track [Page 66] RFC 3585 IPsec Configuration Policy Model August 2003

    NAME         AutostartIKEConfiguration
    DESCRIPTION  A configuration set of AutostartIKESetting instances
                 to be automatically started by the IKE service.
    DERIVED FROM SystemConfiguration (see [CIMCORE])
    ABSTRACT     FALSE

8.5. The Class AutostartIKESetting

 The class AutostartIKESetting is used to automatically initiate IKE
 negotiations with peers (or statically create an SA) as specified in
 the AutostartIKESetting properties.  Appropriate actions are
 initiated according to the policy that matches the setting
 parameters.  The class definition for AutostartIKESetting is as
 follows:
    NAME         AutostartIKESetting
    DESCRIPTION  AutostartIKESetting is used to automatically initiate
                 IKE negotiations with peers or statically create an
                 SA.
    DERIVED FROM SystemSetting (see [CIMCORE])
    ABSTRACT     FALSE
    PROPERTIES   Phase1Only
                 AddressType
                 SourceAddress
                 SourcePort
                 DestinationAddress
                 DestinationPort
                 Protocol

8.5.1. The Property Phase1Only

 The property Phase1Only is used to limit the IKE negotiation to a
 phase 1 SA establishment only.  When set to False, both phase 1 and
 phase 2 SAs are negotiated.  The property is defined as follows:
    NAME         Phase1Only
    DESCRIPTION  Used to indicate whether a phase 1 only or both phase
                 1 and phase 2 security associations should attempt
                 establishment.
    SYNTAX       boolean
    VALUE        true - attempt to establish a phase 1 security
                 association
                 false - attempt to establish phase 1 and phase 2
                 security associations

Jason, et al. Standards Track [Page 67] RFC 3585 IPsec Configuration Policy Model August 2003

8.5.2. The Property AddressType

 The property AddressType specifies a type of the addresses in the
 SourceAddress and DestinationAddress properties.  The property is
 defined as follows:
    NAME         AddressType
    DESCRIPTION  AddressType is the type of address in SourceAddress
                 and DestinationAddress properties.
    SYNTAX       unsigned 16-bit integer
    VALUE        0 - Unknown
                 1 - IPv4
                 2 - IPv6

8.5.3. The Property SourceAddress

 The property SourceAddress specifies the dotted-decimal or colon-
 decimal formatted IP address used as the source address in comparing
 with policy filter entries and used in any phase 2 negotiations.  The
 property is defined as follows:
    NAME         SourceAddress
    DESCRIPTION  The source address to compare with the filters to
                 determine the appropriate policy rule.
    SYNTAX       string
    VALUE        dotted-decimal or colon-decimal formatted IP address

8.5.4. The Property SourcePort

 The property SourcePort specifies the port number used as the source
 port in comparing policy filter entries and is used in any phase 2
 negotiations.  The property is defined as follows:
    NAME         SourcePort
    DESCRIPTION  The source port to compare with the filters to
                 determine the appropriate policy rule.
    SYNTAX       unsigned 16-bit integer

8.5.5. The Property DestinationAddress

 The property DestinationAddress specifies the dotted-decimal or
 colon-decimal formatted IP address used as the destination address in
 comparing policy filter entries and is used in any phase 2
 negotiations.  The property is defined as follows:
    NAME         DestinationAddress
    DESCRIPTION  The destination address to compare with the filters
                 to determine the appropriate policy rule.

Jason, et al. Standards Track [Page 68] RFC 3585 IPsec Configuration Policy Model August 2003

    SYNTAX       string
    VALUE        dotted-decimal or colon-decimal formatted IP address

8.5.6. The Property DestinationPort

 The property DestinationPort specifies the port number used as the
 destination port in comparing policy filter entries and is used in
 any phase 2 negotiations.  The property is defined as follows:
    NAME         DestinationPort
    DESCRIPTION  The destination port to compare with the filters to
                 determine the appropriate policy rule.
    SYNTAX       unsigned 16-bit integer

8.5.7. The Property Protocol

 The property Protocol specifies the protocol number used in comparing
 with policy filter entries and is used in any phase 2 negotiations.
 The property is defined as follows:
    NAME         Protocol
    DESCRIPTION  The protocol number used in comparing policy
                 filter entries.
    SYNTAX       unsigned 8-bit integer

8.6. The Class IKEIdentity

 The class IKEIdentity is used to represent the identities that may be
 used for an IPProtocolEndpoint (or collection of IPProtocolEndpoints)
 to identify the IKE Service in IKE phase 1 negotiations.  The policy
 IKEAction.UseIKEIdentityType specifies which type of the available
 identities to use in a negotiation exchange and the
 IKERule.IdentityContexts specifies the match values to be used, along
 with the local address, in selecting the appropriate identity for a
 negotiation.  The ElementID property value (defined in the parent
 class, UsersAccess) should be that of either the IPProtocolEndpoint
 or Collection of endpoints as appropriate.  The class definition for
 IKEIdentity is as follows:
    NAME         IKEIdentity
    DESCRIPTION  IKEIdentity is used to represent the identities that
                 may be used for an IPProtocolEndpoint (or collection
                 of IPProtocolEndpoints) to identify the IKE Service
                 in IKE phase 1 negotiations.
    DERIVED FROM UsersAccess (see [CIMUSER])
    ABSTRACT     FALSE

Jason, et al. Standards Track [Page 69] RFC 3585 IPsec Configuration Policy Model August 2003

    PROPERTIES   IdentityType
                 IdentityValue
                 IdentityContexts

8.6.1. The Property IdentityType

 The property IdentityType is an enumeration that specifies the type
 of the IdentityValue.  The property is defined as follows:
    NAME         IdentityType
    DESCRIPTION  IdentityType is the type of the IdentityValue.
    SYNTAX       unsigned 16-bit integer
    VALUE        The enumeration values are specified in [DOI] section
                 4.6.2.1.

8.6.2. The Property IdentityValue

 The property IdentityValue contains a string encoding of the Identity
 payload.  For IKEIdentity instances that are address types (i.e.,
 IPv4 or IPv6 addresses), the IdentityValue string value MAY be
 omitted; then the associated IPProtocolEndpoint (or appropriate
 member of the Collection of endpoints) is used as the identity value.
 The property is defined as follows:
    NAME         IdentityValue
    DESCRIPTION  IdentityValue contains a string encoding of the
                 Identity payload.
    SYNTAX       string

8.6.3. The Property IdentityContexts

 The IdentityContexts property is used to constrain the use of
 IKEIdentity instances to match that specified in the
 IKERule.IdentityContexts.  The IdentityContexts are formatted as
 policy roles and role combinations [PCIM] & [PCIME].  Each value
 represents one context or context combination.  Since this is a
 multi-valued property, more than one context or combination of
 contexts can be associated with a single IKEIdentity.  Each value is
 a string of the form:
    <ContextName>[&&<ContextName>]*
 where the individual context names appear in alphabetical order
 (according to the collating sequence for UCS-2).  If one or more
 values in the IKERule.IdentityContexts array match one or more
 IKEIdentity.IdentityContexts, then the identity's context matches.
 (That is, each value of the IdentityContext array is an ORed
 condition.)  In combination with the address of the

Jason, et al. Standards Track [Page 70] RFC 3585 IPsec Configuration Policy Model August 2003

 IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be
 exactly one IKEIdentity.  The property is defined as follows:
    NAME         IdentityContexts
    DESCRIPTION  The IKE service of a security endpoint may have
                 multiple identities for use in different situations.
                 The combination of the interface (represented by
                 the IPProtocolEndpoint), the identity type (as
                 specified in the IKEAction) and the IdentityContexts
                 selects a unique identity.
    SYNTAX       string array
    VALUE        string of the form <ContextName>[&&<ContextName>]*

8.7. The Association Class HostedPeerIdentityTable

 The class HostedPeerIdentityTable provides the name scoping
 relationship for PeerIdentityTable entries in a System.  The
 PeerIdentityTable is weak to the System.  The class definition for
 HostedPeerIdentityTable is as follows:
    NAME         HostedPeerIdentityTable
    DESCRIPTION  The PeerIdentityTable instances are weak (name scoped
                 by) the owning System.
    DERIVED FROM Dependency (see [CIMCORE])
    ABSTRACT     FALSE
    PROPERTIES   Antecedent [ref System[1..1]]
                 Dependent [ref PeerIdentityTable[0..n] [weak]]

8.7.1. The Reference Antecedent

 The property Antecedent is inherited from Dependency and is
 overridden to refer to a System instance.  The [1..1] cardinality
 indicates that a PeerIdentityTable instance MUST be associated in a
 weak relationship with one and only one System instance.

8.7.2. The Reference Dependent

 The property Dependent is inherited from Dependency and is overridden
 to refer to a PeerIdentityTable instance.  The [0..n] cardinality
 indicates that a System instance may be associated with zero or more
 PeerIdentityTable instances.

8.8. The Aggregation Class PeerIdentityMember

 The class PeerIdentityMember aggregates PeerIdentityEntry instances
 into a PeerIdentityTable.  This is a weak aggregation.  The class
 definition for PeerIdentityMember is as follows:

Jason, et al. Standards Track [Page 71] RFC 3585 IPsec Configuration Policy Model August 2003

    NAME         PeerIdentityMember
    DESCRIPTION  PeerIdentityMember aggregates PeerIdentityEntry
                 instances into a PeerIdentityTable.
    DERIVED FROM MemberOfCollection (see [CIMCORE])
    ABSTRACT     FALSE
    PROPERTIES   Collection [ref PeerIdentityTable[1..1]]
                 Member [ref PeerIdentityEntry [0..n] [weak]]

8.8.1. The Reference Collection

 The property Collection is inherited from MemberOfCollection and is
 overridden to refer to a PeerIdentityTable instance.  The [1..1]
 cardinality indicates that a PeerIdentityEntry instance MUST be
 associated with one and only one PeerIdentityTable instance (i.e.,
 PeerIdentityEntry instances are not shared across
 PeerIdentityTables).

8.8.2. The Reference Member

 The property Member is inherited from MemberOfCollection and is
 overridden to refer to a PeerIdentityEntry instance.  The [0..n]
 cardinality indicates that a PeerIdentityTable instance may be
 associated with zero or more PeerIdentityEntry instances.

8.9. The Association Class IKEServicePeerGateway

 The class IKEServicePeerGateway provides the association between an
 IKEService and the list of PeerGateway instances that it uses in
 negotiating with security gateways.  The class definition for
 IKEServicePeerGateway is as follows:
    NAME         IKEServicePeerGateway
    DESCRIPTION  Associates an IKEService and the list of PeerGateway
                 instances that it uses in negotiating with security
                 gateways.
    DERIVED FROM Dependency (see [CIMCORE])
    ABSTRACT     FALSE
    PROPERTIES   Antecedent [ref PeerGateway[0..n]]
                 Dependent [ref IKEService[0..n]]

8.9.1. The Reference Antecedent

 The property Antecedent is inherited from Dependency and is
 overridden to refer to a PeerGateway instance.  The [0..n]
 cardinality indicates that an IKEService instance may be associated
 with zero or more PeerGateway instances.

Jason, et al. Standards Track [Page 72] RFC 3585 IPsec Configuration Policy Model August 2003

8.9.2. The Reference Dependent

 The property Dependent is inherited from Dependency and is overridden
 to refer to an IKEService instance.  The [0..n] cardinality indicates
 that a PeerGateway instance may be associated with zero or more
 IKEService instances.

8.10. The Association Class IKEServicePeerIdentityTable

 The class IKEServicePeerIdentityTable provides the relationship
 between an IKEService and a PeerIdentityTable that it uses to map
 between addresses and identities as required.  The class definition
 for IKEServicePeerIdentityTable is as follows:
    NAME         IKEServicePeerIdentityTable
    DESCRIPTION  IKEServicePeerIdentityTable provides the relationship
                 between an IKEService and a PeerIdentityTable that it
                 uses.
    DERIVED FROM Dependency (see [CIMCORE])
    ABSTRACT     FALSE
    PROPERTIES   Antecedent [ref PeerIdentityTable[0..n]]
                 Dependent [ref IKEService[0..n]]

8.10.1. The Reference Antecedent

 The property Antecedent is inherited from Dependency and is
 overridden to refer to a PeerIdentityTable instance.  The [0..n]
 cardinality indicates that an IKEService instance may be associated
 with zero or more PeerIdentityTable instances.

8.10.2. The Reference Dependent

 The property Dependent is inherited from Dependency and is overridden
 to refer to an IKEService instance.  The [0..n] cardinality indicates
 that a PeerIdentityTable instance may be associated with zero or more
 IKEService instances.

8.11. The Association Class IKEAutostartSetting

 The class IKEAutostartSetting associates an AutostartIKESetting with
 an IKEService that may use it to automatically start an IKE
 negotiation or create a static SA.  The class definition for
 IKEAutostartSetting is as follows:
    NAME         IKEAutostartSetting
    DESCRIPTION  Associates a AutostartIKESetting with an IKEService.
    DERIVED FROM ElementSetting (see [CIMCORE])
    ABSTRACT     FALSE

Jason, et al. Standards Track [Page 73] RFC 3585 IPsec Configuration Policy Model August 2003

    PROPERTIES   Element [ref IKEService[0..n]]
                 Setting [ref AutostartIKESetting[0..n]]

8.11.1. The Reference Element

 The property Element is inherited from ElementSetting and is
 overridden to refer to an IKEService instance.  The [0..n]
 cardinality indicates an AutostartIKESetting instance may be
 associated with zero or more IKEService instances.

8.11.2. The Reference Setting

 The property Setting is inherited from ElementSetting and is
 overridden to refer to an AutostartIKESetting instance.  The [0..n]
 cardinality indicates that an IKEService instance may be associated
 with zero or more AutostartIKESetting instances.

8.12. The Aggregation Class AutostartIKESettingContext

 The class AutostartIKESettingContext aggregates the settings used to
 automatically start negotiations or create a static SA into a
 configuration set.  The class definition for
 AutostartIKESettingContext is as follows:
    NAME         AutostartIKESettingContext
    DESCRIPTION  AutostartIKESettingContext aggregates the
                 AutostartIKESetting instances into a configuration
                 set.
    DERIVED FROM SystemSettingContext (see [CIMCORE])
    ABSTRACT     FALSE
    PROPERTIES   Context [ref AutostartIKEConfiguration [0..n]]
                 Setting [ref AutostartIKESetting [0..n]]
                 SequenceNumber

8.12.1. The Reference Context

 The property Context is inherited from SystemSettingContext and is
 overridden to refer to an AutostartIKEConfiguration instance.  The
 [0..n] cardinality indicates that an AutostartIKESetting instance may
 be associated with zero or more AutostartIKEConfiguration instances
 (i.e., a setting may be in multiple configuration sets).

8.12.2. The Reference Setting

 The property Setting is inherited from SystemSettingContext and is
 overridden to refer to an AutostartIKESetting instance.  The [0..n]
 cardinality indicates that an AutostartIKEConfiguration instance may
 be associated with zero or more AutostartIKESetting instances.

Jason, et al. Standards Track [Page 74] RFC 3585 IPsec Configuration Policy Model August 2003

8.12.3. The Property SequenceNumber

 The property SequenceNumber specifies the ordering to be used when
 starting negotiations or creating a static SA.  A zero value
 indicates that order is not significant and settings may be applied
 in parallel with other settings.  All other settings in the
 configuration are executed in sequence from lower to higher values.
 Sequence numbers need not be unique in an AutostartIKEConfiguration
 and order is not significant for settings with the same sequence
 number.  The property is defined as follows:
    NAME         SequenceNumber
    DESCRIPTION  The sequence in which the settings are applied
                 within a configuration set.
    SYNTAX       unsigned 16-bit integer

8.13. The Association Class IKEServiceForEndpoint

 The class IKEServiceForEndpoint provides the association showing
 which IKE service, if any, provides IKE negotiation services for
 which network interfaces.  The class definition for
 IKEServiceForEndpoint is as follows:
    NAME         IKEServiceForEndpoint
    DESCRIPTION  Associates an IPProtocolEndpoint with an IKEService
                 that provides negotiation services for the endpoint.
    DERIVED FROM Dependency (see [CIMCORE])
    ABSTRACT     FALSE
    PROPERTIES   Antecedent [ref IKEService[0..1]]
                 Dependent [ref IPProtocolEndpoint[0..n]]

8.13.1. The Reference Antecedent

 The property Antecedent is inherited from Dependency and is
 overridden to refer to an IKEService instance.  The [0..1]
 cardinality indicates that an IPProtocolEndpoint instance MUST by
 associated with at most one IKEService instance.

8.13.2. The Reference Dependent

 The property Dependent is inherited from Dependency and is overridden
 to refer to an IPProtocolEndpoint that is associated with at most one
 IKEService.  The [0..n] cardinality indicates an IKEService instance
 may be associated with zero or more IPProtocolEndpoint instances.

Jason, et al. Standards Track [Page 75] RFC 3585 IPsec Configuration Policy Model August 2003

8.14. The Association Class IKEAutostartConfiguration

 The class IKEAutostartConfiguration provides the relationship between
 an IKEService and a configuration set that it uses to automatically
 start a set of SAs.  The class definition for
 IKEAutostartConfiguration is as follows:
    NAME         IKEAutostartConfiguration
    DESCRIPTION  IKEAutostartConfiguration provides the relationship
                 between an IKEService and an
                 AutostartIKEConfiguration that it uses to
                 automatically start a set of SAs.
    DERIVED FROM Dependency (see [CIMCORE])
    ABSTRACT     FALSE
    PROPERTIES   Antecedent [ref AutostartIKEConfiguration [0..n]]
                 Dependent [ref IKEService [0..n]]
                 Active

8.14.1. The Reference Antecedent

 The property Antecedent is inherited from Dependency and is
 overridden to refer to an AutostartIKEConfiguration instance.  The
 [0..n] cardinality indicates that an IKEService instance may be
 associated with zero or more AutostartIKEConfiguration instances.

8.14.2. The Reference Dependent

 The property Dependent is inherited from Dependency and is overridden
 to refer to an IKEService instance.  The [0..n] cardinality indicates
 that an AutostartIKEConfiguration instance may be associated with
 zero or more IKEService instances.

8.14.3. The Property Active

 The property Active indicates whether the AutostartIKEConfiguration
 set is currently active for the associated IKEService.  That is, at
 boot time, the active configuration is used to automatically start
 IKE negotiations and create static SAs.  The property is defined as
 follows:
    NAME         Active
    DESCRIPTION  Active indicates whether the
                 AutostartIKEConfiguration set is currently active for
                 the associated IKEService.
    SYNTAX       boolean

Jason, et al. Standards Track [Page 76] RFC 3585 IPsec Configuration Policy Model August 2003

    VALUE        true - AutostartIKEConfiguration is currently active
                 for associated IKEService.
                 false - AutostartIKEConfiguration is currently
                 inactive for associated IKEService.

8.15. The Association Class IKEUsesCredentialManagementService

 The class IKEUsesCredentialManagementService defines the set of
 CredentialManagementService(s) that are trusted sources of
 credentials for IKE phase 1 negotiations.  The class definition for
 IKEUsesCredentialManagementService is as follows:
    NAME         IKEUsesCredentialManagementService
    DESCRIPTION  Associates the set of CredentialManagementService(s)
                 that are trusted by the IKEService as sources of
                 credentials used in IKE phase 1 negotiations.
    DERIVED FROM Dependency (see [CIMCORE])
    ABSTRACT     FALSE
    PROPERTIES   Antecedent [ref CredentialManagementService [0..n]]
                 Dependent [ref IKEService [0..n]]

8.15.1. The Reference Antecedent

 The property Antecedent is inherited from Dependency and is
 overridden to refer to a CredentialManagementService instance.  The
 [0..n] cardinality indicates that an IKEService instance may be
 associated with zero or more CredentialManagementService instances.

8.15.2. The Reference Dependent

 The property Dependent is inherited from Dependency and is overridden
 to refer to an IKEService instance.  The [0..n] cardinality indicates
 that a CredentialManagementService instance may be associated with
 zero or more IKEService instances.

8.16. The Association Class EndpointHasLocalIKEIdentity

 The class EndpointHasLocalIKEIdentity associates an
 IPProtocolEndpoint with a set of IKEIdentity instances that may be
 used in negotiating security associations on the endpoint.  An
 IKEIdentity MUST be associated with either an IPProtocolEndpoint
 using this association or with a collection of IKEIdentity instances
 using the CollectionHasLocalIKEIdentity association.  The class
 definition for EndpointHasLocalIKEIdentity is as follows:

Jason, et al. Standards Track [Page 77] RFC 3585 IPsec Configuration Policy Model August 2003

    NAME         EndpointHasLocalIKEIdentity
    DESCRIPTION  EndpointHasLocalIKEIdentity associates an
                 IPProtocolEndpoint with a set of IKEIdentity
                 instances.
    DERIVED FROM ElementAsUser (see [CIMUSER])
    ABSTRACT     FALSE
    PROPERTIES   Antecedent [ref IPProtocolEndpoint [0..1]]
                 Dependent [ref IKEIdentity [0..n]]

8.16.1. The Reference Antecedent

 The property Antecedent is inherited from ElementAsUser and is
 overridden to refer to an IPProtocolEndpoint instance.  The [0..1]
 cardinality indicates that an IKEIdentity instance MUST be associated
 with at most one IPProtocolEndpoint instance.

8.16.2. The Reference Dependent

 The property Dependent is inherited from ElementAsUser and is
 overridden to refer to an IKEIdentity instance.  The [0..n]
 cardinality indicates that an IPProtocolEndpoint instance may be
 associated with zero or more IKEIdentity instances.

8.17. The Association Class CollectionHasLocalIKEIdentity

 The class CollectionHasLocalIKEIdentity associates a Collection of
 IPProtocolEndpoint instances with a set of IKEIdentity instances that
 may be used in negotiating SAs for endpoints in the collection.  An
 IKEIdentity MUST be associated with either an IPProtocolEndpoint
 using the EndpointHasLocalIKEIdentity association or with a
 collection of IKEIdentity instances using this association.  The
 class definition for CollectionHasLocalIKEIdentity is as follows:
    NAME         CollectionHasLocalIKEIdentity
    DESCRIPTION  CollectionHasLocalIKEIdentity associates a collection
                 of IPProtocolEndpoint instances with a set of
                 IKEIdentity instances.
    DERIVED FROM ElementAsUser (see [CIMUSER])
    ABSTRACT     FALSE
    PROPERTIES   Antecedent [ref Collection [0..1]]
                 Dependent [ref IKEIdentity [0..n]]

8.17.1. The Reference Antecedent

 The property Antecedent is inherited from ElementAsUser and is
 overridden to refer to a Collection instance.  The [0..1] cardinality
 indicates that an IKEIdentity instance MUST be associated with at
 most one Collection instance.

Jason, et al. Standards Track [Page 78] RFC 3585 IPsec Configuration Policy Model August 2003

8.17.2. The Reference Dependent

 The property Dependent is inherited from ElementAsUser and is
 overridden to refer to an IKEIdentity instance.  The [0..n]
 cardinality indicates that a Collection instance may be associated
 with zero or more IKEIdentity instances.

8.18. The Association Class IKEIdentitysCredential

 The class IKEIdentitysCredential is an association that relates a set
 of credentials to their corresponding local IKE Identities.  The
 class definition for IKEIdentitysCredential is as follows:
    NAME         IKEIdentitysCredential
    DESCRIPTION  IKEIdentitysCredential associates a set of
                 credentials to their corresponding local IKEIdentity.
    DERIVED FROM UsersCredential (see [CIMCORE])
    ABSTRACT     FALSE
    PROPERTIES   Antecedent [ref Credential [0..n]]
                 Dependent [ref IKEIdentity [0..n]]

8.18.1. The Reference Antecedent

 The property Antecedent is inherited from UsersCredential and is
 overridden to refer to a Credential instance.  The [0..n] cardinality
 indicates that the IKEIdentity instance may be associated with zero
 or more Credential instances.

8.18.2. The Reference Dependent

 The property Dependent is inherited from UsersCredential and is
 overridden to refer to an IKEIdentity instance.  The [0..n]
 cardinality indicates that a Credential instance may be associated
 with zero or more IKEIdentity instances.

9. Implementation Requirements

 The following table specifies which classes, properties, associations
 and aggregations MUST or SHOULD or MAY be implemented.
 4. Policy Classes
 4.1. The Class SARule..........................................MUST
 4.1.1. The Property PolicyRuleName..............................MAY
 4.1.1. The Property Enabled....................................MUST
 4.1.1. The Property ConditionListType..........................MUST
 4.1.1. The Property RuleUsage...................................MAY
 4.1.1. The Property Mandatory...................................MAY
 4.1.1. The Property SequencedActions...........................MUST

Jason, et al. Standards Track [Page 79] RFC 3585 IPsec Configuration Policy Model August 2003

 4.1.1. The Property PolicyRoles.................................MAY
 4.1.1. The Property PolicyDecisionStrategy......................MAY
 4.1.2  The Property ExecutionStrategy..........................MUST
 4.1.3  The Property LimitNegotiation............................MAY
 4.2. The Class IKERule.........................................MUST
 4.2.1. The Property IdentityContexts............................MAY
 4.3. The Class IPsecRule.......................................MUST
 4.4. The Association Class IPsecPolicyForEndpoint...............MAY
 4.4.1. The Reference Antecedent................................MUST
 4.4.2. The Reference Dependent.................................MUST
 4.5. The Association Class IPsecPolicyForSystem.................MAY
 4.5.1. The Reference Antecedent................................MUST
 4.5.2. The Reference Dependent.................................MUST
 4.6. The Aggregation Class SAConditionInRule...................MUST
 4.6.1. The Property GroupNumber..............................SHOULD
 4.6.1. The Property ConditionNegated.........................SHOULD
 4.6.2. The Reference GroupComponent............................MUST
 4.6.3. The Reference PartComponent.............................MUST
 4.7. The Aggregation Class PolicyActionInSARule................MUST
 4.7.1. The Reference GroupComponent............................MUST
 4.7.2. The Reference PartComponent.............................MUST
 4.7.3. The Property ActionOrder..............................SHOULD
 5. Condition and Filter Classes
 5.1. The Class SACondition.....................................MUST
 5.2. The Class IPHeadersFilter...............................SHOULD
 5.3. The Class CredentialFilterEntry............................MAY
 5.3.1. The Property MatchFieldName.............................MUST
 5.3.2. The Property MatchFieldValue............................MUST
 5.3.3. The Property CredentialType.............................MUST
 5.4. The Class IPSOFilterEntry..................................MAY
 5.4.1. The Property MatchConditionType.........................MUST
 5.4.2. The Property MatchConditionValue........................MUST
 5.5. The Class PeerIDPayloadFilterEntry.........................MAY
 5.5.1. The Property MatchIdentityType..........................MUST
 5.5.2. The Property MatchIdentityValue.........................MUST
 5.6. The Association Class FilterOfSACondition...............SHOULD
 5.6.1. The Reference Antecedent................................MUST
 5.6.2. The Reference Dependent.................................MUST
 5.7. The Association Class AcceptCredentialFrom.................MAY
 5.7.1. The Reference Antecedent................................MUST
 5.7.2. The Reference Dependent.................................MUST
 6. Action Classes
 6.1. The Class SAAction........................................MUST
 6.1.1. The Property DoActionLogging.............................MAY
 6.1.2. The Property DoPacketLogging.............................MAY
 6.2. The Class SAStaticAction..................................MUST
 6.2.1. The Property LifetimeSeconds............................MUST
 6.3. The Class IPsecBypassAction.............................SHOULD

Jason, et al. Standards Track [Page 80] RFC 3585 IPsec Configuration Policy Model August 2003

 6.4. The Class IPsecDiscardAction............................SHOULD
 6.5. The Class IKERejectAction..................................MAY
 6.6. The Class PreconfiguredSAAction...........................MUST
 6.6.1. The Property LifetimeKilobytes..........................MUST
 6.7. The Class PreconfiguredTransportAction....................MUST
 6.8. The Class PreconfiguredTunnelAction.......................MUST
 6.8.1. The Property DFHandling.................................MUST
 6.9. The Class SANegotiationAction.............................MUST
 6.10. The Class IKENegotiationAction...........................MUST
 6.10.1. The Property MinLifetimeSeconds.........................MAY
 6.10.2. The Property MinLifetimeKilobytes.......................MAY
 6.10.3. The Property IdleDurationSeconds........................MAY
 6.11. The Class IPsecAction....................................MUST
 6.11.1. The Property UsePFS....................................MUST
 6.11.2. The Property UseIKEGroup................................MAY
 6.11.3. The Property GroupId...................................MUST
 6.11.4. The Property Granularity.............................SHOULD
 6.11.5. The Property VendorID...................................MAY
 6.12. The Class IPsecTransportAction...........................MUST
 6.13. The Class IPsecTunnelAction..............................MUST
 6.13.1. The Property DFHandling................................MUST
 6.14. The Class IKEAction......................................MUST
 6.14.1. The Property ExchangeMode  ............................MUST
 6.14.2. The Property UseIKEIdentityType........................MUST
 6.14.3. The Property VendorID...................................MAY
 6.14.4. The Property AggressiveModeGroupId......................MAY
 6.15. The Class PeerGateway....................................MUST
 6.15.1. The Property Name....................................SHOULD
 6.15.2. The Property PeerIdentityType..........................MUST
 6.15.3. The Property PeerIdentity..............................MUST
 6.16. The Association Class PeerGatewayForTunnel...............MUST
 6.16.1. The Reference Antecedent...............................MUST
 6.16.2. The Reference Dependent................................MUST
 6.16.3. The Property SequenceNumber..........................SHOULD
 6.17. The Aggregation Class ContainedProposal..................MUST
 6.17.1. The Reference GroupComponent...........................MUST
 6.17.2. The Reference PartComponent............................MUST
 6.17.3. The Property SequenceNumber............................MUST
 6.18. The Association Class HostedPeerGatewayInformation........MAY
 6.18.1. The Reference Antecedent...............................MUST
 6.18.2. The Reference Dependent................................MUST
 6.19. The Association Class TransformOfPreconfiguredAction.....MUST
 6.19.1. The Reference Antecedent...............................MUST
 6.19.2. The Reference Dependent................................MUST
 6.19.3. The Property SPI.......................................MUST
 6.19.4. The Property Direction.................................MUST
 6.20. The Association Class PeerGatewayForPreconfiguredTunnel..MUST
 6.20.1. The Reference Antecedent...............................MUST

Jason, et al. Standards Track [Page 81] RFC 3585 IPsec Configuration Policy Model August 2003

 6.20.2. The Reference Dependent................................MUST
 7. Proposal and Transform Classes
 7.1. The Abstract Class SAProposal.............................MUST
 7.1.1. The Property Name.....................................SHOULD
 7.2 The Class IKEProposal......................................MUST
 7.2.1. The Property CipherAlgorithm............................MUST
 7.2.2. The Property HashAlgorithm..............................MUST
 7.2.3. The Property PRFAlgorithm................................MAY
 7.2.4. The Property GroupId....................................MUST
 7.2.5. The Property AuthenticationMethod.......................MUST
 7.2.6. The Property MaxLifetimeSeconds.........................MUST
 7.2.7. The Property MaxLifetimeKilobytes.......................MUST
 7.2.8. The Property VendorID....................................MAY
 7.3. The Class IPsecProposal...................................MUST
 7.4. The Abstract Class SATransform............................MUST
 7.4.1. The Property TransformName............................SHOULD
 7.4.2. The Property VendorID....................................MAY
 7.4.3. The Property MaxLifetimeSeconds.........................MUST
 7.4.4. The Property MaxLifetimeKilobytes.......................MUST
 7.5. The Class AHTransform.....................................MUST
 7.5.1. The Property AHTransformId..............................MUST
 7.5.2. The Property UseReplayPrevention.........................MAY
 7.5.3. The Property ReplayPreventionWindowSize..................MAY
 7.6. The Class ESPTransform....................................MUST
 7.6.1. The Property IntegrityTransformId.......................MUST
 7.6.2. The Property CipherTransformId..........................MUST
 7.6.3. The Property CipherKeyLength.............................MAY
 7.6.4. The Property CipherKeyRounds.............................MAY
 7.6.5. The Property UseReplayPrevention.........................MAY
 7.6.6. The Property ReplayPreventionWindowSize..................MAY
 7.7. The Class IPCOMPTransform..................................MAY
 7.7.1. The Property Algorithm..................................MUST
 7.7.2. The Property DictionarySize..............................MAY
 7.7.3. The Property PrivateAlgorithm............................MAY
 7.8. The Association Class SAProposalInSystem...................MAY
 7.8.1. The Reference Antecedent................................MUST
 7.8.2. The Reference Dependent.................................MUST
 7.9. The Aggregation Class ContainedTransform..................MUST
 7.9.1. The Reference GroupComponent............................MUST
 7.9.2. The Reference PartComponent.............................MUST
 7.9.3. The Property SequenceNumber.............................MUST
 7.10. The Association Class SATransformInSystem.................MAY
 7.10.1. The Reference Antecedent...............................MUST
 7.10.2. The Reference Dependent................................MUST
 8. IKE Service and Identity Classes
 8.1. The Class IKEService.......................................MAY
 8.2. The Class PeerIdentityTable................................MAY
 8.3.1. The Property Name.....................................SHOULD

Jason, et al. Standards Track [Page 82] RFC 3585 IPsec Configuration Policy Model August 2003

 8.3. The Class PeerIdentityEntry................................MAY
 8.3.1. The Property PeerIdentity.............................SHOULD
 8.3.2. The Property PeerIdentityType.........................SHOULD
 8.3.3. The Property PeerAddress..............................SHOULD
 8.3.4. The Property PeerAddressType..........................SHOULD
 8.4. The Class AutostartIKEConfiguration........................MAY
 8.5. The Class AutostartIKESetting..............................MAY
 8.5.1. The Property Phase1Only..................................MAY
 8.5.2. The Property AddressType..............................SHOULD
 8.5.3. The Property SourceAddress..............................MUST
 8.5.4. The Property SourcePort.................................MUST
 8.5.5. The Property DestinationAddress.........................MUST
 8.5.6. The Property DestinationPort............................MUST
 8.5.7. The Property Protocol...................................MUST
 8.6. The Class IKEIdentity......................................MAY
 8.6.1. The Property IdentityType...............................MUST
 8.6.2. The Property IdentityValue..............................MUST
 8.6.3. The Property IdentityContexts............................MAY
 8.7. The Association Class HostedPeerIdentityTable..............MAY
 8.7.1. The Reference Antecedent................................MUST
 8.7.2. The Reference Dependent.................................MUST
 8.8. The Aggregation Class PeerIdentityMember...................MAY
 8.8.1. The Reference Collection................................MUST
 8.8.2. The Reference Member....................................MUST
 8.9. The Association Class IKEServicePeerGateway................MAY
 8.9.1. The Reference Antecedent................................MUST
 8.9.2. The Reference Dependent.................................MUST
 8.10. The Association Class IKEServicePeerIdentityTable.........MAY
 8.10.1. The Reference Antecedent...............................MUST
 8.10.2. The Reference Dependent................................MUST
 8.11. The Association Class IKEAutostartSetting.................MAY
 8.11.1. The Reference Element..................................MUST
 8.11.2. The Reference Setting..................................MUST
 8.12. The Aggregation Class AutostartIKESettingContext..........MAY
 8.12.1. The Reference Context..................................MUST
 8.12.2. The Reference Setting..................................MUST
 8.12.3. The Property SequenceNumber..........................SHOULD
 8.13. The Association Class IKEServiceForEndpoint...............MAY
 8.13.1. The Reference Antecedent...............................MUST
 8.13.2. The Reference Dependent................................MUST
 8.14. The Association Class IKEAutostartConfiguration...........MAY
 8.14.1. The Reference Antecedent...............................MUST
 8.14.2. The Reference Dependent................................MUST
 8.14.3. The Property Active..................................SHOULD
 8.15. The Association Class IKEUsesCredentialManagementService..MAY
 8.15.1. The Reference Antecedent...............................MUST
 8.15.2. The Reference Dependent................................MUST
 8.16. The Association Class EndpointHasLocalIKEIdentity.........MAY

Jason, et al. Standards Track [Page 83] RFC 3585 IPsec Configuration Policy Model August 2003

 8.16.1. The Reference Antecedent...............................MUST
 8.16.2. The Reference Dependent................................MUST
 8.17. The Association Class CollectionHasLocalIKEIdentity.......MAY
 8.17.1. The Reference Antecedent...............................MUST
 8.17.2. The Reference Dependent................................MUST
 8.18. The Association Class IKEIdentitysCredential..............MAY
 8.18.1. The Reference Antecedent...............................MUST
 8.18.2. The Reference Dependent................................MUST

10. Security Considerations

 This document only describes an information model for IPsec policy.
 It does not detail security requirements for storage or delivery of
 said information.
 Physical models derived from this information model MUST implement
 the relevant security for storage and delivery.  Most of the classes
 (e.g., IpHeadersFilter, SAAction,...) MUST at least provided the
 integrity service; other pieces of information MUST also receive the
 confidentiality service (e.g., SharedSecret as described in the
 classes PeerIdentityEntry and PreconfiguredSAAction).

11. Intellectual Property Statement

 The IETF takes no position regarding the validity or scope of any
 intellectual property or other rights that might be claimed to
 pertain to the implementation or use of the technology described in
 this document or the extent to which any license under such rights
 might or might not be available; neither does it represent that it
 has made any effort to identify any such rights.  Information on the
 IETF's procedures with respect to rights in standards-track and
 standards-related documentation can be found in BCP-11.
 Copies of claims of rights made available for publication and any
 assurances of licenses to be made available, or the result of an
 attempt made to obtain a general license or permission for the use of
 such proprietary rights by implementers or users of this
 specification can be obtained from the IETF Secretariat.
 The IETF invites any interested party to bring to its attention any
 copyrights, patents or patent applications, or other proprietary
 rights which may cover technology that may be required to practice
 this standard.  Please address the information to the IETF Executive
 Director.

Jason, et al. Standards Track [Page 84] RFC 3585 IPsec Configuration Policy Model August 2003

12. References

12.1. Normative References

 [COMP]       Shacham, A., Monsour, B., Pereira, R. and M. Thomas, "IP
              Payload Compression Protocol (IPComp)", RFC 3173,
              September 2001.
 [ESP]        Kent, S. and R. Atkinson, "IP Encapsulating Security
              Payload (ESP)", RFC 2406, November 1998.
 [AH]         Kent, S. and R. Atkinson, "IP Authentication Header",
              RFC 2402, November 1998.
 [DOI]        Piper, D., "The Internet IP Security Domain of
              Interpretation for ISAKMP", RFC 2407, November 1998.
 [IKE]        Harkins, D. and D. Carrel, "The Internet Key Exchange
              (IKE)", RFC 2409, November 1998.
 [PCIM]       Moore, B., Ellesson, E., Strassner, J. and A.
              Westerinen, "Policy Core Information Model -- Version 1
              Specification", RFC 3060, February 2001.
 [PCIME]      Moore, B., Editor, "Policy Core Information Model (PCIM)
              Extensions", RFC 3460, January 2003.
 [KEYWORDS]   Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.
 [CIMCORE]    DMTF Common Information Model - Core Model v2.5 which
              can be found at
              http://www.dmtf.org/standards/CIM_Schema25/
              CIM_Core25.mof
 [CIMUSER]    DMTF Common Information Model - User-Security Model v2.5
              which can be found at
              http://www.dmtf.org/standards/CIM_Schema25/
              CIM_User25.mof
 [CIMNETWORK] DMTF Common Information Model - Network Model v2.5
              which can be found at
              http://www.dmtf.org/standards/CIM_Schema25/
              CIM_Network25.mof
 [IPSO]       Kent, S., "U.S. Department of Defense Security Options
              for the Internet Protocol", RFC 1108, November 1991.

Jason, et al. Standards Track [Page 85] RFC 3585 IPsec Configuration Policy Model August 2003

 [IPSEC]      Kent, S. and R. Atkinson, "Security Architecture for the
              Internet Protocol", RFC 2401, November 1998.

12.2. Informative References

 [LDAP]       Wahl, M., Howes, T. and S. Kille, "Lightweight Directory
              Access Protocol (v3)", RFC 2251, December 1997.
 [COPS]       Durham, D., Ed., Boyle, J., Cohen, R., Herzog, S.,
              Rajan, R. and A. Sastry, "The COPS (Common Open Policy
              Service) Protocol", RFC 2748, January 2000.
 [COPSPR]     Chan, K., Seligson, J., Durham, D., Gai, S., McCloghrie,
              K., Herzog, S., Reichmeyer, R., Yavatkar, R. and A.
              Smith, "COPS Usage for Policy Provisioning (COPS-PR)",
              RFC 3084, March 2001.
 [DMTF]       Distributed Management Task Force, http://www.dmtf.org/

13. Disclaimer

 The views and specification herein are those of the authors and are
 not necessarily those of their employer.  The authors and their
 employer specifically disclaim responsibility for any problems
 arising from correct or incorrect implementation or use of this
 specification.

14. Acknowledgments

 The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire,
 Vic Lortz, William Dixon, Man Li, Wes Hardaker and Ricky Charlet for
 their contributions to this IPsec policy model.
 Additionally, this document would not have been possible without the
 preceding IPsec schema documents.  For that, thanks go out to Rob
 Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju
 Rajan.

Jason, et al. Standards Track [Page 86] RFC 3585 IPsec Configuration Policy Model August 2003

15. Authors' Addresses

 Jamie Jason
 Intel Corporation
 MS JF3-206
 2111 NE 25th Ave.
 Hillsboro, OR 97124
 EMail: jamie.jason@intel.com
 Lee Rafalow
 IBM Corporation, BRQA/502
 4205 So. Miami Blvd.
 Research Triangle Park, NC 27709
 EMail: rafalow@watson.ibm.com
 Eric Vyncke
 Cisco Systems
 7 De Kleetlaan
 B-1831 Diegem
 Belgium
 EMail: evyncke@cisco.com

Jason, et al. Standards Track [Page 87] RFC 3585 IPsec Configuration Policy Model August 2003

16. Full Copyright Statement

 Copyright (C) The Internet Society (2003).  All Rights Reserved.
 This document and translations of it may be copied and furnished to
 others, and derivative works that comment on or otherwise explain it
 or assist in its implementation may be prepared, copied, published
 and distributed, in whole or in part, without restriction of any
 kind, provided that the above copyright notice and this paragraph are
 included on all such copies and derivative works.  However, this
 document itself may not be modified in any way, such as by removing
 the copyright notice or references to the Internet Society or other
 Internet organizations, except as needed for the purpose of
 developing Internet standards in which case the procedures for
 copyrights defined in the Internet Standards process must be
 followed, or as required to translate it into languages other than
 English.
 The limited permissions granted above are perpetual and will not be
 revoked by the Internet Society or its successors or assignees.
 This document and the information contained herein is provided on an
 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

 Funding for the RFC Editor function is currently provided by the
 Internet Society.

Jason, et al. Standards Track [Page 88]

/data/webs/external/dokuwiki/data/pages/rfc/rfc3585.txt · Last modified: 2003/08/11 16:44 by 127.0.0.1

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki