Internet Engineering Task Force                          Jamie Jason
   INTERNET DRAFT                                     Intel Corporation
   11-July-2000



                     IPsec Configuration Policy Model
                draft-ietf-ipsp-config-policy-model-01.txt


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
         http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
         http://www.ietf.org/shadow.html.

Abstract

   This document presents an object-oriented model of IPsec policy
   designed to:
   o    facilitate agreement about the content and semantics of IPsec
        policy
   o    enable derivations of task-specific representations of IPsec
        policy such as storage schema, distribution representations,
        and policy specification languages used to configure IPsec-
        enabled endpoints
   The schema described in this document models the IKE phase one
   parameters as described in [IKE] and the IKE phase two parameters
   for the IPsec Domain of Interpretation as described in [COMP, ESP,
   AH, DOI].  It is based upon the core policy classes as defined in
   the Policy Core Information Model (PCIM) [PCIM].












Jason                                                         [Page 1]


Internet Draft     IPsec Configuration Policy Model          July 2000


Table of Contents

   Status of this Memo................................................1
   Abstract...........................................................1
   Table of Contents..................................................2
   1. Introduction....................................................5
   2. UML Conventions.................................................5
   3. IPsec Policy Model Inheritance Hierarchy........................6
   4. Policy Classes..................................................9
   4.1. The Class IPsecPolicyGroup....................................9
   4.1.1. The Property IKERuleOverridePoint..........................10
   4.1.2. The Property IPsecRuleOverridePoint........................10
   4.2. The Class SARule.............................................11
   4.3. The Class IKERule............................................11
   4.4. The Class IPsecRule..........................................11
   4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup..........12
   4.5.1. The Reference ContainingGroup..............................12
   4.5.2. The Reference ContainedGroup...............................12
   4.5.3. The Property Precedence....................................12
   4.6. The Composition Class RuleForIKENegotiation..................12
   4.6.1. The Reference ContainingGroup..............................13
   4.6.2. The Reference ContainedRule................................13
   4.7. The Composition Class RuleForIPsecNegotiation................13
   4.7.1. The Reference ContainingGroup..............................13
   4.7.2. The Reference ContainedRule................................13
   4.8. The Aggregation Class SAConditionInRule......................14
   4.8.1. The Reference ContainingRule...............................14
   4.8.2. The Reference ContainedCondition...........................14
   4.8.3. The Property SequenceNumber................................14
   4.9. The Aggregation Class SAActionInRule.........................14
   4.9.1. The Reference ContainingRule...............................15
   4.9.2. The Reference ContainedAction..............................15
   4.10. The Aggregation Class FallbackSAActionInRule................15
   4.10.1. The Reference ContainingRule..............................15
   4.10.2. The Reference ContainedAction.............................15
   4.10.3. The Property SequenceNumber...............................16
   5. Condition and Filter Classes...................................17
   5.1. The Class SACondition........................................18
   5.1.1. The Property StartupCondition..............................18
   5.2. The Class FilterList.........................................18
   5.2.1. The Property Name..........................................19
   5.2.2. The Property Direction.....................................19
   5.3. The Abstract Class FilterEntryBase...........................19
   5.3.1. The Property Name..........................................19
   5.3.2. The Property IsNegated.....................................19
   5.4. The Abstract Class IPFilterEntry.............................20
   5.5. The Abstract Class EndpointFilterEntry.......................20
   5.5.1. The Property ApplyToDestination............................20
   5.6. The Class IPv4AddressFilterEntry.............................20
   5.6.1. The Property Address.......................................21
   5.7. The Class IPv4RangeFilterEntry...............................21
   5.7.1. The Property StartAddress..................................21
   5.7.2. The Property EndAddress....................................21
   5.8. The Class IPv4SubnetFilterEntry..............................21
   5.8.1. The Property Address.......................................22
   5.8.2. The Property Mask..........................................22
   5.9. The Class IPv6AddressFilterEntry.............................22
   5.9.1. The Property Address.......................................22
   5.10. The Class IPv6RangeFilterEntry..............................22
   5.10.1. The Property StartAddress.................................23
   5.10.2. The Property EndAddress...................................23
   5.11. The Class IPv6SubnetFilterEntry.............................23
   5.11.1. The Property Address......................................23
   5.11.2. The Property Mask.........................................24
   5.12. The Class FQDNFilterEntry...................................24
   5.12.1. The Property Name.........................................24
   5.13. The Class ProtocolFilterEntry...............................24
   5.13.1. The Property Protocol.....................................24
   5.14. The Class UDPFilterEntry....................................25
   5.14.1. The Property StartPort....................................25
   5.14.2. The Property EndPort......................................25
   5.15. The Class TCPFilterEntry....................................25
   5.15.1. The Property StartPort....................................26
   5.15.2. The Property EndPort......................................26
   5.16. The Abstract Class IPSOFilterEntry..........................26
   5.17. The Class ClassificationLevelFilterEntry....................26
   5.17.1. The Property Level........................................26
   5.18. The Class ProtectionAuthorityFilterEntry....................27
   5.18.1. The Property Authority....................................27
   5.19. The Class CredentialFilterEntry.............................27
   5.20. The Aggregation Class FilterOfSACondition...................27
   5.20.1. The Reference Antecedent..................................28
   5.20.2. The Reference Dependent...................................28
   5.21. The Composition Class EntriesInFilterList...................28
   5.21.1. The Reference Antecedent..................................28
   5.21.2. The Reference Dependent...................................28
   5.21.3. The Property EntrySequence................................29
   6. Action Classes.................................................30
   6.1. The Class SAAction...........................................30
   6.2. The Class SAStaticAction.....................................30
   6.2.1. The Property LifetimeSeconds...............................31
   6.3. The Class IPsecBypassAction..................................31
   6.4. The Class IPsecDiscardAction.................................31
   6.4.1. The Property DoLogging.....................................32
   6.5. The Class IKERejectAction....................................32
   6.5.1. The Property DoLogging.....................................32
   6.6. The Class SAPreconfiguredAction..............................32
   6.7. The Class SANegotiationAction................................33
   6.7.1. The Property MinLifetimeSeconds............................33
   6.7.2. The Property MinLifetimeKilobytes..........................33
   6.7.3. The Property RefreshThresholdSeconds.......................34
   6.7.4. The Property RefreshThresholdKilobytes.....................34
   6.7.5. The Property IdleDurationSeconds...........................34
   6.8. The Class IPsecAction........................................35
   6.8.1. The Property UsePFS........................................35
   6.8.2. The Property UseIKEGroup...................................35
   6.8.3. The Property GroupId.......................................35
   6.8.4. The Property Granularity...................................36
   6.9. The Class IPsecTransportAction...............................36
   6.10. The Class IPsecTunnelAction.................................36
   6.10.1. The Property PeerGateway..................................37
   6.10.2. The Property DFHandling...................................37
   6.11. The Class IKEAction.........................................37
   6.11.1. The Property RefreshThresholdDerivedKeys..................37
   6.11.2. The Property ExchangeMode.................................38
   6.11.3. The Property UseIKEIdentityType...........................38
   6.12. The Aggregation Class ContainedProposal.....................38
   6.12.1. The Reference GroupComponent..............................39
   6.12.2. The Reference PartComponent...............................39
   6.12.3. The Property SequenceNumber...............................39
   7. Proposal and Transform Classes.................................40
   7.1. The Abstract Class SAProposal................................40
   7.1.1. The Property Name..........................................40
   7.1.2. The Property MaxLifetimeSeconds............................41
   7.1.3. The Property MaxLifetimeKilobytes..........................41
   7.2. The Class IKEProposal........................................41
   7.2.1. The Property LifetimeDerivedKeys...........................41
   7.2.2. The Property CipherAlgorithm...............................42
   7.2.3. The Property HashAlgorithm.................................42
   7.2.4. The Property PRFAlgorithm..................................42
   7.2.5. The Property GroupId.......................................43
   7.2.6. The Property AuthenticationMethod..........................43
   7.3. The Class IPsecProposal......................................43
   7.4. The Abstract Class SATransform...............................44
   7.4.1. The Property Name..........................................44
   7.4.2. The Property VendorID......................................44
   7.5. The Class AHTransform........................................44
   7.5.1. The Property AHTransformId.................................44
   7.6. The Class ESPTransform.......................................45
   7.6.1. The Property IntegrityTransformId..........................45
   7.6.2. The Property CipherTransformId.............................45
   7.6.3. The Property CipherKeyLength...............................46
   7.6.4. The Property CipherKeyRounds...............................46
   7.7. The Class IPCOMPTransform....................................46
   7.7.1. The Property Algorithm.....................................46
   7.7.2. The Property DictionarySize................................47
   7.7.3. The Property PrivateAlgorithm..............................47
   7.8. The Aggregation Class ContainedTransform.....................47
   7.8.1. The Reference GroupComponent...............................48
   7.8.2. The Reference PartComponent................................48
   7.8.3. The Property SequenceNumber................................48
   8. Security Considerations........................................48
   9. Intellectual Property..........................................48
   10. Acknowledgments...............................................49
   11. References....................................................49
   12. Disclaimer....................................................50
   13. Author's Address..............................................50
   14. Full Copyright Statement......................................50

1. Introduction

   Internet Protocol security (IPsec) policy may assume a variety of
   forms as it travels from storage to distribution point to decision
   point.  At each step, it needs to be represented in a way that is
   convenient for the current task.  For example, the policy could
   exist as, but is not limited to:

   o   a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in
       a directory
   o   an on-the-wire representation over a transport protocol like the
       Common Object Policy Service (COPS) [COPS, COPSPR]
   o   a text-based policy specification language [SPSL] suitable for
       editing by an administrator
   o   an Extensible Markup Language (XML) document

   Each of these task-specific representations should be derived from a
   canonical representation that precisely specifies the content and
   semantics of the IPsec policy.  The purpose of this document is to
   abstract IPsec policy into a task-independent representation that is
   not constrained by any particular task-dependent representation.

   This document is organized as follows:

   o   Section 2 provides a quick introduction to the Unified Modeling
       Language (UML) graphical notation conventions used in this
       document.

   o   Section 3 provides the inheritance hierarchy which describes
       where the IPsec policy classes fit into the policy class
       hierarchy already defined by PCIM.

   o   The remainder of the document describes the classes which make
       up the IPsec policy model.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [KEYWORDS].

2. UML Conventions

   For this document, a UML static class diagram was chosen as the
   canonical representation for the IPsec policy model.  The reason
   behind this decision is that UML provides a graphical, task-
   independent way to model systems.  A treatise on the graphical
   notation used in UML is beyond the scope of this paper.  However,
   given the use of ASCII drawing for UML static class diagrams, a
   description of the notational conventions used in this document is
   in order:

   o   Boxes represent classes, with class names in brackets ([])
        representing a virtual class.
   o   A line that terminates with an arrow (<, >, ^, v) denotes
       inheritance.  The arrow always points to the parent class.
       Inheritance can also be called generalization or specialization
       (depending upon the reference point).  A base class is a
       generalization of a derived class, and a derived class is a
       specialization of a base class.
   o   Associations are used to model a relationship between two
       classes.  Classes that share an association are connected using
       a line.
       There are two special kinds of associations - aggregations and
       compositions.  Both model a whole-part relationship between two
       classes.  Associations, and therefore aggregations and
       compositions, can also be modeled as classes.
   o   A line that begins with an "o" denotes aggregation.  Aggregation
       denotes containment in which the contained class and the
       containing class have independent lifetimes.
   o   A line that begins with an "x" denotes composition.  Composition
       denotes containment in which the contained class and the
       containing class have coincident lifetimes.
   o   Next to a line representing an association appears a
       multiplicity.  Multiplicities indicate the number of objects in
       the relationship.  The multiplicity may be:
       - a range in the form "lower bound..upper bound" indicating the
         minimum and maximum number of objects.
       - a number that indicates the exact number of objects.
       - an asterisk indicating any number of objects, including zero.
         Using an asterisk is shorthand for 0..n.
       - the letter n indicating from 1 to many.  Using the letter n is
         shorthand for 1..n.

   It should be noted that the UML static class diagram presented is a
   conceptual view of IPsec policy designed to aid in understanding.
   It does not necessarily get translated class for class into another
   representation.  For example, an LDAP implementation may flatten out
   the representation to fewer classes (because of the inefficiency of
   following references).

3. IPsec Policy Model Inheritance Hierarchy

   The following diagram represents the inheritance hierarchy and how
   the IPsec policy model classes fit into PCIM.

   [unrooted]
   |
   +--Policy (PCIM)
   |  |
   |  +--PolicyGroup (PCIM)
   |  |  |
   |  |  +--IPsecPolicyGroup (new class)
   |  |
   |  +--PolicyRule (PCIM)
   |  |  |
   |  |  +--SARule (new abstract class)
   |  |     |
   |  |     +--IKERule (new class)
   |  |     |
   |  |     +--IPsecRule (new class)
   |  |
   |  +--PolicyCondition (PCIM)
   |  |  |
   |  |  +--SACondition (new class)
   |  |
   |  +--PolicyAction (PCIM)
   |     |
   |     +--SAAction (new abstract class)
   |        |
   |        +--SAStaticAction (new abstract class)
   |        |  |
   |        |  +--IPsecBypassAction (new class)
   |        |  |
   |        |  +--IPsecDiscardAction (new class)
   |        |  |
   |        |  +--IKERejectAction (new class)
   |        |  |
   |        |  +--SAPreconfiguredAction (new class)
   |        |
   |        +--SANegotiationAction (new abstract class)
   |           |
   |           +--IPsecAction (new abstract class)
   |           |  |
   |           |  +--IPsecTransportAction (new class)
   |           |  |
   |           |  +--IPsecTunnelAction (new class)
   |           |
   |           +--IKEAction (new abstract class)
   |
   +--FilterList
   |
   +--FilterEntryBase
   |  |
   |  +--IPFilterEntry (new abstract class)
   |  |  |
   |  |  +--EndpointFilterEntry (new abstract class)
   |  |  |  |
   |  |  |  +--IPv4AddressFilterEntry (new class)
   |  |  |  |
   |  |  |  +--IPv4RangeFilterEntry (new class)
   |  |  |  |
   |  |  |  +--IPv4SubnetFilterEntry (new class)
   |  |  |  |
   |  |  |  +--IPv6AddressFilterEntry (new class)
   |  |  |  |
   |  |  |  +--IPv6RangeFilterEntry (new class)
   |  |  |  |
   |  |  |  +--IPv6SubnetFilterEntry (new class)
   |  |  |  |
   |  |  |  +--FQDNFilterEntry (new class)
   |  |  |
   |  |  +--PortFilterEntry (new class)
   |  |  |
   |  |  +--ProtocolFilterEntry (new class)
   |  |
   |  +--IPSOFilterEntry (new class)
   |  |
   |  +--CredentialFilterEntry (new class)
   |
   +--SAProposal (new abstract class)
   |  |
   |  +--IKEProposal (new class)
   |  |
   |  +--IPsecProposal (new class)
   |
   +--SATransform (new abstract class)
      |
      +--AHTransform (new class)
      |
      +--ESPTransform (new class)
      |
      +--IPCOMPTransform (new class)

   The following diagram represents the inheritance hierarchy and how
   the IPsec policy model association classes fit into PCIM.

   [unrooted]
   |
   +--PolicyGroupInPolicyGroup (PCIM)
   |  |
   |  +--IPsecPolicyGroupInPolicyGroup (new class)
   |
   +--PolicyConditionInPolicyRule (PCIM)
   |  |
   |  +--SAConditionInRule (new class)
   |
   +--FallbackSAActionInRule (new class)
   |
   +--EntriesInFilterList (new class)
   |
   +--ContainedProposal (new class)
   |
   +--IPsecContainedTransform (new class)

4. Policy Classes

   The IPsec policy classes represent the set of policies that are
   contained on a system.

                        (a)
                     +------+
                     |      |*
                     |   *+------------------+
                     +---o| IPsecPolicyGroup |
                          +------------------+
                            1 x          x 1
                (b)           |          |         (c)
      +-----------------------+          +---------------------+
      |                                                        |
      |               +---------------------------+            |
      |               | PolicyTimePeriodCondition |            |
      |               |    (defined in [PCIM])    |            |
      |               +---------------------------+            |
      |                           *|                           |
      |                            | (d)                       |
      |                           *o                           |
      |  +-------------+*     *+--------+*      1+----------+  |
      |  | SACondition |------o| SARule |o-------| SAAction |  |
      |  +-------------+ (e)   +--------+    (f) +----------+  |
      |                            ^                   |*      |
      |                            |            +------+       |
      |                   +--------+--------+   |  (g)         |
      |                   |                 |  *o              |
      |              *+---------+     +-----------+*           |
      +---------------| IKERule |     | IPsecRule |------------+
                      +---------+     +-----------+

   (a)  IPsecPolicyGroupInPolicyGroup
   (b)  RuleForIKENegotiation
   (c)  RuleForIPsecNegotiation
   (d)  PolicyRuleValidityPeriod (defined in [PCIM])
   (e)  SAConditionInRule
   (f)  SAActionInRule
   (g)  FallbackSAActionInRule


4.1. The Class IPsecPolicyGroup

   The class IPsecPolicyGroup serves as a container of either other
   IPsecPolicyGroups or a set of IKERules and a set of IPsecRules.
   Rules contained within an IPsecPolicyGroup MUST have a unique
   Priority value.  The class definition for IPsecPolicyGroup is as
   follows:

   NAME         IPsecPolicyGroup
   DESCRIPTION  Either a set of IPsecPolicyGroups or a set of IKERules
                and a set of IPsecRules.
   DERIVED FROM PolicyGroup (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyGroupName (from PolicyGroup)
                IKERuleOverridePoint
                IPsecRuleOverridePoint

   NOTE:  for derivations of the schema that are used for policy
   distribution to an IPsec device (for example, COPS-PR), the server
   may follow all of IPsecPolicyGroupInPolicyGroup associations and
   create one policy group which is simply a set of all of the IKE
   rules and a set of all of the IPsec rules.  See the section on the
   IPsecPolicyGroupInPolicyGroup aggregation for information on merging
   multiple IPsecPolicyGroups.

4.1.1. The Property IKERuleOverridePoint

   This property specifies the rule priority at which the policy author
   is willing to allow IKERule insertions by a local administrator.
   For example, the IT department may define the policy on a company-
   wide basis, but allow groups or individuals to insert rules into the
   policy to override defaults.  Rules are ordered in decreasing order
   of their priority (i.e., higher priorities come first).  The
   override point specifies that if rules are inserted, they are to be
   inserted before all rules equal to or less than the override
   priority value.

   For example, assume that there is a group G1 with IKE rules as
   follows:

   G1 = { Rule A (priority 50),
          Rule B (priority 25),
          Rule C (priority 15) }

   The IKE override value for G1 is 20.  Now assume that a local
   administrator wants to insert a set of IKE rules {Rule D, Rule E}
   where Rule D has a higher priority than Rule E.  The new rules will
   be added before rules in G1 with priority equal to or less than 20.
   So, when evaluating rules, the order of evaluation would be A, B, D,
   E, C.  Note that the priorities of the rules in the override set are
   relative only to the set.

   The property is defined as follows:

   NAME         IKERuleOverridePoint
   DESCRIPTION  Specifies the rule priority at which the policy author
                is willing to allow IKERule insertions by a local
                administrator.
   SYNTAX       unsigned 16-bit integer

4.1.2. The Property IPsecRuleOverridePoint

   This property specifies the rule priority at which the policy author
   is willing to allow IPsecRule insertions by a local administrator.
   This property is the same as IKERuleOverridePoint except it is used
   for the IPsec rules in the IPsecPolicyGroup.  The property is
   defined as follows:

   NAME         IPsecRuleOverridePoint
   DESCRIPTION  Specifies the rule priority at which the policy author
                is willing to allow IPsecRule insertions by a local
                administrator.
   SYNTAX       unsigned 16-bit integer

4.2. The Class SARule

   The class SARule serves as a base class for IKERule and IPsecRule.
   Even though the class is concrete, it MUST NOT be instantiated.  It
   defines a common connection point for associations to conditions and
   actions for both types of rules.  Each SARule within a given
   IPsecPolicyGroup must contain a unique priority.  Through its
   derivation from PolicyRule, an SARule (and therefore IKERule and
   IPsecRule) also has the PolicyRuleValidityPeriod association.  The
   class definition for SARule is as follows:

   NAME         SARule
   DESCRIPTION  A base class for IKERule and IPsecRule.
   DERIVED FROM PolicyRule (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyRuleName (from PolicyRule)
                Enabled (from PolicyRule)
                ConditionListType (from PolicyRule)
                Priority (from PolicyRule)
                PolicyRoles (from PolicyRule)

4.3. The Class IKERule

   The class IKERule associates Conditions and Actions for IKE phase 1
   negotiations.  The class definition for IKERule is as follows:

   NAME         IKERule
   DESCRIPTION  Associates Conditions and Actions for IKE phase 1
                negotiations.
   DERIVED FROM SARule
   ABSTRACT     FALSE
   PROPERTIES   same as SARule

4.4. The Class IPsecRule

   The class IPsecRule associates Conditions and Actions for IKE phase
   2 negotiations for the IPsec DOI.  The class definition for
   IPsecRule is as follows:

   NAME         IPsecRule
   DESCRIPTION  Associates Conditions and Actions for IKE phase 2
                negotiations for the IPsec DOI.
   DERIVED FROM SARule
   ABSTRACT     FALSE
   PROPERTIES   same as SARule

4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup

   The class IPsecPolicyGroupInPolicyGroup allows multiple IPsec
   policies to be combined into one effective policy.  When merging
   policies, rule priorities are used in conjunction with the rule
   override point values to determine insertion points and for rule
   priority renumbering (if necessary to maintain uniqueness).  The
   class definition for IPsecPolicyGroupInPolicyGroup is as follows:

   NAME         IPsecPolicyGroupInPolicyGroup
   DESCRIPTION  Associates a nested IPsecPolicyGroup with the
                IPsecPolicyGroup that contains it.
   DERIVED FROM PolicyGroupInPolicyGroup (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   ContainingGroup [ref IPsecPolicyGroup [0..n]]
                ContainedGroup [ref IPsecPolicyGroup [0..n]]
                Precedence

4.5.1. The Reference ContainingGroup

   The property ContainingGroup is inherited from
   PolicyGroupInPolicyGroup and is overridden to contain an object
   reference to an IPsecPolicyGroup that contains one or more
   IPsecPolicyGroups.  The [0..n] cardinality indicates that there may
   be zero or more IPsecPolicyGroups that contain any given
   IPsecPolicyGroup.

4.5.2. The Reference ContainedGroup

   The property ContainedGroup is inherited from
   PolicyGroupInPolicyGroup and is overridden to contain an object
   reference to an IPsecPolicyGroup contained by one or more
   IPsecPolicyGroups.  The [0..n] cardinality indicates that an
   IPsecPolicyGroup may contain zero or more IPsecPolicyGroups.

4.5.3. The Property Precedence

   The property Precedence specifies the merge ordering of the nested
   IPsecPolicyGroups.  The property is defined as follows:

   NAME         Precedence
   DESCRIPTION  Specifies the merge ordering of the nested
                IPsecPolicyGroups.
   SYNTAX       unsigned 16-bit integer
   VALUE        Any value between 1 and 2^16-1 inclusive.  Lower values
                have higher precedence (i.e., 1 is the highest
                precedence).  The merging order of two ContainedGroups
                with the same precedence is undefined.
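   As an added worked example that is not part of this draft, the
   following Python implements the override-point insertion from the
   IKERuleOverridePoint example in Section 4.1.1 and the merging of
   nested IPsecPolicyGroups by Precedence described in this section,
   then renumbers the merged rules so their priorities are unique again.
   The class names mirror the model but are a constructed, simplified
   rendering; the reading that a nested group's rules are inserted at
   the containing group's IKERuleOverridePoint in ascending Precedence
   order, the handling of containment cycles and duplicate Precedence
   values, and the renumbering scheme are assumptions of this example,
   since the draft does not spell them out.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_U16 = 0xFFFF  # SYNTAX "unsigned 16-bit integer" for Priority, Precedence and override points

@dataclass
class SARule:             # stand-in for an IKERule; only its PolicyRule Priority matters here
    name: str
    priority: int         # higher values are evaluated first (Section 4.1.1)

@dataclass
class IPsecPolicyGroup:
    name: str
    ike_rule_override_point: int
    ike_rules: List[SARule] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Section 4.1: rules within one IPsecPolicyGroup MUST have unique Priority values
        prios = [r.priority for r in self.ike_rules]
        if len(prios) != len(set(prios)):
            raise ValueError(f"{self.name}: duplicate IKE rule priority")

@dataclass
class IPsecPolicyGroupInPolicyGroup:   # one link of the aggregation (Section 4.5)
    containing: str
    contained: str
    precedence: int

    def __post_init__(self) -> None:
        # Section 4.5.3: any value between 1 and 2^16-1 inclusive; 1 is the highest precedence
        if not 1 <= self.precedence <= MAX_U16:
            raise ValueError(f"Precedence {self.precedence} out of range")

def insert_at_override_point(own: List[SARule], override: int,
                             inserted: List[SARule]) -> List[SARule]:
    """Section 4.1.1: `inserted` (already in its own evaluation order) goes before every
    group rule whose priority is <= the override point; the group's own rules are
    evaluated in decreasing priority.  Inserted rules keep only their relative order."""
    ordered = sorted(own, key=lambda r: r.priority, reverse=True)
    above = [r for r in ordered if r.priority > override]
    at_or_below = [r for r in ordered if r.priority <= override]
    return above + list(inserted) + at_or_below

def effective_ike_order(root: str, groups: Dict[str, IPsecPolicyGroup],
                        links: List[IPsecPolicyGroupInPolicyGroup],
                        warnings: List[str], path: Tuple[str, ...] = ()) -> List[SARule]:
    """Flatten `root` and every group nested in it into the single rule list a distribution
    server may build (Section 4.1 NOTE).  Assumed reading of Section 4.5: nested groups are
    merged in ascending Precedence and inserted at the containing group's override point."""
    if root in path:
        # Both ends of the aggregation are [0..n], so a containment cycle is representable;
        # report it and stop instead of recursing forever.
        warnings.append("containment cycle " + " -> ".join(path + (root,)) + "; ignored")
        return []
    group = groups[root]
    nested = sorted((lk for lk in links if lk.containing == root), key=lambda lk: lk.precedence)
    merged, seen = [], set()
    for link in nested:
        if link.precedence in seen:  # Section 4.5.3: merge order is then undefined
            warnings.append(f"{root}: duplicate Precedence {link.precedence}")
        seen.add(link.precedence)
        merged += effective_ike_order(link.contained, groups, links, warnings, path + (root,))
    return insert_at_override_point(group.ike_rules, group.ike_rule_override_point, merged)

def renumber(order: List[SARule], top: int = MAX_U16, step: int = 10) -> List[SARule]:
    """Give the merged order fresh, unique, decreasing priorities so it is again a valid
    single group (the renumbering Section 4.5 mentions).  top/step is this example's choice."""
    if (len(order) - 1) * step > top:
        raise ValueError("too many rules for the 16-bit priority space")
    return [SARule(r.name, top - i * step) for i, r in enumerate(order)]

def draft_example_4_1_1() -> List[str]:
    """The draft's worked example: G1 = {A(50), B(25), C(15)}, override point 20, local
    insertions {D, E} with D above E.  Expected evaluation order: A, B, D, E, C."""
    g1 = IPsecPolicyGroup("G1", 20, [SARule("A", 50), SARule("B", 25), SARule("C", 15)])
    # Constructed local priorities: E (5) is below C (15) yet still precedes C, because
    # priorities inside the inserted set are relative only to that set.
    local = sorted([SARule("D", 90), SARule("E", 5)], key=lambda r: r.priority, reverse=True)
    return [r.name for r in insert_at_override_point(g1.ike_rules, 20, local)]

def nested_example() -> Tuple[List[str], List[int], List[str]]:
    """Constructed data: Corp (override 20) contains Eng (Precedence 1) and Sales
    (Precedence 2); Sales in turn lists Corp as contained, which forms a cycle."""
    groups = {
        "Corp": IPsecPolicyGroup("Corp", 20, [SARule("A", 50), SARule("B", 25), SARule("C", 15)]),
        "Eng": IPsecPolicyGroup("Eng", 0, [SARule("D", 40), SARule("E", 10)]),
        "Sales": IPsecPolicyGroup("Sales", 0, [SARule("F", 99)]),
    }
    links = [IPsecPolicyGroupInPolicyGroup(*t)
             for t in [("Corp", "Sales", 2), ("Corp", "Eng", 1), ("Sales", "Corp", 1)]]
    warnings: List[str] = []
    flat = renumber(effective_ike_order("Corp", groups, links, warnings))
    return [r.name for r in flat], [r.priority for r in flat], warnings

if __name__ == "__main__":
    print(draft_example_4_1_1())   # ['A', 'B', 'D', 'E', 'C']
    print(nested_example())
```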

4.6. The Composition Class RuleForIKENegotiation

   The class RuleForIKENegotiation associates an IKERule with the
   IPsecPolicyGroup that contains it.  The class definition for
   RuleForIKENegotiation is as follows:

   NAME         RuleForIKENegotiation
   DESCRIPTION  Associates an IKERule with the IPsecPolicyGroup that
                contains it.
   ABSTRACT     FALSE
   PROPERTIES   ContainingGroup [ref IPsecPolicyGroup [1..1]]
                ContainedRule [ref IKERule [0..n]]

4.6.1. The Reference ContainingGroup

   The property ContainingGroup contains an object reference to an
   IPsecPolicyGroup that contains one or more IKERules.  The [1..1]
   cardinality indicates that an IKERule may be contained in only one
   IPsecPolicyGroup (i.e., IKERules are not shared across
   IPsecPolicyGroups).

4.6.2. The Reference ContainedRule

   The property ContainedRule contains an object reference to an
   IKERule contained by an IPsecPolicyGroup.  The [0..n] cardinality
   indicates that an IPsecPolicyGroup may contain zero or more
   IKERules.

4.7. The Composition Class RuleForIPsecNegotiation

   The class RuleForIPsecNegotiation associates an IPsecRule with the
   IPsecPolicyGroup that contains it.  The class definition for
   RuleForIPsecNegotiation is as follows:

   NAME         RuleForIPsecNegotiation
   DESCRIPTION  Associates an IPsecRule with the IPsecPolicyGroup that
                contains it.
   ABSTRACT     FALSE
   PROPERTIES   ContainingGroup [ref IPsecPolicyGroup [1..1]]
                ContainedRule [ref IPsecRule [0..n]]

4.7.1. The Reference ContainingGroup

   The property ContainingGroup contains an object reference to an
   IPsecPolicyGroup that contains one or more IPsecRules.  The [1..1]
   cardinality indicates that an IPsecRule may be contained in only one
   IPsecPolicyGroup (i.e., IPsecRules are not shared across
   IPsecPolicyGroups).

4.7.2. The Reference ContainedRule

   The property ContainedRule contains an object reference to an
   IPsecRule contained by an IPsecPolicyGroup.  The [0..n] cardinality
   indicates that an IPsecPolicyGroup may contain zero or more
   IPsecRules.

4.8. The Aggregation Class SAConditionInRule

   The class SAConditionInRule associates an SARule with the
   SACondition instances that trigger it.  See [PCIM] for the usage for
   the properties GroupNumber and ConditionNegated.  The class
   definition for SAConditionInRule is as follows:

   NAME         SAConditionInRule
   DESCRIPTION  Associates an SARule with the SACondition instances
                that trigger it.
   DERIVED FROM PolicyConditionInPolicyRule (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   ContainingRule [ref SARule [0..n]]
                ContainedCondition [ref SACondition [0..n]]
                GroupNumber (from PolicyConditionInPolicyRule)
                ConditionNegated (from PolicyConditionInPolicyRule)
                SequenceNumber

4.8.1. The Reference ContainingRule

   The property ContainingRule is inherited from
   PolicyConditionInPolicyRule and is overridden to contain an object
   reference to an SARule that contains one or more SAConditions.  The
   [0..n] cardinality indicates that an SACondition may be contained in
   zero or more SARules.

4.8.2. The Reference ContainedCondition

   The property ContainedCondition is inherited from
   PolicyConditionInPolicyRule and is overridden to contain an object
   reference to an SACondition that is contained by an SARule.  The
   [0..n] cardinality indicates that an SARule may contain zero or more
   SAConditions.

4.8.3. The Property SequenceNumber

   The property SequenceNumber specifies, for a given rule, the order
   in which the SACondition instances will be evaluated.  The property
   is defined as follows:

   NAME         SequenceNumber
   DESCRIPTION  Specifies the evaluation order of the SAConditions.
   SYNTAX       unsigned 16-bit integer
   VALUE        Lower valued SAConditions are evaluated first.  The
                order of evaluation of ContainedConditions with the
                same SequenceNumber value is undefined.

4.9. The Aggregation Class SAActionInRule

   The SAActionInRule class associates an SARule with its primary
   SAAction.  The class definition for SAActionInRule is as follows:

   NAME         SAActionInRule
   DESCRIPTION  Associates an SARule with its primary SAAction.
   DERIVED FROM PolicyActionInPolicyRule (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   ContainingRule [ref SARule [0..n]]
                ContainedAction [ref SAAction [1..1]]

4.9.1. The Reference ContainingRule

   The property ContainingRule is inherited from
   PolicyActionInPolicyRule and is overridden to contain an object
   reference to an SARule that contains an SAAction.  The [0..n]
   cardinality indicates that an SAAction may be contained in zero or
   more SARules.

4.9.2. The Reference ContainedAction

   The property ContainedAction is inherited from
   PolicyActionInPolicyRule and is overridden to contain an object
   reference to an SAAction that is contained by an SARule.  The [1..1]
   cardinality indicates that an SARule may contain only one SAAction.

4.10. The Aggregation Class FallbackSAActionInRule

   The class FallbackSAActionInRule associates an SARule with its
   ordered set of fallback actions.  Fallback actions allow an
   administrator to define what action is to be taken if the SAAction
   referenced by SAActionInRule fails for any reason.  The class
   definition for FallbackSAActionInRule is as follows:

   NAME         FallbackSAActionInRule
   DESCRIPTION  Associates an SARule with the ordered set of fallback
                actions that should be attempted/applied in the case of
                failure of the primary SAAction.
   ABSTRACT     FALSE
   PROPERTIES   ContainingRule [ref SARule [0..n]]
                ContainedAction [ref SAAction [0..n]]
                SequenceNumber

4.10.1. The Reference ContainingRule

   The property ContainingRule contains an object reference to an
   SARule that contains one or more fallback SAActions.  The [0..n]
   cardinality indicates that a fallback SAAction may be contained in
   zero or more SARules.

4.10.2. The Reference ContainedAction

   The property ContainedAction contains an object reference to a
   fallback SAAction that is contained by one or more SARules.  The
   [0..n] cardinality indicates that an SARule may contain zero or more
   fallback SAActions.

4.10.3. The Property SequenceNumber

   The property SequenceNumber specifies, for a given rule, the order
   in which the fallback SAActions should be attempted.  Once a
   fallback SAAction is successfully applied, then subsequent fallback
   SAActions should be ignored.  The property is defined as follows:

   NAME         SequenceNumber
   DESCRIPTION  Specifies the order of attempted application for the
                fallback SAAction.
   SYNTAX       unsigned 16-bit integer
   VALUE        Lower valued fallback SAActions are attempted first.
                The order of attempt of ContainedActions with the same
                SequenceNumber value is undefined.

5. Condition and Filter Classes

   The IPsec condition and filter classes are used to build the "if"
   part of the IKE and IPsec rules.

   +-------------+*    0..1+------------+1       *+-------------------+
   | SACondition |o--------| FilterList |x--------| [FilterEntryBase] |
   +-------------+   (a)   +------------+   (b)   +-------------------+
                                                           ^
                                                           |
            +---------------------+------------------------+
            |                     |                        |
   +-----------------+  +-------------------+ +-----------------------+
   | [IPFilterEntry] |  | [IPSOFilterEntry] | | CredentialFilterEntry |
   +-----------------+  +-------------------+ +-----------------------+
            ^                     ^
            |                     |
            | +-------------------+
            | |
            | | +--------------------------------+
            | +-| ClassificationLevelFilterEntry |
            | | +--------------------------------+
            | |
            | | +--------------------------------+
            | +-| ProtectionAuthorityFilterEntry |
            |   +--------------------------------+
            |
            +-----------------------------------------------+
            |                                               |
   +-----------------------+                     +--------------------+
   | [EndpointFilterEntry] |                     |ProtocolFilterEntry |
   +-----------------------+                     +--------------------+
              ^                                                   ^
              |                               +----------------+  |
              +----------------------+        | UDPFilterEntry |--+
                                     |        +----------------+  |
                                     |                            |
              +-----------------+    |        +----------------+  |
              | FQDNFilterEntry |----+        | TCPFilterEntry |--+
              +-----------------+    |        +----------------+
                                     |
       +------------------------+    |    +------------------------+
       | IPv4AddressFilterEntry |----+----| IPv6AddressFilterEntry |
       +------------------------+    |    +------------------------+
                                     |
         +----------------------+    |    +----------------------+
         | IPv4RangeFilterEntry |----+----| IPv6RangeFilterEntry |
         +----------------------+    |    +----------------------+
                                     |
        +-----------------------+    |    +-----------------------+
        | IPv4SubnetFilterEntry |----+----| IPv6SubnetFilterEntry |
        +-----------------------+         +-----------------------+

   (a)  FilterOfSACondition
   (b)  EntriesInFilterList

5.1. The Class SACondition

   The class SACondition defines the preconditions for IKE and IPsec
   negotiations.  The class definition for SACondition is as follows:

   NAME         SACondition
   DESCRIPTION  Defines the preconditions for IKE and IPsec
                negotiations.
   DERIVED FROM PolicyCondition (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyConditionName (from PolicyCondition)
                StartupCondition

5.1.1. The Property StartupCondition

   This property specifies the triggering event that caused the rule
   evaluation.  The property is defined as follows:

   NAME         StartupCondition
   DESCRIPTION  Specifies the triggering event that causes the rule to
                be evaluated.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 (OnBoot) - the rule is triggered after system boot.
                The FilterList associated with the SACondition contains
                the information that will be used to build the
                selectors.
                2 (OnManual) - the rule is triggered manually in
                response to user input.  The FilterList associated with
                the SACondition contains the information that will be
                used to build the selectors.
                3 (OnDataTraffic) - the rule is triggered when packets
                without associated security associations are sent or
                received (traffic directionality is indicated by the
                Direction field of the associated FilterList).
                4 (OnIKEMessage) - the rule is triggered when an
                incoming request for IKE negotiation is received.

5.2. The Class FilterList

   The class FilterList aggregates an ANDed set of filters that are
   used for determining when an SACondition evaluates to true and
   therefore its associated SAAction should be performed.  The class
   definition for FilterList is as follows:

   NAME         FilterList
   DESCRIPTION  Aggregates a set of filters for condition matching.
   ABSTRACT     FALSE
   PROPERTIES   Name
                Direction

5.2.1. The Property Name

   This property specifies a user-friendly name for the FilterList.
   The property is defined as follows:

   NAME         Name
   DESCRIPTION  Specifies the user-friendly name for the FilterList.
   SYNTAX       string

5.2.2. The Property Direction

   This property specifies whether the FilterList applies to incoming,
   outgoing, or bi-directional traffic.  Direction is only meaningful
   for filter types that inspect traffic parameters and when the
   StartupCondition property in the SACondition is set to OnDataTraffic
   (3).  The property is defined as follows:

   NAME         Direction
   DESCRIPTION  Specifies what kind of traffic will be checked -
                incoming, outgoing, or bi-directional.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - Incoming
                2 - Outgoing
                3 - Bi-directional

5.3. The Abstract Class FilterEntryBase

   The abstract class FilterEntryBase serves as the base class for the
   specific filter classes.  The class definition for FilterEntryBase
   is as follows:

   NAME         FilterEntryBase
   DESCRIPTION  Serves as the base class for specific filter classes.
   ABSTRACT     TRUE
   PROPERTIES   Name
                IsNegated

5.3.1. The Property Name

   This property specifies a user-friendly name for the filter.  The
   property is defined as follows:

   NAME         Name
   DESCRIPTION  Specifies the user-friendly name for the filter.
   SYNTAX       string

5.3.2. The Property IsNegated

   This property specifies whether or not the boolean result of the
   filter evaluation should be negated.  The property is defined as
   follows:

   NAME         IsNegated
   DESCRIPTION  Specifies whether or not to negate the result of the
                evaluation of the filter.
   SYNTAX       boolean
   VALUE        A value of true means that the boolean result of the
                filter evaluation will be negated.  A value of false
                means that the result will not be altered.

5.4. The Abstract Class IPFilterEntry

   The abstract class IPFilterEntry serves as a base class for filter
   entries which are used to match against the 5-tuple (i.e., source
   and destination address, protocol, and source and destination port)
   information in the IP packet.  The class definition for
   IPFilterEntry is as follows:

   NAME         IPFilterEntry
   DESCRIPTION  Serves as the base class for IP 5-tuple filters.
   DERIVED FROM FilterEntryBase
   ABSTRACT     TRUE

5.5. The Abstract Class EndpointFilterEntry

   The abstract class EndpointFilterEntry serves as a base class for
   filters which match against IP addresses (source or destination).
   The class definition for EndpointFilterEntry is as follows:

   NAME         EndpointFilterEntry
   DESCRIPTION  Serves as the base class for filters which match
                against IP addresses.
   DERIVED FROM IPFilterEntry
   ABSTRACT     TRUE
   PROPERTIES   ApplyToDestination

5.5.1. The Property ApplyToDestination

   This property specifies whether the address to test against is the
   source or the destination IP address.  The property is defined as
   follows:

   NAME         ApplyToDestination
   DESCRIPTION  Specifies which IP address to test, source or
                destination.
   SYNTAX       boolean
   VALUE        A value of true means that the destination IP address
                should be tested against.  A value of false means that
                the source IP address should be tested against.

5.6. The Class IPv4AddressFilterEntry

   The class IPv4AddressFilterEntry specifies a filter that will match
   against a single IPv4 address.  The class definition for
   IPv4AddressFilterEntry is as follows:

   NAME         IPv4AddressFilterEntry
   DESCRIPTION  Defines the match filter for an IPv4 address.
   DERIVED FROM EndpointFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   Address

5.6.1. The Property Address

   This property specifies the IPv4 address that will be used in the
   equality test.  The property is defined as follows:

   NAME         Address
   DESCRIPTION  Specifies the IPv4 address to match against.
   SYNTAX       unsigned 32-bit integer

5.7. The Class IPv4RangeFilterEntry

   The class IPv4RangeFilterEntry specifies a filter for testing if an
   IPv4 address is between the start address and end address
   inclusively.  The class definition for IPv4RangeFilterEntry is as
   follows:

   NAME         IPv4RangeFilterEntry
   DESCRIPTION  Defines the match filter for an IPv4 address range.
   DERIVED FROM EndpointFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   StartAddress
                EndAddress

5.7.1. The Property StartAddress

   This property specifies the first IPv4 address in the address range.
   The property is defined as follows:

   NAME         StartAddress
   DESCRIPTION  Specifies the start of the IPv4 address range.
   SYNTAX       unsigned 32-bit integer

5.7.2. The Property EndAddress

   This property specifies the last IPv4 address in the address range.
   The property is defined as follows:

   NAME         EndAddress
   DESCRIPTION  Specifies the end of the IPv4 address range.
   SYNTAX       unsigned 32-bit integer
   VALUE        EndAddress must be greater than or equal to
                StartAddress.

5.8. The Class IPv4SubnetFilterEntry

   The class IPv4SubnetFilterEntry specifies a filter for testing if an
   IPv4 address is in the specified subnet.  The class definition for
   IPv4SubnetFilterEntry is as follows:

   NAME         IPv4SubnetFilterEntry
   DESCRIPTION  Defines the match filter for an IPv4 subnet.
   DERIVED FROM EndpointFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   Address
                Mask

5.8.1. The Property Address

   This property specifies the IPv4 subnet.  The property is defined as
   follows:

   NAME         Address
   DESCRIPTION  Specifies the IPv4 subnet.
   SYNTAX       unsigned 32-bit integer

5.8.2. The Property Mask

   This property specifies the IPv4 mask.  The property is defined as
   follows:

   NAME         Mask
   DESCRIPTION  Specifies the IPv4 mask.
   SYNTAX       unsigned 32-bit integer
   VALUE        A special value of 0.0.0.0, coupled with an Address
                value of 0.0.0.0, can be used to specify all addresses.

5.9. The Class IPv6AddressFilterEntry

   The class IPv6AddressFilterEntry specifies a filter that will match
   against a single IPv6 address.  The class definition for
   IPv6AddressFilterEntry is as follows:

   NAME         IPv6AddressFilterEntry
   DESCRIPTION  Defines the match filter for an IPv6 address.
   DERIVED FROM EndpointFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   Address

5.9.1. The Property Address

   This property specifies the IPv6 address that will be used in the
   equality test.  The property is defined as follows:

   NAME         Address
   DESCRIPTION  Specifies the IPv6 address to match against.
   SYNTAX       byte[16]

5.10. The Class IPv6RangeFilterEntry

   The class IPv6RangeFilterEntry specifies a filter for testing if an
   IPv6 address is between the start address and end address
   inclusively.  The class definition for IPv6RangeFilterEntry is as
   follows:

   NAME         IPv6RangeFilterEntry
   DESCRIPTION  Defines the match filter for an IPv6 address range.
   DERIVED FROM EndpointFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   StartAddress
                EndAddress

5.10.1. The Property StartAddress

   This property specifies the first IPv6 address in the address range.
   The property is defined as follows:

   NAME         StartAddress
   DESCRIPTION  Specifies the start of the IPv6 address range.
   SYNTAX       byte[16]

5.10.2. The Property EndAddress

   This property specifies the last IPv6 address in the address range.
   The property is defined as follows:

   NAME         EndAddress
   DESCRIPTION  Specifies the end of the IPv6 address range.
   SYNTAX       byte[16]
   VALUE        EndAddress must be greater than or equal to
                StartAddress.

5.11. The Class IPv6SubnetFilterEntry

   The class IPv6SubnetFilterEntry specifies a filter for testing if an
   IPv6 address is in the specified subnet.  The class definition for
   IPv6SubnetFilterEntry is as follows:

   NAME         IPv6SubnetFilterEntry
   DESCRIPTION  Defines the match filter for an IPv6 subnet.
   DERIVED FROM EndpointFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   Address
                Mask

5.11.1. The Property Address

   This property specifies the IPv6 subnet.  The property is defined as
   follows:

   NAME         Address
   DESCRIPTION  Specifies the IPv6 subnet.
   SYNTAX       byte[16]

5.11.2. The Property Mask

   This property specifies the IPv6 mask.  The property is defined as
   follows:

   NAME         Mask
   DESCRIPTION  Specifies the IPv6 mask.
   SYNTAX       byte[16]
   VALUE        A special value of 0:0:0:0:0:0:0:0 (i.e., ::), coupled
                with an Address value of 0:0:0:0:0:0:0:0, can be used
                to specify all addresses.

5.12. The Class FQDNFilterEntry

   The class FQDNFilterEntry specifies a filter for matching against a
   single or wild-carded DNS name.  The class definition for
   FQDNFilterEntry is as follows:

   NAME         FQDNFilterEntry
   DESCRIPTION  Defines the match filter for a DNS name.
   DERIVED FROM EndpointFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   Name

5.12.1. The Property Name

   This property specifies the DNS name to match against.  The property
   is defined as follows:

   NAME         Name
   DESCRIPTION  Specifies the DNS name.
   SYNTAX       string
   VALUE        The DNS name can be fully qualified (for example,
                foo.intel.com) or partially qualified (*.intel.com).

5.13. The Class ProtocolFilterEntry

   The class ProtocolFilterEntry specifies a filter for testing against
   an IP protocol.  The class definition for ProtocolFilterEntry is as
   follows:

   NAME         ProtocolFilterEntry
   DESCRIPTION  Defines a match filter for IP protocol.
   DERIVED FROM IPFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   Protocol

5.13.1. The Property Protocol

   This property specifies the IP protocol to match against.  The
   property is defined as follows:

   NAME         Protocol
   DESCRIPTION  Specifies the IP protocol.
   SYNTAX       unsigned 8-bit integer
   VALUE        A value of zero matches against any protocol.  Any
                other value is the IP protocol number.

5.14. The Class UDPFilterEntry

   The class UDPFilterEntry specifies a filter for testing if a UDP
   port is between the start port and end port inclusively.  It is
   assumed that the Protocol property from the ProtocolFilterEntry
   class will contain the value 17 (i.e., UDP).  The class definition
   for UDPFilterEntry is as follows:

   NAME         UDPFilterEntry
   DESCRIPTION  Defines the match filter for a UDP port range.
   DERIVED FROM ProtocolFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   StartPort
                EndPort

5.14.1. The Property StartPort

   This property specifies the first port in the UDP port range.  The
   property is defined as follows:

   NAME         StartPort
   DESCRIPTION  Specifies the start of the UDP port range.
   SYNTAX       unsigned 16-bit integer

5.14.2. The Property EndPort

   This property specifies the last port in the UDP port range.  The
   property is defined as follows:

   NAME         EndPort
   DESCRIPTION  Specifies the end of the UDP port range.
   SYNTAX       unsigned 16-bit integer
   VALUE        EndPort must be greater than or equal to StartPort.

5.15. The Class TCPFilterEntry

   The class TCPFilterEntry specifies a filter for testing if a TCP
   port is between the start port and end port inclusively.  It is
   assumed that the Protocol property from the ProtocolFilterEntry
   class will contain the value 6 (i.e., TCP).  The class definition
   for TCPFilterEntry is as follows:

   NAME         TCPFilterEntry
   DESCRIPTION  Defines the match filter for a TCP port range.
   DERIVED FROM ProtocolFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   StartPort
                EndPort

5.15.1. The Property StartPort

   This property specifies the first port in the TCP port range.  The
   property is defined as follows:

   NAME         StartPort
   DESCRIPTION  Specifies the start of the TCP port range.
   SYNTAX       unsigned 16-bit integer

5.15.2. The Property EndPort

   This property specifies the last port in the TCP port range.  The
   property is defined as follows:

   NAME         EndPort
   DESCRIPTION  Specifies the end of the TCP port range.
   SYNTAX       unsigned 16-bit integer
   VALUE        EndPort must be greater than or equal to StartPort.

5.16. The Abstract Class IPSOFilterEntry

   The abstract class IPSOFilterEntry serves as a base class for the IP
   Security Option (IPSO) filters.  The class definition for
   IPSOFilterEntry is as follows:

   NAME         IPSOFilterEntry
   DESCRIPTION  Serves as the base class for the IPSO filters.
   DERIVED FROM FilterEntryBase
   ABSTRACT     TRUE

5.17. The Class ClassificationLevelFilterEntry

   The class ClassificationLevelFilterEntry specifies a filter for
   matching against the classification level IPSO field type.  The
   class definition for ClassificationLevelFilterEntry is as follows:

   NAME         ClassificationLevelFilterEntry
   DESCRIPTION  Defines the filter for the IPSO classification level.
   DERIVED FROM IPSOFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   Level

5.17.1. The Property Level

   This property specifies the classification level to match against.
   The property is defined as follows:

   NAME         Level
   DESCRIPTION  Specifies the classification level.
   SYNTAX       unsigned 16-bit integer
   VALUE        61 - Top Secret
                90 - Secret
                150 - Confidential
                171 - Unclassified

5.18. The Class ProtectionAuthorityFilterEntry

   The class ProtectionAuthorityFilterEntry specifies a filter for
   matching against the protection authority IPSO field type. The class
   definition for ProtectionAuthorityFilterEntry is as follows:

   NAME         ProtectionAuthorityFilterEntry
   DESCRIPTION  Defines the filter for the IPSO protection authority.
   DERIVED FROM IPSOFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   Authority

5.18.1. The Property Authority

   This property specifies the protection authority to match against.
   The property is defined as follows:

   NAME         Authority
   DESCRIPTION  Specifies the protection authority.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - GENSER
                1 - SIOP-ESI
                2 - SCI
                3 - NSA
                4 - DOE

5.19. The Class CredentialFilterEntry

   The class CredentialFilterEntry defines a filter for matching
   against credential information that was obtained during the IKE
   phase 1 negotiation.  This information can be identity information
   (such as User FQDN) or information retrieved from credential
   information (for example, fields from a certificate).  This
   information can be used as a form of access control.  The class
   definition for CredentialFilterEntry is as follows:

   NAME         CredentialFilterEntry
   DESCRIPTION  Defines the filter for matching against IKE phase 1
                credential/identity information.
   DERIVED FROM FilterEntryBase
   ABSTRACT     FALSE
   PROPERTIES   To Be Determined...

5.20. The Aggregation Class FilterOfSACondition

   The class FilterOfSACondition associates an SACondition with the
   filter specifications (FilterList) that make up the condition.  The
   class definition for FilterOfSACondition is as follows:

   NAME         FilterOfSACondition
   DESCRIPTION  Associates a condition with the FilterList that makes
                up the individual condition elements.
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref FilterList[0..1]]
                Dependent [ref SACondition [0..n]]

5.20.1. The Reference Antecedent

   The property Antecedent contains an object reference to a FilterList
   that is contained in one or more SAConditions.  The [0..1]
   cardinality indicates that an SACondition may have zero or one
   FilterList.

5.20.2. The Reference Dependent

   The property Dependent contains an object reference to an
   SACondition that contains a FilterList.  The [0..n] cardinality
   indicates that a FilterList may be contained in zero or more
   SAConditions.

5.21. The Composition Class EntriesInFilterList

   The class EntriesInFilterList associates the individual
   FilterEntryBases with a FilterList.  Together these individual
   FilterEntryBases can create complex conditions.  The class
   definition for EntriesInFilterList is as follows:

   NAME         EntriesInFilterList
   DESCRIPTION  Associates a FilterList with the set of individual
                filters.
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref FilterEntryBase[0..n]]
                Dependent [ref FilterList [1..1]]
                EntrySequence

5.21.1. The Reference Antecedent

   The property Antecedent contains an object reference to a
   FilterEntryBase that is contained in a FilterList.  The [0..n]
   cardinality indicates that a FilterList may have zero or more
   FilterEntryBases.

5.21.2. The Reference Dependent

   The property Dependent contains an object reference to a FilterList
   that contains zero or more FilterEntryBases.  The [1..1] cardinality
   indicates that a FilterEntryBase may be contained in one and only
   one FilterList (i.e., FilterEntryBases cannot be shared between
   FilterLists).

5.21.3. The Property EntrySequence

   The property EntrySequence specifies, for a given FilterList, the
   order in which the filters should be checked.  The property is
   defined as follows:

   NAME         EntrySequence
   DESCRIPTION  Specifies the order to check the filters in a
                FilterList.
   SYNTAX       unsigned 16-bit integer
   VALUE        Lower valued filters are checked first.  The order of
                checking of FilterEntryBases with the same
                EntrySequence value is undefined.

6. Action Classes

   The action classes are used to model the different actions an IPsec
   device may take when the evaluation of the associated condition
   results in a match.

                                +----------+
                                | SAAction |
                                +----------+
                                     ^
                                     |
                         +-----------+--------------+
                         |                          |
                 +----------------+      +---------------------+*
                 | SAStaticAction |      | SANegotiationAction |o-----+
                 +----------------+      +---------------------+      |
                               ^                     ^                |
                               |                     |                |
                               |         +-----------+-------+        |
                               |         |                   |        |
       +-------------------+   |   +-------------+     +-----------+  |
       | IPsecBypassAction |---+   | IPsecAction |     | IKEAction |  |
       +-------------------+   |   +-------------+     +-----------+  |
                               |       ^                              |
      +--------------------+   |       |    +----------------------+  |
      | IPsecDiscardAction |---+       +----| IPsecTransportAction |  |
      +--------------------+   |       |    +----------------------+  |
                               |       |                              |
         +-----------------+   |       |    +-------------------+     |
         | IKERejectAction |---+       +----| IPsecTunnelAction |     |
         +-----------------+   |            +-------------------+     |
                               |                                      |
   +-----------------------+   |               +--------------+n      |
   | SAPreconfiguredAction |---+               | [SAProposal] |-------+
   +-----------------------+                   +--------------+   (a)

   (a)  ContainedProposal

6.1. The Class SAAction

   The class SAAction serves as the base class for IKE and IPsec
   actions.  Although the class is concrete, it MUST not be
   instantiated.  The class definition for SAAction is as follows:

   NAME         SAAction
   DESCRIPTION  The base class for IKE and IPsec actions.
   DERIVED FROM PolicyAction (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyActionName (from PolicyAction)

6.2. The Class SAStaticAction

   The class SAStaticAction serves as the base class for IKE and IPsec
   actions that do not require any negotiation.  Although the class is
   concrete, it MUST not be instantiated.  The class definition for
   SAStaticAction is as follows:

   NAME         SAStaticAction
   DESCRIPTION  The base class for IKE and IPsec actions that do not
                require any negotiation.
   DERIVED FROM SAAction
   ABSTRACT     FALSE
   PROPERTIES   LifetimeSeconds

6.2.1. The Property LifetimeSeconds

   The property LifetimeSeconds specifies how long the security
   association derived from this action should be used.  The property
   is defined as follows:

   NAME         LifetimeSeconds
   DESCRIPTION  Specifies the amount of time (in seconds) that a
                security association derived from this action should be
                used.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there is not a lifetime
                associated with this action (i.e., infinite lifetime).
                A non-zero value is typically used in conjunction with
                fallback actions performed when there is a negotiation
                failure of some sort.

6.3. The Class IPsecBypassAction

   The class IPsecBypassAction is used when packets are allowed to be
   processed without applying IPsec to them.  This is the same as
   stating that packets are allowed to flow in the clear.  The class
   definition for IPsecBypassAction is as follows:

   NAME         IPsecBypassAction
   DESCRIPTION  Specifies that packets are to be allowed to pass in the
                clear.
   DERIVED FROM SAStaticAction
   ABSTRACT     FALSE

6.4. The Class IPsecDiscardAction

   The class IPsecDiscardAction is used when packets are to be
   discarded.  This is the same as stating that packets are to be
   denied.  The class definition for IPsecDiscardAction is as follows:

   NAME         IPsecDiscardAction
   DESCRIPTION  Specifies that packets are to be discarded.
   DERIVED FROM SAStaticAction
   ABSTRACT     FALSE
   PROPERTIES   DoLogging

6.4.1. The Property DoLogging

   The property DoLogging specifies whether or not an audit message
   should be logged when a packet is discarded.  The property is
   defined as follows:

   NAME         DoLogging
   DESCRIPTION  Specifies if an audit message should be logged when a
                packet is discarded.
   SYNTAX       boolean
   VALUE        A value of true indicates that logging should be done
                for this action.  A value of false indicates logging
                should not be done for this action.

6.5. The Class IKERejectAction

   The class IKERejectAction is used to prevent attempting an IKE
   negotiation with the peer(s).  The class definition for
   IKERejectAction is as follows:

   NAME         IKERejectAction
   DESCRIPTION  Specifies that an IKE negotiation should not even be
                attempted.
   DERIVED FROM SAStaticAction
   ABSTRACT     FALSE
   PROPERTIES   DoLogging

6.5.1. The Property DoLogging

   The property DoLogging specifies whether or not an audit message
   should be logged when a determination is made to prevent an IKE
   negotiation.  The property is defined as follows:

   NAME         DoLogging
   DESCRIPTION  Specifies if an audit message should be logged when IKE
                negotiation is prohibited.
   SYNTAX       boolean
   VALUE        A value of true indicates that logging should be done
                for this action.  A value of false indicates logging
                should not be done for this action.

6.6. The Class SAPreconfiguredAction

   The class SAPreconfiguredAction is used to create a security
   association using preconfigured, hard-wired algorithms and keys.
   The class definition for SAPreconfiguredAction is as follows:

   NAME         SAPreconfiguredAction
   DESCRIPTION  Specifies preconfigured algorithm and keying
                information for creation of a security association.
   DERIVED FROM SAStaticAction
   ABSTRACT     FALSE
   PROPERTIES   To Be Determined...

6.7. The Class SANegotiationAction

   The class SANegotiationAction serves as the base class for IKE and
   IPsec actions which result in an IKE negotiation.  Although the class
   is concrete, it MUST not be instantiated.  The class definition for
   SANegotiationAction is as follows:

   NAME         SANegotiationAction
   DESCRIPTION  A base class for IKE and IPsec actions that specifies
                the parameters that are common for IKE phase 1 and IKE
                phase 2 IPsec DOI negotiations.
   DERIVED FROM SAAction
   ABSTRACT     FALSE
   PROPERTIES   MinLifetimeSeconds
                MinLifetimeKilobytes
                RefreshThresholdSeconds
                RefreshThresholdKilobytes
                IdleDurationSeconds

6.7.1. The Property MinLifetimeSeconds

   The property MinLifetimeSeconds specifies the minimum seconds
   lifetime that will be accepted from the peer.  MinLifetimeSeconds is
   used to prevent certain denial of service attacks where the peer
   requests an arbitrarily low lifetime value, causing renegotiations
   with correspondingly expensive Diffie-Hellman operations.  The
   property is defined as follows:

   NAME         MinLifetimeSeconds
   DESCRIPTION  Specifies the minimum acceptable seconds lifetime.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there is no minimum
                value.  A non-zero value specifies the minimum seconds
                lifetime.

6.7.2. The Property MinLifetimeKilobytes

   The property MinLifetimeKilobytes specifies the minimum kilobyte
   lifetime that will be accepted from the peer.  MinLifetimeKilobytes
   is used to prevent certain denial of service attacks where the peer
   requests an arbitrarily low lifetime value, causing renegotiations
   with correspondingly expensive Diffie-Hellman operations.  The
   property is defined as follows:

   NAME         MinLifetimeKilobytes
   DESCRIPTION  Specifies the minimum acceptable kilobyte lifetime.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there is no minimum
                value.  A non-zero value specifies the minimum kilobyte
                lifetime.

6.7.3. The Property RefreshThresholdSeconds

   The property RefreshThresholdSeconds specifies what percentage of
   the seconds lifetime can expire before IKE should attempt to
   renegotiate the IPsec security association.  A random value may be
   added to the calculated threshold (percentage x seconds lifetime) to
   reduce the chance of both peers attempting to renegotiate at the
   same time.  The property is defined as follows:

   NAME         RefreshThresholdSeconds
   DESCRIPTION  Specifies the percentage of seconds lifetime that has
                expired before the IPsec security association is
                renegotiated.
   SYNTAX       unsigned 8-bit integer
   VALUE        A value between 1 and 100 representing a percentage.  A
                value of 100 indicates that the IPsec security
                association should not be renegotiated until the
                seconds lifetime has been reached.

6.7.4. The Property RefreshThresholdKilobytes

   The property RefreshThresholdKilobytes specifies what percentage of
   the kilobyte lifetime can expire before IKE should attempt to
   renegotiate the IPsec security association.  A random value may be
   added to the calculated threshold (percentage x kilobyte lifetime)
   to reduce the chance of both peers attempting to renegotiate at the
   same time.  The property is defined as follows:

   NAME         RefreshThresholdKilobytes
   DESCRIPTION  Specifies the percentage of kilobyte lifetime that has
                expired before the IPsec security association is
                renegotiated.
   SYNTAX       unsigned 8-bit integer
   VALUE        A value between 1 and 100 representing a percentage.  A
                value of 100 indicates that the IPsec security
                association should not be renegotiated until the
                kilobyte lifetime has been reached.

6.7.5. The Property IdleDurationSeconds

   The property IdleDurationSeconds specifies how many seconds a
   security association may remain idle (i.e., no traffic protected
   using the security association) before it is deleted.  The property
   is defined as follows:

   NAME         IdleDurationSeconds
   DESCRIPTION  Specifies how long, in seconds, a security association
                may remain unused before it is deleted.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that idle detection should
                not be used for the security association.  Any non-zero
                value indicates the number of seconds the security
                association may remain unused.
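   The following is an added example, not code from the draft: it
   enforces the five SANegotiationAction properties of sections 6.7.1 to
   6.7.5 against a peer's proposed lifetimes and decides when to rekey or
   delete a security association.  The class and function names are this
   example's own, and a peer lifetime of zero is assumed to mean "no
   limit proposed"; the same percentage computation applies to
   RefreshThresholdDerivedKeys in section 6.11.1.

```python
"""Added example (not part of the draft): enforcing the
SANegotiationAction properties of sections 6.7.1 to 6.7.5 against a
peer's proposed lifetimes and deciding when to rekey or delete an SA.
The class and function names are this example's own."""
from dataclasses import dataclass


@dataclass
class SANegotiationAction:
    """The five properties of section 6.7.  Zero keeps the special
    meaning the draft gives it: no minimum, or no idle detection."""
    MinLifetimeSeconds: int = 0
    MinLifetimeKilobytes: int = 0
    RefreshThresholdSeconds: int = 100
    RefreshThresholdKilobytes: int = 100
    IdleDurationSeconds: int = 0


def lifetime_acceptable(action: SANegotiationAction,
                        peer_seconds: int, peer_kilobytes: int) -> bool:
    """Return True if the peer's proposed lifetimes satisfy the configured
    minimums.  Refusing arbitrarily low lifetimes is the draft's defence
    against forced renegotiation and its Diffie-Hellman cost.
    Assumption: a peer value of 0 means the peer proposes no limit of
    that kind, which therefore cannot be 'too low'."""
    if (action.MinLifetimeSeconds and peer_seconds
            and peer_seconds < action.MinLifetimeSeconds):
        return False
    if (action.MinLifetimeKilobytes and peer_kilobytes
            and peer_kilobytes < action.MinLifetimeKilobytes):
        return False
    return True


def refresh_threshold(percent: int, lifetime: int, jitter: int = 0) -> int:
    """Point (in the lifetime's own unit: seconds, kilobytes, or derived
    keys for section 6.11.1) at which IKE should start renegotiating.
    percent is a RefreshThreshold* value in 1..100; jitter is the random
    value the draft allows adding so both peers do not rekey at once.
    The result never exceeds the lifetime, so 100 means 'rekey only at
    expiry' whatever the jitter."""
    if not 1 <= percent <= 100:
        raise ValueError("RefreshThreshold must be between 1 and 100")
    if jitter < 0:
        raise ValueError("jitter must be non-negative")
    return min(lifetime, lifetime * percent // 100 + jitter)


def should_delete_idle(action: SANegotiationAction, idle_seconds: int) -> bool:
    """IdleDurationSeconds: delete the SA once it has carried no traffic
    for that long; zero disables idle detection entirely."""
    if action.IdleDurationSeconds == 0:
        return False
    return idle_seconds >= action.IdleDurationSeconds


if __name__ == "__main__":
    import random
    # Constructed policy: refuse lifetimes under 10 minutes / 1 MB,
    # start rekeying at 80% of the seconds lifetime, drop idle SAs
    # after 5 minutes.
    policy = SANegotiationAction(MinLifetimeSeconds=600,
                                 MinLifetimeKilobytes=1024,
                                 RefreshThresholdSeconds=80,
                                 IdleDurationSeconds=300)
    print("peer 3600 s / 100000 KB ok:",
          lifetime_acceptable(policy, 3600, 100000))
    print("peer 30 s rejected:", not lifetime_acceptable(policy, 30, 100000))
    print("rekey at", refresh_threshold(80, 3600, random.randint(0, 60)),
          "seconds of a 3600 s lifetime")
    print("delete after 301 s idle:", should_delete_idle(policy, 301))
```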

6.8. The Class IPsecAction

   The class IPsecAction serves as the base class for IPsec transport
   and tunnel actions.  It specifies the parameters used for an IKE
   phase 2 IPsec DOI negotiation.  Although the class is concrete, it
   MUST not be instantiated.  The class definition for IPsecAction is
   as follows:

   NAME         IPsecAction
   DESCRIPTION  A base class for IPsec transport and tunnel actions
                that specifies the parameters for IKE phase 2 IPsec DOI
                negotiations.
   DERIVED FROM SANegotiationAction
   ABSTRACT     FALSE
   PROPERTIES   UsePFS
                UseIKEGroup
                GroupId
                Granularity

6.8.1. The Property UsePFS

   The property UsePFS specifies whether or not perfect forward secrecy
   should be used when refreshing keys.  The property is defined as
   follows:

   NAME         UsePFS
   DESCRIPTION  Specifies whether or not to use PFS.
   SYNTAX       boolean
   VALUE        A value of true indicates that PFS should be used.  A
                value of false indicates that PFS should not be used.

6.8.2. The Property UseIKEGroup

   The property UseIKEGroup specifies whether or not phase 2 should use
   the same Diffie-Hellman group as was used in phase 1.  UseIKEGroup is
   ignored if UsePFS is false.  The property is defined as follows:

   NAME         UseIKEGroup
   DESCRIPTION  Specifies whether or not to use the same GroupId for
                phase 2 as was used in phase 1.  If UsePFS is false,
                then UseIKEGroup is ignored.
   SYNTAX       boolean
   VALUE        A value of true indicates that the phase 2 GroupId
                should be the same as phase 1.  A value of false
                indicates that the property GroupId will contain the
                Diffie-Hellman group to use for phase 2.

6.8.3. The Property GroupId

   The property GroupId specifies the Diffie-Hellman group to use for
   phase 2.  GroupId is ignored if (1) the property UsePFS is false, or
   (2) the property UsePFS is true and the property UseIKEGroup is
   true.  The property is defined as follows:

   NAME         GroupId
   DESCRIPTION  Specifies the Diffie-Hellman group to use for phase 2
                when the property UsePFS is true and the property
                UseIKEGroup is false.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - 768-bit MODP group
                2 - 1024-bit MODP group
                3 - EC2N group on GP[2^155]
                4 - EC2N group on GP[2^185]
                5 - 1536-bit MODP group

6.8.4. The Property Granularity

   The property Granularity specifies whether the proposed selector for
   the security association should be derived from the traffic that
   triggered the negotiation (Narrow) or from the FilterList of the
   Condition(s) that matched the rule (Wide).  The property is defined
   as follows:

   NAME         Granularity
   DESCRIPTION  Specifies how the proposed selector for the security
                association will be created.
   SYNTAX       unsigned 8-bit integer
   VALUE        1 - The selector is created by using the FilterList
                information from the condition that matched the traffic
                parameters.  This is called a Wide selector as it could
                for instance contain an IP subnet or range.
                2 - The selector is created by using the traffic
                parameters (i.e., the 5-tuple of the traffic).  This is
                called a Narrow selector.
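   The following is an added example, not the draft's code: it resolves
   the UsePFS, UseIKEGroup and GroupId properties of sections 6.8.1 to
   6.8.3 into the Diffie-Hellman group to propose for phase 2, and derives
   the phase 2 selector from Granularity (section 6.8.4).  The Selector
   shape, the "0 means any" convention for protocol and ports, and the
   check that the triggering packet actually matches the filter entry are
   this example's assumptions.

```python
"""Added example (not the draft's code): resolving UsePFS, UseIKEGroup
and GroupId (sections 6.8.1 to 6.8.3) into the phase 2 Diffie-Hellman
group, and building the phase 2 selector from Granularity (6.8.4).
The Selector shape and the 0-means-any convention are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# GroupId values as listed in section 6.8.3
GROUP_NAMES = {1: "768-bit MODP", 2: "1024-bit MODP",
               3: "EC2N group on GP[2^155]", 4: "EC2N group on GP[2^185]",
               5: "1536-bit MODP"}

GRANULARITY_WIDE = 1    # selector taken from the matching FilterList entry
GRANULARITY_NARROW = 2  # selector taken from the triggering packet's 5-tuple


@dataclass
class IPsecAction:
    UsePFS: bool
    UseIKEGroup: bool
    GroupId: int
    Granularity: int


def phase2_group(action: IPsecAction, phase1_group_id: int) -> Optional[int]:
    """Return the DH group for the phase 2 exchange, or None when the
    action does not ask for PFS (no phase 2 DH exchange is done, and
    UseIKEGroup and GroupId are ignored, as section 6.8.3 states)."""
    if not action.UsePFS:
        return None
    if action.UseIKEGroup:
        return phase1_group_id          # GroupId is ignored
    if action.GroupId not in GROUP_NAMES:
        raise ValueError(f"unknown GroupId {action.GroupId}")
    return action.GroupId


@dataclass(frozen=True)
class Selector:
    """A traffic selector or FilterList entry.  src/dst are CIDR prefixes
    (a bare host address counts as /32 or /128); a proto or port of 0
    means 'any' (constructed convention)."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def matches(entry: Selector, packet: Selector) -> bool:
    """True if the packet's 5-tuple falls within the filter entry."""
    return (ip_address(packet.src) in ip_network(entry.src)
            and ip_address(packet.dst) in ip_network(entry.dst)
            and entry.proto in (0, packet.proto)
            and entry.sport in (0, packet.sport)
            and entry.dport in (0, packet.dport))


def build_selector(action: IPsecAction, entry: Selector,
                   packet: Selector) -> Selector:
    """Derive the selector to propose in phase 2.  Wide reuses the whole
    FilterList entry (e.g. a subnet) so one SA covers all its traffic;
    Narrow proposes exactly the packet's 5-tuple as host prefixes."""
    if not matches(entry, packet):
        raise ValueError("packet does not match the condition's filter entry")
    if action.Granularity == GRANULARITY_WIDE:
        return entry
    if action.Granularity == GRANULARITY_NARROW:
        return Selector(str(ip_network(packet.src)), str(ip_network(packet.dst)),
                        packet.proto, packet.sport, packet.dport)
    raise ValueError(f"unknown Granularity {action.Granularity}")


if __name__ == "__main__":
    # Constructed sample: a /24-to-/24 HTTPS filter entry and one packet
    entry = Selector("10.0.1.0/24", "192.0.2.0/24", 6, 0, 443)
    pkt = Selector("10.0.1.5", "192.0.2.10", 6, 51515, 443)
    narrow = IPsecAction(UsePFS=True, UseIKEGroup=False, GroupId=5,
                         Granularity=GRANULARITY_NARROW)
    print("phase 2 DH group:", GROUP_NAMES[phase2_group(narrow, 2)])
    print("narrow selector:", build_selector(narrow, entry, pkt))
```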

6.9. The Class IPsecTransportAction

   The class IPsecTransportAction is a subclass of IPsecAction that is
   used to specify use of an IPsec transport mode security association.
   The class definition for IPsecTransportAction is as follows:

   NAME         IPsecTransportAction
   DESCRIPTION  Specifies that an IPsec transport mode security
                association should be negotiated.
   DERIVED FROM IPsecAction
   ABSTRACT     FALSE

6.10. The Class IPsecTunnelAction

   The class IPsecTunnelAction is a subclass of IPsecAction that is
   used to specify use of an IPsec tunnel mode security association.
   The class definition for IPsecTunnelAction is as follows:

   NAME         IPsecTunnelAction
   DESCRIPTION  Specifies that an IPsec tunnel mode security
                association should be negotiated.
   DERIVED FROM IPsecAction
   ABSTRACT     FALSE
   PROPERTIES   PeerGateway
                DFHandling

6.10.1. The Property PeerGateway

   The property PeerGateway specifies the IP address or DNS name of the
   peer gateway.  The property is defined as follows:

   NAME         PeerGateway
   DESCRIPTION  Specifies peer gateway's IP address or DNS name.
   SYNTAX       string
   VALUE        Either (1) IPv4 address in dotted quad format, (2) IPv6
                address in ... format, or (3) a DNS name.

6.10.2. The Property DFHandling

   The property DFHandling specifies how the Don't Fragment (DF) bit
   should be managed by the tunnel.  The property is defined as
   follows:

   NAME         DFHandling
   DESCRIPTION  Specifies how the DF bit is managed by the tunnel.
   SYNTAX       unsigned 8-bit integer
   VALUE        1 - DF bit is copied.
                2 - DF bit is set.
                3 - DF bit is cleared.

6.11. The Class IKEAction

   The class IKEAction specifies the parameters that are to be used for
   IKE phase 1 negotiation.  The class definition for IKEAction is as
   follows:

   NAME         IKEAction
   DESCRIPTION  Specifies the IKE phase 1 negotiation parameters.
   DERIVED FROM SANegotiationAction
   ABSTRACT     FALSE
   PROPERTIES   RefreshThresholdDerivedKeys
                ExchangeMode
                UseIKEIdentityType

6.11.1. The Property RefreshThresholdDerivedKeys

   The property RefreshThresholdDerivedKeys specifies what percentage
   of the derived key limit (see the LifetimeDerivedKeys property of
   IKEProposal) can expire before IKE should attempt to renegotiate the
   IKE phase 1 security association.  A random value may be added to
   the calculated threshold (percentage x derived key limit) to reduce
   the chance of both peers attempting to renegotiate at the same time.
   The property is defined as follows:

   NAME         RefreshThresholdDerivedKeys
   DESCRIPTION  Specifies the percentage of derived key limit that has
                expired before the IKE phase 1 security association is
                renegotiated.
   SYNTAX       unsigned 8-bit integer
   VALUE        A value between 1 and 100 representing a percentage.  A
                value of 100 indicates that the IKE phase 1 security
                association should not be renegotiated until the
                derived key limit has been reached.

6.11.2. The Property ExchangeMode

   The property ExchangeMode specifies which IKE mode should be used
   for IKE phase 1 key negotiations.  The property is defined as
   follows:

   NAME         ExchangeMode
   DESCRIPTION  Specifies the IKE negotiation mode for phase 1.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - base mode
                2 - main mode
                4 - aggressive mode

6.11.3. The Property UseIKEIdentityType

   The property UseIKEIdentityType specifies what IKE identity type
   should be used when negotiating with the peer.  This information is
   used in conjunction with the IKE identities available on the system.
   The property is defined as follows:

   NAME         UseIKEIdentityType
   DESCRIPTION  Specifies the IKE identity to use during negotiation.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - IPv4 Address
                2 - FQDN
                3 - User FQDN
                4 - IPv4 Subnet
                5 - IPv6 Address
                6 - IPv6 Subnet
                7 - IPv4 Address Range
                8 - IPv6 Address Range
                9 - DER-Encoded ASN.1 X.500 Distinguished Name
                10 - DER-Encoded ASN.1 X.500 GeneralName
                11 - Key ID

6.12. The Aggregation Class ContainedProposal

   The class ContainedProposal associates an ordered list of
   SAProposals with the SANegotiationAction that contains it.  If the
   referenced SANegotiationAction object is an IKEAction, then the
   referenced SAProposal object must be an IKEProposal.  If the
   referenced SANegotiationAction object is an IPsecTransportAction or
   an IPsecTunnelAction, then the referenced SAProposal object must be
   an IPsecProposal.  The class definition for ContainedProposal is as
   follows:


   NAME         ContainedProposal
   DESCRIPTION  Associates an ordered list of SAProposals with an
                SANegotiationAction.
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent[ref SANegotiationAction[0..n]]
                PartComponent[ref SAProposal[1..n]]
                SequenceNumber

6.12.1. The Reference GroupComponent

   The property GroupComponent contains an object reference to an
   SANegotiationAction that contains one or more SAProposals.  The
   [0..n] cardinality indicates that there may be zero or more
   SANegotiationActions that contain any given SAProposal.

6.12.2. The Reference PartComponent

   The property PartComponent contains an object reference to an
   SAProposal contained by one or more SANegotiationActions.  The
   [1..n] cardinality indicates that an SANegotiationAction MUST
   contain at least one SAProposal.

6.12.3. The Property SequenceNumber

   The property SequenceNumber specifies the order of preference for
   the SAProposals.  The property is defined as follows:

   NAME         SequenceNumber
   DESCRIPTION  Specifies the preference order for the SAProposals.
   SYNTAX       unsigned 16-bit integer
   VALUE        Lower-valued proposals are preferred over proposals
                with higher values.  If two proposals have the same
                SequenceNumber value, then the order of preference is
                undefined.

7. Proposal and Transform Classes

   The proposal and transform classes model the proposal settings an
   IPsec device will use during IKE phase 1 and 2 negotiations.

                             +--------------+
                             | [SAProposal] |
                             +--------------+
                                    ^
                                    |
                         +----------------------+
                         |                      |
                  +-------------+       +---------------+
                  | IKEProposal |       | IPsecProposal |
                  +-------------+       +---------------+
                                               *o
                                                | (a)
                                               n|
                                        +---------------+
                                        | [SATransform] |
                                        +---------------+
                                                ^
                                                |
               +--------------------+-----------+---------+
               |                    |                     |
        +-------------+     +--------------+     +----------------+
        | AHTransform |     | ESPTransform |     |IPCOMPTransform |
        +-------------+     +--------------+     +----------------+

   (a)  ContainedTransform

7.1. The Abstract Class SAProposal

   The abstract class SAProposal serves as the base class for the IKE
   and IPsec proposal classes.  It specifies the parameters that are
   common to the two proposal types.  The class definition for
   SAProposal is as follows:

   NAME         SAProposal
   DESCRIPTION  Specifies the common proposal parameters for IKE and
                IPsec security association negotiation.
   ABSTRACT     TRUE
   PROPERTIES   Name
                MaxLifetimeSeconds
                MaxLifetimeKilobytes

7.1.1. The Property Name

   The property Name specifies a user-friendly name for the SAProposal.
   The property is defined as follows:

   NAME         Name
   DESCRIPTION  Specifies a user-friendly name for this proposal.
   SYNTAX       string

7.1.2. The Property MaxLifetimeSeconds

   The property MaxLifetimeSeconds specifies the maximum amount of
   time, in seconds, to propose that a security association will remain
   valid after its creation.  The property is defined as follows:

   NAME         MaxLifetimeSeconds
   DESCRIPTION  Specifies the maximum amount of time to propose a
                security association remain valid.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that the default of 8 hours
                be used.  A non-zero value indicates the maximum
                seconds lifetime.

7.1.3. The Property MaxLifetimeKilobytes

   The property MaxLifetimeKilobytes specifies the maximum kilobyte
   lifetime to propose that a security association will remain valid
   after its creation.  The property is defined as follows:

   NAME         MaxLifetimeKilobytes
   DESCRIPTION  Specifies the maximum kilobyte lifetime to propose a
                security association remain valid.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there should be no
                maximum kilobyte lifetime.  A non-zero value specifies
                the desired kilobyte lifetime.

7.2. The Class IKEProposal

   The class IKEProposal specifies the proposal parameters necessary to
   drive an IKE security association negotiation.  The class definition
   for IKEProposal is as follows:

   NAME         IKEProposal
   DESCRIPTION  Specifies the proposal parameters for IKE security
                association negotiation.
   DERIVED FROM SAProposal
   ABSTRACT     FALSE
   PROPERTIES   LifetimeDerivedKeys
                CipherAlgorithm
                HashAlgorithm
                PRFAlgorithm
                GroupId
                AuthenticationMethod

7.2.1. The Property LifetimeDerivedKeys

   The property LifetimeDerivedKeys specifies the number of times that
   a phase 1 key will be used to derive a phase 2 key before the phase
   1 security association needs to be renegotiated.  Even though this is not
   a parameter that is sent in an IKE proposal, it is included in the
   proposal as the number of keys derived may be a result of the
   strength of the algorithms in the IKE proposal.  The property is
   defined as follows:

   NAME         LifetimeDerivedKeys
   DESCRIPTION  Specifies the number of phase 2 keys that can be
                derived from the phase 1 key.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there is no limit to the
                number of phase 2 keys which may be derived from the
                phase 1 key; instead the seconds and/or kilobytes
                lifetime will dictate the phase 1 rekeying.  A non-zero
                value specifies the number of phase 2 keys that can be
                derived from the phase 1 key.

7.2.2. The Property CipherAlgorithm

   The property CipherAlgorithm specifies the proposed phase 1 security
   association encryption algorithm.  The property is defined as
   follows:

   NAME         CipherAlgorithm
   DESCRIPTION  Specifies the proposed encryption algorithm for the
                phase 1 security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - DES-CBC
                2 - IDEA-CBC
                3 - Blowfish-CBC
                4 - RC5-R16-B64-CBC
                5 - 3DES-CBC
                6 - CAST-CBC

7.2.3. The Property HashAlgorithm

   The property HashAlgorithm specifies the proposed phase 1 security
   association hash algorithm.  The property is defined as follows:

   NAME         HashAlgorithm
   DESCRIPTION  Specifies the proposed hash algorithm for the phase 1
                security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - MD5
                2 - SHA-1
                3 - Tiger

7.2.4. The Property PRFAlgorithm

   The property PRFAlgorithm specifies the proposed phase 1 security
   association pseudo-random function.  The property is defined as
   follows:

   NAME         PRFAlgorithm
   DESCRIPTION  Specifies the proposed pseudo-random function for the
                phase 1 security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        Currently none defined.

7.2.5. The Property GroupId

   The property GroupId specifies the proposed phase 1 security
   association Diffie-Hellman group.  The property is defined as
   follows:

   NAME         GroupId
   DESCRIPTION  Specifies the proposed Diffie-Hellman group for the
                phase 1 security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - 768-bit MODP group
                2 - 1024-bit MODP group
                3 - EC2N group on GP[2^155]
                4 - EC2N group on GP[2^185]
                5 - 1536-bit MODP group

7.2.6. The Property AuthenticationMethod

   The property AuthenticationMethod specifies the proposed phase 1
   authentication method.  The property is defined as follows:

   NAME         AuthenticationMethod
   DESCRIPTION  Specifies the proposed authentication method for the
                phase 1 security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - a special value which indicates that this
                particular proposal should be repeated once for each
                authentication method that corresponds to the
                credentials installed on the machine.  For example, if
                the system has a pre-shared key and a certificate, a
                proposal list could be constructed which includes a
                proposal that specifies pre-shared key and proposals
                for any of the public-key authentication methods.
                1 - Pre-shared key
                2 - DSS signatures
                3 - RSA signatures
                4 - Encryption with RSA
                5 - Revised encryption with RSA
                6 - Kerberos (has this number been assigned???)
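   The following is an added example, not the draft's code: it turns the
   IKEProposals that ContainedProposal (section 6.12) attaches to an
   IKEAction into the ordered proposal list phase 1 will offer, ordering
   by SequenceNumber (6.12.3), expanding the AuthenticationMethod special
   value 0 above once per credential installed on the system, and
   applying the 8-hour default of 7.1.2 when MaxLifetimeSeconds is zero.
   The credential names and the credential-to-method mapping are this
   example's own assumptions; Kerberos is left out because the draft
   leaves its number open.

```python
"""Added example (not the draft's code): ordering the IKEProposals of a
ContainedProposal aggregation (section 6.12) by SequenceNumber and
expanding AuthenticationMethod 0 (section 7.2.6) once per installed
credential.  Credential names and their method mapping are assumed."""
from dataclasses import dataclass, replace
from typing import Dict, List

# Code points from sections 7.2.2, 7.2.3 and 7.2.6 (Kerberos omitted:
# the draft leaves its number open)
CIPHER = {1: "DES-CBC", 2: "IDEA-CBC", 3: "Blowfish-CBC",
          4: "RC5-R16-B64-CBC", 5: "3DES-CBC", 6: "CAST-CBC"}
HASH = {1: "MD5", 2: "SHA-1", 3: "Tiger"}
AUTH = {1: "Pre-shared key", 2: "DSS signatures", 3: "RSA signatures",
        4: "Encryption with RSA", 5: "Revised encryption with RSA"}

# Constructed: which AuthenticationMethod values each kind of installed
# credential can satisfy.
CREDENTIAL_METHODS: Dict[str, List[int]] = {
    "psk": [1], "dsa-cert": [2], "rsa-cert": [3, 4, 5]}

DEFAULT_LIFETIME_SECONDS = 8 * 3600   # section 7.1.2


@dataclass(frozen=True)
class IKEProposal:
    Name: str
    MaxLifetimeSeconds: int
    CipherAlgorithm: int
    HashAlgorithm: int
    GroupId: int
    AuthenticationMethod: int


@dataclass(frozen=True)
class ContainedProposal:
    SequenceNumber: int
    PartComponent: IKEProposal


def proposed_lifetime_seconds(p: IKEProposal) -> int:
    """Zero means 'use the default of 8 hours' (section 7.1.2)."""
    return p.MaxLifetimeSeconds or DEFAULT_LIFETIME_SECONDS


def expand_proposals(contained: List[ContainedProposal],
                     credentials: List[str]) -> List[IKEProposal]:
    """Order by SequenceNumber (lower first; ties keep input order since
    the draft leaves them undefined) and expand method 0 into one
    proposal per authentication method an installed credential supports.
    A method-0 proposal with no usable credential contributes nothing."""
    if not contained:
        raise ValueError("an SANegotiationAction MUST contain at least "
                         "one SAProposal (section 6.12.2)")
    out: List[IKEProposal] = []
    for c in sorted(contained, key=lambda c: c.SequenceNumber):
        p = c.PartComponent
        if p.AuthenticationMethod != 0:
            if p.AuthenticationMethod not in AUTH:
                raise ValueError(f"unknown AuthenticationMethod "
                                 f"{p.AuthenticationMethod}")
            out.append(p)
            continue
        for cred in credentials:
            for method in CREDENTIAL_METHODS.get(cred, []):
                out.append(replace(p, Name=f"{p.Name}/{AUTH[method]}",
                                   AuthenticationMethod=method))
    return out


def describe(p: IKEProposal) -> str:
    """Human-readable rendering of one proposal, for audit or display."""
    return (f"{p.Name}: {CIPHER[p.CipherAlgorithm]}/{HASH[p.HashAlgorithm]}, "
            f"DH group {p.GroupId}, {AUTH[p.AuthenticationMethod]}, "
            f"{proposed_lifetime_seconds(p)} s")


if __name__ == "__main__":
    # Constructed policy: a preferred 3DES/SHA-1 proposal that adapts to
    # whatever credentials exist, then a pre-shared-key fallback.
    strong = IKEProposal("strong", 0, 5, 2, 2, 0)
    fallback = IKEProposal("psk-only", 3600, 5, 2, 2, 1)
    action_proposals = [ContainedProposal(20, fallback),
                        ContainedProposal(10, strong)]
    for prop in expand_proposals(action_proposals, ["psk", "rsa-cert"]):
        print(describe(prop))
```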

7.3. The Class IPsecProposal

   The class IPsecProposal adds no new properties, but inherits
   proposal properties from SAProposal as well as aggregating the
   security association transforms necessary for building an IPsec
   proposal (see the aggregation class ContainedTransform).  The class
   definition for IPsecProposal is as follows:


Jason                    Expires January 2001                [Page 43]


Internet Draft     IPsec Configuration Policy Model          July 2000


   NAME         IPsecProposal
   DESCRIPTION  Specifies the proposal parameters for IPsec security
                association negotiation.
   DERIVED FROM SAProposal
   ABSTRACT     FALSE

7.4. The Abstract Class SATransform

   The abstract class SATransform serves as the base class for the
   IPsec transforms that can be used to compose an IPsec proposal.  The
   class definition for SATransform is as follows:

   NAME         SATransform
   DESCRIPTION  Base class for the different IPsec transforms.
   ABSTRACT     TRUE
   PROPERTIES   Name
                VendorID

7.4.1. The Property Name

   The property Name specifies a user-friendly name for the
   SATransform.  The property is defined as follows:

   NAME         Name
   DESCRIPTION  Specifies a user-friendly name for this transform.
   SYNTAX       string

7.4.2. The Property VendorID

   The property VendorID specifies the vendor ID for vendor-defined
   transforms.  The property is defined as follows:

   NAME         VendorID
   DESCRIPTION  Specifies the vendor ID for vendor-defined transforms.
   SYNTAX       string
   VALUE        An empty VendorID string indicates that the transform
                is one of the previously-defined ones.

7.5. The Class AHTransform

   The class AHTransform specifies the AH algorithm to propose during
   IPsec security association negotiation.  The class definition for
   AHTransform is as follows:

   NAME         AHTransform
   DESCRIPTION  Specifies the AH algorithm to propose.
   ABSTRACT     FALSE
   PROPERTIES   AHTransformId

7.5.1. The Property AHTransformId

   The property AHTransformId specifies the transform ID of the AH
   algorithm to propose.  The property is defined as follows:

   NAME         AHTransformId
   DESCRIPTION  Specifies the transform ID of the AH algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        2 - MD5
                3 - SHA-1
                4 - DES

7.6. The Class ESPTransform

   The class ESPTransform specifies the ESP algorithms to propose
   during IPsec security association negotiation.  The class definition
   for ESPTransform is as follows:

   NAME         ESPTransform
   DESCRIPTION  Specifies the ESP algorithms to propose.
   ABSTRACT     FALSE
   PROPERTIES   IntegrityTransformId
                CipherTransformId
                CipherKeyLength
                CipherKeyRounds

7.6.1. The Property IntegrityTransformId

   The property IntegrityTransformId specifies the transform ID of the
   ESP integrity algorithm to propose.  The property is defined as
   follows:

   NAME         IntegrityTransformId
   DESCRIPTION  Specifies the transform ID of the ESP integrity
                algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - None
                1 - HMAC-MD5
                2 - HMAC-SHA
                3 - DES-MAC
                4 - KPDK

7.6.2. The Property CipherTransformId

   The property CipherTransformId specifies the transform ID of the ESP
   encryption algorithm to propose.  The property is defined as
   follows:

   NAME         CipherTransformId
   DESCRIPTION  Specifies the transform ID of the ESP encryption
                algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - DES IV64
                2 - DES
                3 - 3DES
                4 - RC5
                5 - IDEA
                6 - CAST
                7 - Blowfish
                8 - 3IDEA
                9 - DES IV32
                10 - RC4
                11 - NULL

7.6.3. The Property CipherKeyLength

   The property CipherKeyLength specifies, in bits, the key length for
   the ESP encryption algorithm.  For encryption algorithms which use
   fixed-length keys, this value is ignored.  The property is defined
   as follows:

   NAME         CipherKeyLength
   DESCRIPTION  Specifies the ESP encryption key length in bits.
   SYNTAX       unsigned 16-bit integer

7.6.4. The Property CipherKeyRounds

   The property CipherKeyRounds specifies the number of key rounds for
   the ESP encryption algorithm.  The property is defined as follows:

   NAME         CipherKeyRounds
   DESCRIPTION  Specifies the number of key rounds for the ESP
                encryption algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        Currently, key rounds are not defined for any ESP
                encryption algorithms.

7.7. The Class IPCOMPTransform

   The class IPCOMPTransform specifies the IP compression (IPCOMP)
   algorithm to propose during IPsec security association negotiation.
   The class definition for IPCOMPTransform is as follows:

   NAME         IPCOMPTransform
   DESCRIPTION  Specifies the IPCOMP algorithm to propose.
   ABSTRACT     FALSE
   PROPERTIES   Algorithm
                DictionarySize
                PrivateAlgorithm

7.7.1. The Property Algorithm

   The property Algorithm specifies the transform ID of the IPCOMP
   compression algorithm to propose.  The property is defined as
   follows:

   NAME         Algorithm
   DESCRIPTION  Specifies the transform ID of the IPCOMP compression
                algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - OUI (the property PrivateAlgorithm will contain the
                vendor-specific algorithm to use)
                2 - DEFLATE
                3 - LZS
                4 - V42BIS (has this number been assigned ???)

7.7.2. The Property DictionarySize

   The property DictionarySize specifies the log2 maximum size of the
   dictionary for the compression algorithm.  For compression algorithms
   that have pre-defined dictionary sizes, this value is ignored.  The
   property is defined as follows:

   NAME         DictionarySize
   DESCRIPTION  Specifies the log2 maximum size of the dictionary.
   SYNTAX       unsigned 16-bit integer

7.7.3. The Property PrivateAlgorithm

   The property PrivateAlgorithm specifies a private vendor-specific
   compression algorithm.  This value is only used when the property
   Algorithm is 1 (OUI).  The property is defined as follows:

   NAME         PrivateAlgorithm
   DESCRIPTION  Specifies a private vendor-specific compression
                algorithm.
   SYNTAX       unsigned 32-bit integer

7.8. The Aggregation Class ContainedTransform

   The class ContainedTransform associates an IPsecProposal with the
   set of SATransforms that make up the proposal.  If multiple
   transforms of the same type are in a proposal, then they are to be
   logically ORed and the order of preference is dictated by the
   SequenceNumber property.  Sets of transforms of different types are
   logically ANDed.  For example, if the proposal list were

   ESP = { (HMAC-MD5, DES), (HMAC-MD5, 3DES) }
   AH  = { MD5, SHA-1 }

   then the one sending the proposal wants the other side to pick one
   from the ESP transform list AND one from the AH transform list.  The
   class definition for ContainedTransform is as follows:

   NAME         ContainedTransform
   DESCRIPTION  Associates an IPsecProposal with the set of
                SATransforms that make up the proposal.
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent[ref IPsecProposal[0..n]]
                PartComponent[ref SATransform[1..n]]
                SequenceNumber

7.8.1. The Reference GroupComponent

   The property GroupComponent contains an object reference to an
   IPsecProposal that contains one or more SATransforms.  The [0..n]
   cardinality indicates that there may be zero or more IPsecProposals
   that contain any given SATransform.

7.8.2. The Reference PartComponent

   The property PartComponent contains an object reference to an
   SATransform contained by one or more IPsecProposals.  The [1..n]
   cardinality indicates that an IPsecProposal MUST contain at least one
   SATransform.

7.8.3. The Property SequenceNumber

   The property SequenceNumber specifies the order of preference for
   the SATransforms of the same type.  The property is defined as
   follows:

   NAME         SequenceNumber
   DESCRIPTION  Specifies the preference order for the SATransforms of
                the same type.
   SYNTAX       unsigned 16-bit integer
   VALUE        Lower-valued transforms are preferred over transforms
                of the same type with higher values.  If two transforms
                of the same type have the same SequenceNumber value,
                then the order of preference is undefined.
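
   An added example, not from the draft, of the ContainedTransform
   semantics described in this section: transforms of one type are ORed in
   SequenceNumber order, and sets of different types are ANDed.  The class
   and property names follow the draft; the helper functions and the
   SequenceNumber values given to the draft's ESP/AH example are
   constructed here.

```python
from dataclasses import dataclass
from itertools import product

# Transform IDs from the draft: AHTransformId (7.5.1), IntegrityTransformId
# (7.6.1) and CipherTransformId (7.6.2).
AH_MD5, AH_SHA1 = 2, 3
ESP_HMAC_MD5, ESP_HMAC_SHA = 1, 2
ESP_DES, ESP_3DES = 2, 3

@dataclass(frozen=True)
class AHTransform:
    AHTransformId: int

@dataclass(frozen=True)
class ESPTransform:
    IntegrityTransformId: int
    CipherTransformId: int
    CipherKeyLength: int = 0    # ignored for fixed-length keys (7.6.3)

@dataclass(frozen=True)
class ContainedTransform:
    PartComponent: object       # the aggregated SATransform
    SequenceNumber: int         # lower value = more preferred (7.8.3)

def transforms_by_type(contained):
    """Group one proposal's transforms by SATransform subclass, each group in
    SequenceNumber order, enforcing the [1..n] cardinality of PartComponent.
    sorted() is stable, so equal SequenceNumbers keep input order."""
    if not contained:
        raise ValueError("an IPsecProposal MUST contain at least one SATransform")
    groups = {}
    for ct in sorted(contained, key=lambda c: c.SequenceNumber):
        groups.setdefault(type(ct.PartComponent).__name__, []).append(ct.PartComponent)
    return groups

def acceptable_combinations(contained):
    """Every combination the proposer accepts: one transform of each type
    (types ANDed), most preferred first (same-type alternatives ORed)."""
    groups = transforms_by_type(contained)
    names = sorted(groups)      # deterministic ordering of transform types
    return [dict(zip(names, combo))
            for combo in product(*(groups[name] for name in names))]

# The draft's own example: ESP = {(HMAC-MD5, DES), (HMAC-MD5, 3DES)},
# AH = {MD5, SHA-1}; the SequenceNumbers are constructed here.
DRAFT_EXAMPLE = [
    ContainedTransform(ESPTransform(ESP_HMAC_MD5, ESP_3DES), 2),
    ContainedTransform(ESPTransform(ESP_HMAC_MD5, ESP_DES), 1),
    ContainedTransform(AHTransform(AH_SHA1), 2),
    ContainedTransform(AHTransform(AH_MD5), 1),
]
```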

8. Security Considerations

   This document describes a schema for IPsec policy.  It does not
   detail security requirements for storage or delivery of said schema.
   Storage and delivery security requirements should be detailed in a
   comprehensive security policy architecture document.

9. Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.

   Copies of claims of rights made available for publication and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.

10. Acknowledgments

   The author would like to thank Mike Jeronimo, Ylian Saint-Hilaire,
   Vic Lortz, and William Dixon for their contributions to this IPsec
   policy model.

   Additionally, this draft would not have been possible without the
   preceding IPsec schema drafts.  For that, thanks go out to Rob
   Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju
   Rajan.

11. References

   [IKE] Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)",
   RFC 2409, November 1998.

   [COMP] Shacham, A., and R. Monsour, R. Pereira, M. Thomas, "IP
   Payload Compression Protocol (IPComp)", RFC 2393, August 1998.

   [ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload
   (ESP)", RFC 2406, November 1998.

   [AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC
   2402, November 1998.

   [PCIM] Moore, B., and E. Ellesson, J. Strassner, "Policy Core
   Information Model -- Version 1 Specification", draft-ietf-policy-
   core-infor-model-06.txt, May 2000.  Internet-Draft work in progress.

   [DOI] Piper, D., "The Internet IP Security Domain of Interpretation
   for ISAKMP", RFC 2407, November 1998.

   [LDAP] Wahl, M., and T. Howes, S. Kille, "Lightweight Directory
   Access Protocol (v3)", RFC 2251, December 1997.

   [COPS] Boyle, J., and R. Cohen, D. Durham, S. Herzog, R. Rajan, A.
   Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748,
   January 2000.  Internet-Draft work in progress.

   [COPSPR] Chan, K., and D. Durham, S. Gai, S. Herzog, K. McCloghrie,
   F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for
   Policy Provisioning", draft-ietf-rap-pr-02.txt, March 2000.
   Internet-Draft work in progress.

   [SPSL] Condell, M., and C. Lynn, J. Zao, "Security Policy
   Specification Language", draft-ietf-ipsp-spsl-00.txt, March 2000.
   Internet-Draft work in progress.

   [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
   Requirement Levels", BCP 14, RFC 2119, March 1997.

12. Disclaimer

   The views and specification herein are those of the authors and are
   not necessarily those of their employer.  The authors and their
   employer specifically disclaim responsibility for any problems
   arising from correct or incorrect implementation or use of this
   specification.

13. Author's Address

      Jamie Jason
      Intel Corporation
      MS JF3-206
      2111 NE 25th Ave.
      Hillsboro, OR 97124
      Phone: +1-503-264-9531
      Fax: +1-503-264-9428
      E-Mail: jamie.jason@intel.com

14. Full Copyright Statement

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
