Network Working Group                                           J. Jason
Request for Comments: 3585                             Intel Corporation
Category: Standards Track                                     L. Rafalow
                                                                     IBM
                                                               E. Vyncke
                                                           Cisco Systems
                                                             August 2003
IPsec Configuration Policy Information Model
Status of this Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
This document presents an object-oriented information model of IP Security (IPsec) policy designed to facilitate agreement about the content and semantics of IPsec policy, and to enable derivations of task-specific representations of IPsec policy such as storage schema, distribution representations, and policy specification languages used to configure IPsec-enabled endpoints. The information model described in this document models the configuration parameters defined by IPsec. The information model also covers the parameters used by the Internet Key Exchange protocol (IKE). Other key exchange protocols could easily be added to the information model by a simple extension. Further extensions can also be added easily because of the object-oriented nature of the model.
This information model is based upon the core policy classes as defined in the Policy Core Information Model (PCIM) and in the Policy Core Information Model Extensions (PCIMe).
Table of Contents
1. Introduction
2. UML Conventions
3. IPsec Policy Model Inheritance Hierarchy
4. Policy Classes
   4.1. The Class SARule
   4.2. The Class IKERule
   4.3. The Class IPsecRule
   4.4. The Association Class IPsecPolicyForEndpoint
   4.5. The Association Class IPsecPolicyForSystem
   4.6. The Aggregation Class SAConditionInRule
   4.7. The Aggregation Class PolicyActionInSARule
5. Condition and Filter Classes
   5.1. The Class SACondition
   5.2. The Class IPHeadersFilter
   5.3. The Class CredentialFilterEntry
   5.4. The Class IPSOFilterEntry
   5.5. The Class PeerIDPayloadFilterEntry
   5.6. The Association Class FilterOfSACondition
   5.7. The Association Class AcceptCredentialFrom
6. Action Classes
   6.1. The Class SAAction
   6.2. The Class SAStaticAction
   6.3. The Class IPsecBypassAction
   6.4. The Class IPsecDiscardAction
   6.5. The Class IKERejectAction
   6.6. The Class PreconfiguredSAAction
   6.7. The Class PreconfiguredTransportAction
   6.8. The Class PreconfiguredTunnelAction
   6.9. The Class SANegotiationAction
   6.10. The Class IKENegotiationAction
   6.11. The Class IPsecAction
   6.12. The Class IPsecTransportAction
   6.13. The Class IPsecTunnelAction
   6.14. The Class IKEAction
   6.15. The Class PeerGateway
   6.16. The Association Class PeerGatewayForTunnel
   6.17. The Aggregation Class ContainedProposal
   6.18. The Association Class HostedPeerGatewayInformation
   6.19. The Association Class TransformOfPreconfiguredAction
   6.20. The Association Class PeerGatewayForPreconfiguredTunnel
7. Proposal and Transform Classes
   7.1. The Abstract Class SAProposal
   7.2. The Class IKEProposal
   7.3. The Class IPsecProposal
   7.4. The Abstract Class SATransform
   7.5. The Class AHTransform
   7.6. The Class ESPTransform
   7.7. The Class IPCOMPTransform
   7.8. The Association Class SAProposalInSystem
   7.9. The Aggregation Class ContainedTransform
   7.10. The Association Class SATransformInSystem
8. IKE Service and Identity Classes
   8.1. The Class IKEService
   8.2. The Class PeerIdentityTable
   8.3. The Class PeerIdentityEntry
   8.4. The Class AutostartIKEConfiguration
   8.5. The Class AutostartIKESetting
   8.6. The Class IKEIdentity
   8.7. The Association Class HostedPeerIdentityTable
   8.8. The Aggregation Class PeerIdentityMember
   8.9. The Association Class IKEServicePeerGateway
   8.10. The Association Class IKEServicePeerIdentityTable
   8.11. The Association Class IKEAutostartSetting
   8.12. The Aggregation Class AutostartIKESettingContext
   8.13. The Association Class IKEServiceForEndpoint
   8.14. The Association Class IKEAutostartConfiguration
   8.15. The Association Class IKEUsesCredentialManagementService
   8.16. The Association Class EndpointHasLocalIKEIdentity
   8.17. The Association Class CollectionHasLocalIKEIdentity
   8.18. The Association Class IKEIdentitysCredential
9. Implementation Requirements
10. Security Considerations
11. Intellectual Property Statement
12. References
   12.1. Normative References
   12.2. Informative References
13. Disclaimer
14. Acknowledgments
15. Authors' Addresses
16. Full Copyright Statement
1. Introduction

IP security (IPsec) policy may assume a variety of forms as it travels from storage, to distribution, to decision points. At each step, it needs to be represented in a way that is convenient for the current task. For example, the policy could exist as, but is not limited to:
o A Lightweight Directory Access Protocol (LDAP) [LDAP] schema in a directory.
o An on-the-wire representation over a transport protocol like the Common Object Policy Service (COPS) [COPS, COPSPR].
o A text-based policy specification language suitable for editing by an administrator.
o An Extensible Markup Language (XML) document.
Each of these task-specific representations should be derived from a canonical representation that precisely specifies the content and semantics of the IPsec policy. This document captures this concept and introduces a task-independent canonical representation for IPsec policies.
This document focuses mainly on the existing protocols [COMP, ESP, AH, DOI, IKE]. The model can easily be extended if needed due to its object-oriented nature.
This document is organized as follows:
o Section 2 provides a quick introduction to the Unified Modeling Language (UML) graphical notation conventions used in this document.
o Section 3 provides the inheritance hierarchy that describes where the IPsec policy classes fit into the policy class hierarchy already defined by the Policy Core Information Model (PCIM) and Policy Core Information Model Extensions (PCIMe).
o Sections 4 through 8 describe the classes that make up the IPsec policy model.
o Section 9 presents the implementation requirements for the classes in the model (i.e., the MUST/MAY/SHOULD status).
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [KEYWORDS].
2. UML Conventions

For this document, a UML static class diagram was chosen as the canonical representation for the IPsec policy model, because UML provides a graphical, task-independent way to model systems. A treatise on the graphical notation used in UML is beyond the scope of this document. However, given the use of ASCII drawing for UML static class diagrams, a description of the notational conventions used in this document is in order:
o Boxes represent classes, with class names in brackets ([]) representing an abstract class.
o A line that terminates with an arrow (<, >, ^, v) denotes inheritance. The arrow always points to the parent class. Inheritance can also be called generalization or specialization (depending upon the reference point). A base class is a generalization of a derived class, and a derived class is a specialization of a base class.
o Associations are used to model a relationship between two classes. Classes that share an association are connected using a line. A special kind of association is also used: an aggregation. An aggregation models a whole-part relationship between two classes. Associations, and therefore aggregations, are also modeled as classes.
o A line that begins with an "o" denotes aggregation. Aggregation denotes containment in which the contained class and the containing class have independent lifetimes.
o At each end of a line representing an association appears a cardinality (i.e., each association has 2 cardinalities). Cardinalities indicate the constraints on the number of object instances in a set of relationships. The cardinality on a given end of an association indicates the number of different object instances of that class that may be associated with a single object instance of the class on the other end of the association. The cardinality may be:
- a range in the form "lower bound..upper bound" indicating the minimum and maximum number of objects.
- a number that indicates the exact number of objects.
- an asterisk indicating any number of objects, including zero. An asterisk is shorthand for 0..n.
- the letter n indicating from 1 to many. The letter n is shorthand for 1..n.
o A class that has an association may have a "w" next to the line representing the association. This is called a weak association and is discussed in [PCIM].
It should be noted that the UML static class diagram presented is a conceptual view of IPsec policy designed to aid in understanding. It does not necessarily get translated class for class into another representation. For example, an LDAP implementation may flatten out the representation to fewer classes (because of the inefficiency of following references).
3. IPsec Policy Model Inheritance Hierarchy

Like PCIM and PCIMe, the IPsec Configuration Policy Model derives from and uses classes defined in the DMTF [DMTF] Common Information Model (CIM). The following tree represents the inheritance hierarchy for the IPsec Policy Model classes and how they fit into PCIM, PCIMe and the other DMTF models (see Appendices for descriptions of classes that are not being introduced as part of the IPsec model). CIM classes that are not used as a superclass to derive new classes, but are used only as references, are not included in this inheritance hierarchy, but can be found in the appropriate DMTF document: Core Model [CIMCORE], User Model [CIMUSER] or Network Model [CIMNETWORK].
   ManagedElement (DMTF Core Model)
    |
    +--Collection (DMTF Core Model)
    |  |
    |  +--PeerIdentityTable
    |
    +--ManagedSystemElement (DMTF Core Model)
    |  |
    |  +--LogicalElement (DMTF Core Model)
    |     |
    |     +--FilterEntryBase (DMTF Network Model)
    |     |  |
    |     |  +--CredentialFilterEntry
    |     |  |
    |     |  +--IPHeadersFilter (PCIMe)
    |     |  |
    |     |  +--IPSOFilterEntry
    |     |  |
    |     |  +--PeerIDPayloadFilterEntry
    |     |
    |     +--PeerGateway
    |     |
    |     +--PeerIdentityEntry
    |     |
    |     +--Service (DMTF Core Model)
    |        |
    |        +--IKEService
    |
    +--OrganizationalEntity (DMTF User Model)
    |  |
    |  +--UserEntity (DMTF User Model)
    |     |
    |     +--UsersAccess (DMTF User Model)
    |        |
    |        +--IKEIdentity
    |
    +--Policy (PCIM)
    |  |
    |  +--PolicyAction (PCIM)
    |  |  |
    |  |  +--CompoundPolicyAction (PCIMe)
    |  |     |
    |  |     +--SAAction
    |  |        |
    |  |        +--SANegotiationAction
    |  |        |  |
    |  |        |  +--IKENegotiationAction
    |  |        |     |
    |  |        |     +--IKEAction
    |  |        |     |
    |  |        |     +--IPsecAction
    |  |        |        |
    |  |        |        +--IPsecTransportAction
    |  |        |        |
    |  |        |        +--IPsecTunnelAction
    |  |        |
    |  |        +--SAStaticAction
    |  |           |
    |  |           +--IKERejectAction
    |  |           |
    |  |           +--IPsecBypassAction
    |  |           |
    |  |           +--IPsecDiscardAction
    |  |           |
    |  |           +--PreconfiguredSAAction
    |  |              |
    |  |              +--PreconfiguredTransportAction
    |  |              |
    |  |              +--PreconfiguredTunnelAction
    |  |
    |  +--PolicyCondition (PCIM)
    |  |  |
    |  |  +--SACondition
    |  |
    |  +--PolicySet (PCIMe)
    |  |  |
    |  |  +--PolicyGroup (PCIM & PCIMe)
    |  |  |
    |  |  +--PolicyRule (PCIM & PCIMe)
    |  |     |
    |  |     +--SARule
    |  |        |
    |  |        +--IKERule
    |  |        |
    |  |        +--IPsecRule
    |  |
    |  +--SAProposal
    |  |  |
    |  |  +--IKEProposal
    |  |  |
    |  |  +--IPsecProposal
    |  |
    |  +--SATransform
    |     |
    |     +--AHTransform
    |     |
    |     +--ESPTransform
    |     |
    |     +--IPCOMPTransform
    |
    +--Setting (DMTF Core Model)
    |  |
    |  +--SystemSetting (DMTF Core Model)
    |     |
    |     +--AutostartIKESetting
    |
    +--SystemConfiguration (DMTF Core Model)
       |
       +--AutostartIKEConfiguration
The following tree represents the inheritance hierarchy of the IPsec policy model association classes and how they fit into PCIM and the other DMTF models (see Appendices for description of association classes that are not being introduced as part of IPsec model).
   Dependency (DMTF Core Model)
    |
    +--AcceptCredentialsFrom
    |
    +--ElementAsUser (DMTF User Model)
    |  |
    |  +--EndpointHasLocalIKEIdentity
    |  |
    |  +--CollectionHasLocalIKEIdentity
    |
    +--FilterOfSACondition
    |
    +--HostedPeerGatewayInformation
    |
    +--HostedPeerIdentityTable
    |
    +--IKEAutostartConfiguration
    |
    +--IKEServiceForEndpoint
    |
    +--IKEServicePeerGateway
    |
    +--IKEServicePeerIdentityTable
    |
    +--IKEUsesCredentialManagementService
    |
    +--IPsecPolicyForEndpoint
    |
    +--IPsecPolicyForSystem
    |
    +--PeerGatewayForPreconfiguredTunnel
    |
    +--PeerGatewayForTunnel
    |
    +--PolicyInSystem (PCIM)
    |  |
    |  +--SAProposalInSystem
    |  |
    |  +--SATransformInSystem
    |
    +--TransformOfPreconfiguredAction
    |
    +--UsersCredential (DMTF User Model)
       |
       +--IKEIdentitysCredential

   ElementSetting (DMTF Core Model)
    |
    +--IKEAutostartSetting

   MemberOfCollection (DMTF Core Model)
    |
    +--PeerIdentityMember

   PolicyComponent (PCIM)
    |
    +--ContainedProposal
    |
    +--ContainedTransform
    |
    +--PolicyActionStructure (PCIMe)
    |  |
    |  +--PolicyActionInPolicyRule (PCIM & PCIMe)
    |     |
    |     +--PolicyActionInSARule
    |
    +--PolicyConditionStructure (PCIMe)
    |  |
    |  +--PolicyConditionInPolicyRule (PCIM & PCIMe)
    |     |
    |     +--SAConditionInRule
    |
    +--PolicySetComponent (PCIMe)

   SystemSettingContext (DMTF Core Model)
    |
    +--AutostartIKESettingContext
4. Policy Classes

The IPsec policy classes represent the set of policies that are contained on a system.
[Figure: UML static class diagram of the policy classes; the ASCII drawing did not survive extraction and is summarized here. Bracketed names are abstract classes. The diagram shows [PolicySet] ([PCIME]) with its PolicySetComponent self-aggregation (a, * to *), its subclasses PolicyGroup ([PCIM]) and PolicyRule ([PCIM]), PolicyRule's association (d, * to *) to PolicyTimePeriodCondition ([PCIM]), PolicyGroup's associations to IPProtocolEndpoint ([CIMNETWORK]) (b, PolicyGroup 0..1 to IPProtocolEndpoint *) and to System ([CIMCORE]) (c, PolicyGroup 0..1 to System *), SARule as a subclass of PolicyRule with subclasses IKERule and IPsecRule, SARule aggregating SACondition (e, SARule * to SACondition n) and [PolicyAction] ([PCIM]) (f, SARule * to [PolicyAction] n), and CompoundPolicyAction ([PCIME]) as a subclass of [PolicyAction] with its PolicyActionInPolicyAction self-aggregation (g, * to *) and its subclass SAAction.]

   (a) PolicySetComponent ([PCIME])
   (b) IPsecPolicyForEndpoint
   (c) IPsecPolicyForSystem
   (d) PolicyRuleValidityPeriod ([PCIM])
   (e) SAConditionInRule
   (f) PolicyActionInSARule
   (g) PolicyActionInPolicyAction ([PCIME])
A PolicyGroup represents the set of policies that are used on an interface. This PolicyGroup SHOULD be associated either directly with the IPProtocolEndpoint class instance that represents the interface (via the IPsecPolicyForEndpoint association) or indirectly (via the IPsecPolicyForSystem association) associated with the System that hosts the interface.
The IKE and IPsec rules are used to build or to negotiate the IPsec Security Association Database (SADB). The IPsec rules represent the Security Policy Database. The SADB itself is not modeled by this document.
The IKE and IPsec rules can be described as (also see section 6 about actions):
o An egress unprotected packet will first be checked against the IPsec rules. If a match is found, the SADB will be checked. If there is no corresponding IPsec SA in the SADB, and if IKE negotiation is required by the IPsec rule, the corresponding IKE rules will be used. The negotiated or preconfigured SA will then be installed in the SADB.
o An ingress unprotected packet will first be checked against the IPsec rules. If a match is found, the SADB will be checked for a corresponding IPsec SA. If there is no corresponding IPsec SA and a preconfigured SA exists, this preconfigured SA will be installed in the IPsec SADB. This behavior should only apply to bypass and discard actions.
o An ingress protected packet will first be checked against the IPsec rules. If a match is found, the SADB will be checked for a corresponding IPsec SA. If there is no corresponding IPsec SA and a preconfigured SA exists, this preconfigured SA will be installed in the IPsec SADB.
o An ingress IKE negotiation packet, which is not part of an existing IKE SA, will be checked against the IKE rules. The SACondition for the IKERule will usually be composed of a PeerIDPayloadFilterEntry (typically for an aggressive mode IKE negotiation) or an IPHeadersFilter. The negotiated SA will then be installed in the SADB.
It is expected that when an IKE negotiation is required to be initiated by an IPsec rule, the set of IKE rules will be checked. The IKE rules check will be based on the outgoing IKE packet using IPHeadersFilter entries (typically using the HdrDstAddress property).
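The order of checks described above for an unprotected egress packet (IPsec rules first, then the SADB, then the IKE rules matched on the outgoing IKE packet's destination), as an added Python model that is not part of RFC 3585. The class and property names are the document's; the reduced filter, the rule and SA structures, the `ike_peer` and `preconfigured_spi` fields, the SADB keyed on (destination, protocol), and the sample policy are all constructed here for illustration. Treating bypass and discard as dispositions that need no SA is also an assumption of this model.

```python
"""Egress packet handling against IPsec rules, the SADB and IKE rules.

Added example; not code from RFC 3585. It models the order of checks the
text describes for an unprotected egress packet: IPsec rules first, then
the SADB, then (if the rule requires IKE) the IKE rules, matched on the
outgoing IKE packet's destination (HdrDstAddress). Rule, SA and packet
structures and all sample values are constructed here.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class IPHeadersFilter:
    """Reduced IPHeadersFilter: HdrDstAddress prefix plus optional protocol."""
    hdr_dst_address: str
    protocol: Optional[int] = None

    def matches(self, dst: str, proto: int) -> bool:
        in_prefix = ip_address(dst) in ip_network(self.hdr_dst_address)
        return in_prefix and (self.protocol is None or self.protocol == proto)


@dataclass
class IPsecRule:
    priority: int                        # PolicySetComponent.Priority (unique)
    condition: IPHeadersFilter           # the SACondition's filter
    action: str                          # "transport", "tunnel", "bypass" or "discard"
    ike_peer: Optional[str] = None       # assumed field: IKE peer address for the action
    preconfigured_spi: Optional[int] = None  # set when no IKE negotiation is needed


@dataclass
class IKERule:
    priority: int
    condition: IPHeadersFilter           # applied to the outgoing IKE packet
    name: str


@dataclass
class SADB:
    """IPsec SADB, keyed here by (destination, protocol) selectors (assumed)."""
    entries: dict = field(default_factory=dict)
    negotiations: int = 0                # how many IKE negotiations were run


def first_matching(rules, dst, proto):
    """PolicyDecisionStrategy 'FirstMatching': lowest priority value wins."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.condition.matches(dst, proto):
            return rule
    return None


def process_egress(packet, ipsec_rules, ike_rules, sadb):
    """Return (disposition, sa) for an unprotected egress packet."""
    dst, proto = packet["dst"], packet["proto"]
    rule = first_matching(ipsec_rules, dst, proto)
    if rule is None:
        return "no-match", None
    if rule.action in ("bypass", "discard"):
        return rule.action, None          # assumption: no SA is needed for these
    sa = sadb.entries.get((dst, proto))
    if sa is not None:
        return "protect", sa              # an IPsec SA already exists in the SADB
    if rule.preconfigured_spi is not None:
        sa = {"spi": rule.preconfigured_spi, "mode": rule.action, "negotiated": False}
    else:
        # IKE negotiation is required: the IKE rules are matched against the
        # outgoing IKE packet, i.e. on the peer's address (HdrDstAddress).
        peer = rule.ike_peer or dst
        ike_rule = first_matching(ike_rules, peer, 17)   # IKE runs over UDP
        if ike_rule is None:
            return "no-ike-rule", None
        sadb.negotiations += 1
        sa = {"spi": 0x1000 + sadb.negotiations, "mode": rule.action,
              "peer": peer, "ike_rule": ike_rule.name, "negotiated": True}
    sadb.entries[(dst, proto)] = sa        # install the negotiated or preconfigured SA
    return "protect", sa


def sample_policy():
    """Constructed sample PolicyGroup: a tunnel rule, a transport rule, a bypass rule."""
    ipsec_rules = [
        IPsecRule(1, IPHeadersFilter("192.0.2.0/24"), "tunnel", ike_peer="198.51.100.1"),
        IPsecRule(2, IPHeadersFilter("203.0.113.0/24"), "transport"),
        IPsecRule(3, IPHeadersFilter("0.0.0.0/0", protocol=17), "bypass"),
    ]
    ike_rules = [
        IKERule(1, IPHeadersFilter("198.51.100.1/32"), "ike-to-gateway"),
        IKERule(2, IPHeadersFilter("203.0.113.0/24"), "ike-to-hosts"),
    ]
    return ipsec_rules, ike_rules
```

Calling `process_egress` twice for the same flow shows the point of the SADB check: the first call runs through the IKE rules and installs an SA, the second finds it in the SADB and negotiates nothing.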
The class SARule serves as a base class for IKERule and IPsecRule. Even though the class is concrete, it MUST not be instantiated. It defines a common connection point for associations to conditions and actions for both types of rules. Through its derivation from PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has the PolicyRuleValidityPeriod association.
Each SARule in a valid PolicyGroup MUST have a unique associated priority number in the PolicySetComponent.Priority. The class definition for SARule is as follows:
NAME            SARule
DESCRIPTION     A base class for IKERule and IPsecRule.
DERIVED FROM    PolicyRule (see [PCIM] & [PCIME])
ABSTRACT        FALSE
PROPERTIES      PolicyRuleName (from PolicyRule)
                Enabled (from PolicyRule)
                ConditionListType (from PolicyRule)
                RuleUsage (from PolicyRule)
                Mandatory (from PolicyRule)
                SequencedActions (from PolicyRule)
                ExecutionStrategy (from PolicyRule)
                PolicyRoles (from PolicySet)
                PolicyDecisionStrategy (from PolicySet)
                LimitNegotiation
4.1.1. The Properties PolicyRuleName, Enabled, ConditionListType, RuleUsage, Mandatory, SequencedActions, PolicyRoles, and PolicyDecisionStrategy
For a description of these properties, see [PCIM] and [PCIME].
In SARule subclass instances:
- if the property Mandatory exists, it MUST be set to "true".
- if the property SequencedActions exists, it MUST be set to "mandatory".
- the property PolicyRoles is not used in the device-level model.
- if the property PolicyDecisionStrategy exists, it must be set to "FirstMatching".
The ExecutionStrategy properties in the PolicyRule subclasses (and in the CompoundPolicyAction class) determine the behavior of the contained actions. It defines the strategy to be used in executing the sequenced actions aggregated by a rule or a compound action. In the case of actions within a rule, the PolicyActionInSARule aggregation is used to collect the actions into an ordered set; in the case of a compound action, the PolicyActionInPolicyAction aggregation is used to collect the actions into an ordered subset.
There are three execution strategies: do until success, do all, and do until failure.
"Do Until Success" causes the execution of actions according to the ActionOrder property in the aggregation instances until a successful execution of a single action. These actions may be evaluated to determine if they are appropriate to execute rather than blindly trying each of the actions until one succeeds. For an initiator, they are tried in the ActionOrder until the list is exhausted or one completes successfully. For example, an IKE initiator may have several IKEActions for the same SACondition. The initiator will try all IKEActions in the order defined by ActionOrder. I.e., it will possibly try several phase 1 negotiations with different modes (main mode then aggressive mode) and/or with multiple IKE peers. For a responder, when there is more than one action in the rule with "do until success" condition clause, this provides alternative actions depending on the received proposals. For example, the same IKERule may be used to handle aggressive mode and main mode negotiations with different actions. The responder uses the first appropriate action in the list of actions.
"Do All" causes the execution of all the actions in the aggregated set according to their defined order. The execution continues regardless of failures.
"Do Until Failure" causes the execution of all actions according to a predefined order until the first failure in execution of an action instance. Please note that if all actions are successful, then the aggregated result is a failure. This execution strategy is inherited from [PCIME] and is not expected to be of any use for IPsec configuration.
For example, in a nested SAs case, the actions of an initiator's rule might be structured as:
IPsecRule.ExecutionStrategy='Do All'
|
+---1--- IPsecTunnelAction     // set up SA from host to gateway
|
+---2--- IPsecTransportAction  // set up SA from host through
                               // tunnel to remote host
Another example, showing a rule with fallback actions might be structured as:
IPsecRule.ExecutionStrategy='Do Until Success'
|
+---6--- IPsecTransportAction  // negotiate SA with peer
|
+---9--- IPsecBypassAction     // but if you must, allow in the clear
The CompoundPolicyAction class (See [PCIME]) may be used in constructing the actions of IKE and IPsec rules when those rules specify both multiple actions and fallback actions. The ExecutionStrategy property in CompoundPolicyAction is used in conjunction with that in the PolicyRule.
For example, in nesting SAs with a fallback security gateway, the actions of a rule might be structured as:
IPsecRule.ExecutionStrategy='Do All'
|
+---1--- CompoundPolicyAction.ExecutionStrategy='Do Until Success'
|        |
|        +---1--- IPsecTunnelAction    // set up SA from host to
|        |                             // gateway1
|        |
|        +---2--- IPsecTunnelAction    // or set up SA to gateway2
|
+---2--- IPsecTransportAction          // then set up SA from host
                                       // through tunnel to remote
                                       // host
In the case of "Do All", a couple of actions can be executed successfully before a subsequent action fails. In this case, some IKE or IPsec actions may have resulted in SAs creation. Even if the net effect of the aggregated actions is failure, those created SAs MAY be kept or MAY be deleted.
In the case of "Do All", the IPsec selectors to be used during IPsec SA negotiation are:
- for the last IPsecAction of the aggregation (i.e., usually the innermost IPsec SA): this is the combination of the IPHeadersFilter class and of the Granularity property of the IPsecAction.
- for all other IPsecActions of the aggregation: the selector is the source IP address which is the local IP address, and the destination IP address is the PeerGateway IP address of the following IPsecAction of the "Do All" aggregation. NB: the granularity is IP address to IP address.
If the above behavior is not desirable, the alternative is to define several SARules, one for each IPsec SA to be built. This will allow the definition of specific IPsec selectors for all IPsecActions.
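The three execution strategies and the nesting of a CompoundPolicyAction inside a rule, as an added Python evaluator that is not code from RFC 3585. It orders actions by ActionOrder (rejecting duplicates, which the document says MUST be unique), applies "Do Until Success", "Do All" and "Do Until Failure" exactly as the text defines them (including the stated result that "Do Until Failure" is a failure when every action succeeds), and replays the second and third rule diagrams above. Whether an action succeeds is decided by a caller-supplied `attempt` function; the `Action`/`Compound`/`Result` classes, the `peer` field and the "reachable peers" sample are constructed here. The `partial` flag records the "Do All" case in which some actions created SAs before a later one failed, so the caller can decide whether to keep or delete them.

```python
"""ExecutionStrategy evaluation over the ordered actions of an SARule.

Added example, not code from RFC 3585. Implements the three strategies the
document names over actions ordered by ActionOrder, with a nested
CompoundPolicyAction. Action outcomes come from a caller-supplied
`attempt(action)`; the data classes and samples are constructed here.
"""
from dataclasses import dataclass, field
from typing import Optional

DO_UNTIL_SUCCESS = "Do Until Success"
DO_ALL = "Do All"
DO_UNTIL_FAILURE = "Do Until Failure"


@dataclass
class Action:
    name: str                      # e.g. "IPsecTunnelAction"
    peer: Optional[str] = None     # assumed field: PeerGateway or remote host


@dataclass
class Compound:
    """CompoundPolicyAction with its own ExecutionStrategy."""
    strategy: str
    actions: list                  # (ActionOrder, Action | Compound) pairs


@dataclass
class Result:
    success: bool
    completed: list = field(default_factory=list)  # actions that succeeded, in order
    partial: bool = False          # Do All failed after some actions created SAs


def ordered(aggregation):
    """Sort by ActionOrder; ActionOrder MUST be unique for a deterministic order."""
    orders = [o for o, _ in aggregation]
    if len(orders) != len(set(orders)):
        raise ValueError("duplicate ActionOrder in aggregation")
    return [a for _, a in sorted(aggregation, key=lambda pair: pair[0])]


def execute(strategy, aggregation, attempt):
    """Run the aggregated actions under `strategy` and return a Result."""
    result = Result(success=False)
    outcomes = []
    for act in ordered(aggregation):
        if isinstance(act, Compound):
            sub = execute(act.strategy, act.actions, attempt)   # nested strategy
            ok = sub.success
            result.completed.extend(sub.completed)
        else:
            ok = attempt(act)
            if ok:
                result.completed.append(f"{act.name}->{act.peer}")
        outcomes.append(ok)
        if strategy == DO_UNTIL_SUCCESS and ok:
            break                  # first success ends the list
        if strategy == DO_UNTIL_FAILURE and not ok:
            break                  # first failure ends the list
    if strategy == DO_UNTIL_SUCCESS:
        result.success = any(outcomes)
    elif strategy == DO_ALL:
        result.success = all(outcomes)   # execution continued regardless of failures
        # SAs created by completed actions MAY be kept or deleted: flag it.
        result.partial = (not result.success) and bool(result.completed)
    elif strategy == DO_UNTIL_FAILURE:
        # Per the text: if all actions are successful the aggregate is a failure.
        result.success = not all(outcomes)
    else:
        raise ValueError(f"unknown ExecutionStrategy {strategy!r}")
    return result


def nested_with_fallback_gateway(reachable):
    """Third diagram: Do All over [Compound(Do Until Success: tunnel to
    gateway1, tunnel to gateway2), transport to the remote host]."""
    rule = [
        (1, Compound(DO_UNTIL_SUCCESS, [
            (1, Action("IPsecTunnelAction", peer="gateway1")),
            (2, Action("IPsecTunnelAction", peer="gateway2")),
        ])),
        (2, Action("IPsecTransportAction", peer="remotehost")),
    ]
    return execute(DO_ALL, rule, lambda a: a.peer in reachable)


def transport_with_bypass_fallback(reachable):
    """Second diagram: Do Until Success over transport (6) then bypass (9).
    The pairs are listed out of order on purpose; ActionOrder decides."""
    rule = [
        (9, Action("IPsecBypassAction", peer="peer")),
        (6, Action("IPsecTransportAction", peer="peer")),
    ]
    # Bypass always "succeeds"; transport only if the peer negotiates.
    attempt = lambda a: a.name == "IPsecBypassAction" or a.peer in reachable
    return execute(DO_UNTIL_SUCCESS, rule, attempt)
```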
The property LimitNegotiation is used as part of processing either an IKE or an IPsec rule.
Before proceeding with a phase 1 negotiation, this property is checked to determine whether the negotiation role of the rule matches that defined for the negotiation being undertaken (e.g., Initiator, Responder, or Both). If this check fails (e.g., the current role is IKE responder, while the rule specifies IKE initiator), then the IKE negotiation is stopped. Note that this only applies to new IKE phase 1 negotiations and has no effect on either renegotiation or refresh operations with peers for which an established SA already exists.
Before proceeding with a phase 2 negotiation, the LimitNegotiation property of the IPsecRule is first checked to determine if the negotiation role indicated for the rule matches that of the current negotiation (Initiator, Responder, or Either). Note that this limit applies only to new phase 2 negotiations. It is ignored when an attempt is made to refresh an expiring SA (either side can initiate a refresh operation). The IKE system can determine that the negotiation is a refresh operation by checking to see if the selector information matches that of an existing SA. If LimitNegotiation does not match and the selector corresponds to a new SA, the negotiation is stopped.
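The LimitNegotiation checks for phase 1 and phase 2 described above, as an added Python example that is not code from RFC 3585. The value encoding (1 initiator-only, 2 responder-only, 3 both) is the property definition's; the role strings, keying the phase 1 exception on the peer address, and detecting a phase 2 refresh by looking the selector up among existing SAs are modelling choices made here.

```python
"""Applying LimitNegotiation before a phase 1 or phase 2 negotiation.

Added example, not code from RFC 3585. Value encoding is the property's;
the role strings, the peer-keyed phase 1 exception and the selector-keyed
refresh detection for phase 2 are assumptions of this model.
"""
INITIATOR_ONLY, RESPONDER_ONLY, BOTH = 1, 2, 3      # LimitNegotiation values


def role_permitted(limit_negotiation, current_role):
    """Does the rule's LimitNegotiation admit the role we are about to play?"""
    if limit_negotiation not in (INITIATOR_ONLY, RESPONDER_ONLY, BOTH):
        raise ValueError(f"invalid LimitNegotiation value {limit_negotiation!r}")
    if current_role not in ("initiator", "responder"):
        raise ValueError(f"unknown negotiation role {current_role!r}")
    return (limit_negotiation == BOTH
            or (limit_negotiation == INITIATOR_ONLY and current_role == "initiator")
            or (limit_negotiation == RESPONDER_ONLY and current_role == "responder"))


def phase1_allowed(ike_rule_limit, current_role, peer, established_ike_peers):
    """Phase 1: the limit only constrains new negotiations. Renegotiation or
    refresh with a peer that already has an established SA is never stopped."""
    if peer in established_ike_peers:
        return True
    return role_permitted(ike_rule_limit, current_role)


def phase2_allowed(ipsec_rule_limit, current_role, selector, existing_ipsec_selectors):
    """Phase 2: a negotiation whose selector matches an existing IPsec SA is a
    refresh and may be started by either side; otherwise the limit applies."""
    if selector in existing_ipsec_selectors:
        return True
    return role_permitted(ipsec_rule_limit, current_role)
```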
The property is defined as follows:
NAME            LimitNegotiation
DESCRIPTION     Limits the role to be undertaken during negotiation.
SYNTAX          unsigned 16-bit integer
VALUE           1 - initiator-only
                2 - responder-only
                3 - both
The class IKERule associates Conditions and Actions for IKE phase 1 negotiations. The class definition for IKERule is as follows:
NAME            IKERule
DESCRIPTION     Associates Conditions and Actions for IKE phase 1
                negotiations.
DERIVED FROM    SARule
ABSTRACT        FALSE
PROPERTIES      same as SARule, plus
                IdentityContexts
The IKE service of a security endpoint may have multiple identities for use in different situations. The combination of the interface (represented by the IPProtocolEndpoint or by a collection of IPProtocolEndpoints), the identity type (as specified in the IKEAction), and the IdentityContexts specifies a unique identity.
The IdentityContexts property specifies the context to select the relevant IKE identity to be used during the further IKEAction. A context may be a VPN name or other identifier for selecting the appropriate identity for use on the protected IPProtocolEndpoint (or collection of IPProtocolEndpoints).
IdentityContexts is an array of strings. The multiple values in the array are logically ORed together in evaluating the IdentityContexts. Each value in the array may be the composition of multiple context names. So, a single value may be a single context name (e.g., "CompanyXVPN"), or it may be combination of contexts. When an array value is a composition, the individual values are logically ANDed together for evaluation purposes and the syntax is:
<ContextName>[&&<ContextName>]*
where the individual context names appear in alphabetical order (according to the collating sequence for UCS-2). So, for example, the values "CompanyXVPN", "CompanyYVPN&&TopSecret", "CompanyZVPN&&Confidential" mean that, for the appropriate IPProtocolEndpoint and IdentityType, the contexts are matched if the identity specifies "CompanyXVPN", "CompanyYVPN&&TopSecret", or "CompanyZVPN&&Confidential".
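The IdentityContexts syntax and evaluation rule (names inside one array value ANDed and listed in UCS-2 collating order, array values ORed), as an added Python example that is not code from RFC 3585. It builds well-formed values, rejects malformed or mis-ordered ones, and evaluates the document's own three-value example. Representing the candidate IKE identity as the set of context names it carries is an assumption made here.

```python
"""Composing and evaluating IdentityContexts values.

Added example, not code from RFC 3585. Implements the document's syntax
<ContextName>[&&<ContextName>]*: names within one value are ANDed and
must be in alphabetical (UCS-2) order; the array's values are ORed. The
identity is modelled as the set of context names it carries (assumed).
"""
SEP = "&&"


def collate_key(name):
    """UCS-2 collating order: compare UTF-16 code units (big-endian bytes)."""
    return name.encode("utf-16-be")


def compose_contexts(names):
    """Build one array value from several context names, in the required order."""
    names = list(names)
    if not names or any(not n or SEP in n for n in names):
        raise ValueError("context names must be non-empty and must not contain '&&'")
    return SEP.join(sorted(names, key=collate_key))


def parse_context_value(value):
    """Split one array value into its ANDed names, rejecting empty names
    and compositions that violate the ordering rule."""
    names = value.split(SEP)
    if any(not n for n in names):
        raise ValueError(f"empty context name in {value!r}")
    keys = [collate_key(n) for n in names]
    if keys != sorted(keys):
        raise ValueError(f"context names not in alphabetical order: {value!r}")
    return names


def identity_contexts_match(identity_contexts, contexts_of_identity):
    """True if any array value (OR) has all of its names (AND) in the identity."""
    carried = set(contexts_of_identity)
    return any(set(parse_context_value(v)) <= carried for v in identity_contexts)


# The document's example array value for an IKERule.
RULE_CONTEXTS = ["CompanyXVPN", "CompanyYVPN&&TopSecret", "CompanyZVPN&&Confidential"]
```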
The property is defined as follows:
NAME            IdentityContexts
DESCRIPTION     Specifies the context in which to select the IKE
                identity.
SYNTAX          string array
The class IPsecRule associates Conditions and Actions for IKE phase 2 negotiations for the IPsec DOI. The class definition for IPsecRule is as follows:
NAME            IPsecRule
DESCRIPTION     Associates Conditions and Actions for IKE phase 2
                negotiations for the IPsec DOI.
DERIVED FROM    SARule
ABSTRACT        FALSE
PROPERTIES      same as SARule
The class IPsecPolicyForEndpoint associates a PolicyGroup with a specific network interface. If an IPProtocolEndpoint of a system does not have an IPsecPolicyForEndpoint-associated PolicyGroup, then the IPsecPolicyForSystem associated PolicyGroup is used for that endpoint. The class definition for IPsecPolicyForEndpoint is as follows:
NAME            IPsecPolicyForEndpoint
DESCRIPTION     Associates a policy group to a network interface.
DERIVED FROM    Dependency (see [CIMCORE])
ABSTRACT        FALSE
PROPERTIES      Antecedent[ref IPProtocolEndpoint[0..n]]
                Dependent[ref PolicyGroup[0..1]]
The property Antecedent is inherited from Dependency and is overridden to refer to an IPProtocolEndpoint instance. The [0..n] cardinality indicates that a PolicyGroup instance may be associated with zero or more IPProtocolEndpoint instances.
The property Dependent is inherited from Dependency and is overridden to refer to a PolicyGroup instance. The [0..1] cardinality indicates that an IPProtocolEndpoint instance may have an association to at most one PolicyGroup instance.
The class IPsecPolicyForSystem associates a PolicyGroup with a specific system. If an IPProtocolEndpoint of a system does not have an IPsecPolicyForEndpoint-associated PolicyGroup, then the IPsecPolicyForSystem associated PolicyGroup is used for that endpoint. The class definition for IPsecPolicyForSystem is as follows:
NAME            IPsecPolicyForSystem
DESCRIPTION     Default policy group for a system.
DERIVED FROM    Dependency (see [CIMCORE])
ABSTRACT        FALSE
PROPERTIES      Antecedent[ref System[0..n]]
                Dependent[ref PolicyGroup[0..1]]
The property Antecedent is inherited from Dependency and is overridden to refer to a System instance. The [0..n] cardinality indicates that a PolicyGroup instance may have an association to zero or more System instances.
The property Dependent is inherited from Dependency and is overridden to refer to a PolicyGroup instance. The [0..1] cardinality indicates that a System instance may have an association to at most one PolicyGroup instance.
The class SAConditionInRule associates an SARule with the SACondition instance(s) that trigger(s) it. The class definition for SAConditionInRule is as follows:
NAME            SAConditionInRule
DESCRIPTION     Associates an SARule with the SACondition instance(s)
                that trigger(s) it.
DERIVED FROM    PolicyConditionInPolicyRule (see [PCIM] & [PCIME])
ABSTRACT        FALSE
PROPERTIES      GroupNumber (from PolicyConditionInPolicyRule)
                ConditionNegated (from PolicyConditionInPolicyRule)
                GroupComponent [ref SARule [0..n]]
                PartComponent [ref SACondition [1..n]]
For a description of these properties, see [PCIM].
The property GroupComponent is inherited from PolicyConditionInPolicyRule and is overridden to refer to an SARule instance. The [0..n] cardinality indicates that an SACondition instance may be contained in zero or more SARule instances.
The property PartComponent is inherited from PolicyConditionInPolicyRule and is overridden to refer to an SACondition instance. The [1..n] cardinality indicates that an SARule instance MUST contain at least one SACondition instance.
The PolicyActionInSARule class associates an SARule with one or more PolicyAction instances. In all cases where an SARule is being used, the contained actions MUST be either subclasses of SAAction or instances of CompoundPolicyAction. For an IKERule, the contained actions MUST be related to phase 1 processing, i.e., IKEAction or IKERejectAction. Similarly, for an IPsecRule, contained actions MUST be related to phase 2 or preconfigured SA processing, e.g., IPsecTransportAction, IPsecBypassAction, etc. The class definition for PolicyActionInSARule is as follows:
NAME            PolicyActionInSARule
DESCRIPTION     Associates an SARule with its PolicyAction(s).
DERIVED FROM    PolicyActionInPolicyRule (see [PCIM] & [PCIME])
ABSTRACT        FALSE
PROPERTIES      GroupComponent [ref SARule [0..n]]
                PartComponent [ref PolicyAction [1..n]]
                ActionOrder (from PolicyActionInPolicyRule)
The property GroupComponent is inherited from PolicyActionInPolicyRule and is overridden to refer to an SARule instance. The [0..n] cardinality indicates that an SAAction instance may be contained in zero or more SARule instances.
The property PartComponent is inherited from PolicyActionInPolicyRule and is overridden to refer to an SAAction or CompoundPolicyAction instance. The [1..n] cardinality indicates that an SARule instance MUST contain at least one SAAction or CompoundPolicyAction instance.
The property ActionOrder is inherited from the superclass PolicyActionInPolicyRule. It specifies the relative position of this PolicyAction in the sequence of actions associated with a PolicyRule. The ActionOrder MUST be unique so as to provide a deterministic order. In addition, the actions in an SARule are executed as follows. See section 4.2.2, ExecutionStrategy, for a discussion on the use of the ActionOrder property.
The property is defined as follows:
NAME            ActionOrder
DESCRIPTION     Specifies the order of actions.
SYNTAX          unsigned 16-bit integer
VALUE           Any value between 1 and 2^16-1 inclusive. Lower values
                have higher precedence (i.e., 1 is the highest
                precedence). The merging order of two SAActions with the
                same precedence is undefined.
The IPsec condition and filter classes are used to build the "if" part of the IKE and IPsec rules.
                              *+-------------+
          +--------------------| SACondition |
          |                    +-------------+
          |                         * |
          |                           |(a)
          |                         1 |
          |                   +---------------+
          |                   |  FilterList   |
          |                   |([CIMNETWORK]) |
          |                   +---------------+
          |                         1 o
          |(b)                        |(c)
          |                         * |
          |                  +-----------------+
          |                  | FilterEntryBase |
          |                  | ([CIMNETWORK])  |
          |                  +-----------------+
          |                           ^
          |                           |
          |    +-----------------+    |    +-----------------------+
          |    | IPHeadersFilter |----+----| CredentialFilterEntry |
          |    | ([PCIME])       |    |    +-----------------------+
          |    +-----------------+    |
          |                           |
          |    +-----------------+    |    +--------------------------+
          |    | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry |
          |    +-----------------+         +--------------------------+
          |
          |           *+-----------------------------+
          +------------| CredentialManagementService |
                       |         ([CIMUSER])         |
                       +-----------------------------+

(a) FilterOfSACondition
(b) AcceptCredentialsFrom
(c) EntriesInFilterList (see [CIMNETWORK])
The class SACondition defines the conditions of rules for IKE and IPsec negotiations. Conditions are associated with policy rules via the SAConditionInRule aggregation. It is used as an anchor point to associate various types of filters with policy rules via the FilterOfSACondition association. It also defines whether Credentials can be accepted for a particular policy rule via the AcceptCredentialsFrom association.
Associated objects represent components of the condition that may or may not apply at a given rule evaluation. For example, an AcceptCredentialsFrom evaluation is only performed when a credential is available to be evaluated against the list of trusted credential management services. Similarly, a PeerIDPayloadFilterEntry may only be evaluated when an IDPayload value is available to compare with the filter. Condition components that do not have corresponding values with which to evaluate are evaluated as TRUE unless the protocol has completed without providing the required information.
The class definition for SACondition is as follows:
NAME            SACondition
DESCRIPTION     Defines the preconditions for IKE and IPsec
                negotiations.
DERIVED FROM    PolicyCondition (see [PCIM])
ABSTRACT        FALSE
PROPERTIES      PolicyConditionName (from PolicyCondition)
The class IPHeadersFilter is defined in [PCIME] with the following note:
1) to specify 5-tuple filters that are to apply symmetrically (i.e., matches traffic in both directions of the same flows which is quite typical for SPD entries for ingress and egress traffic), the Direction property of the FilterList SHOULD be set to "Mirrored".
The class CredentialFilterEntry defines an equivalence class that matches credentials of IKE peers. Each CredentialFilterEntry includes a MatchFieldName that is interpreted according to the CredentialManagementService(s) associated with the SACondition (AcceptCredentialsFrom).
These credentials can be X.509 certificates, Kerberos tickets, or other types of credentials obtained during the Phase 1 exchange.
Note: this filter entry will probably be checked while the IKE negotiation takes place. If the check is a failure, then the IKE negotiation MUST be stopped, and the result of the IKEAction which triggered this negotiation is a failure.
The class definition for CredentialFilterEntry is as follows:
NAME            CredentialFilterEntry
DESCRIPTION     Specifies a match filter based on the IKE credentials.
DERIVED FROM    FilterEntryBase (see [CIMNETWORK])
ABSTRACT        FALSE
PROPERTIES      Name (from FilterEntryBase)
                IsNegated (from FilterEntryBase)
                MatchFieldName
                MatchFieldValue
                CredentialType
The property MatchFieldName specifies the sub-part of the credential to match against MatchFieldValue. The property is defined as follows:
NAME            MatchFieldName
DESCRIPTION     Specifies which sub-part of the credential to match.
SYNTAX          string
VALUE           This is the string representation of a X.509 certificate
                attribute, e.g.:
                - "serialNumber"
                - "signatureAlgorithm"
                - "issuerName"
                - "subjectName"
                - "subjectAltName"
                - ...
The property MatchFieldValue specifies the value to compare with the MatchFieldName in a credential to determine if the credential matches this filter entry. The property is defined as follows:
NAME            MatchFieldValue
DESCRIPTION     Specifies the value to be matched by the MatchFieldName.
SYNTAX          string
VALUE           NB: If the CredentialFilterEntry corresponds to a
                DistinguishedName, this value in the CIM class is
                represented by an ordinary string value. However, an
                implementation must convert this string to a DER-encoded
                string before matching against the values extracted from
                credentials at runtime.
A wildcard mechanism may be used for MatchFieldNames that contain character strings. The MatchFieldValue may contain a wildcard character, '*', in the pattern match specification. For example, if the MatchFieldName is "subjectName", then a MatchFieldValue of "cn=*,ou=engineering,o=foo,c=be" will successfully match a certificate whose subject attribute is "cn=Jane Doe,ou=engineering,o=foo,c=be". The wildcard character can be used to represent 0 or more characters as would be displayed to the user (i.e., a wildcard pattern match operates on displayable character boundaries).
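Evaluation of a CredentialFilterEntry, as an added Python example that is not code from RFC 3585. It covers the wildcard rule just described ('*' standing for zero or more displayable characters in MatchFieldValue, with every other character matched literally) together with the SACondition rule stated earlier for components that have nothing to evaluate against: such a component is TRUE unless the protocol has completed without providing the value. The comparison here is on the displayable string form; converting a DistinguishedName to DER before matching, as the MatchFieldValue definition requires, is not shown. The dictionary shapes for the entry and the credential, the treatment of IsNegated when no value is available, and the sample subject names are constructed here.

```python
"""Evaluating a CredentialFilterEntry with a wildcard MatchFieldValue.

Added example, not code from RFC 3585. Shows the '*' wildcard over
displayable characters and the "TRUE unless the protocol completed
without the value" rule for condition components. Matching is done on
the displayable string; DER conversion of DistinguishedNames is omitted.
"""
import re


def wildcard_pattern(match_field_value):
    """Only '*' is special; every other character, including regex
    metacharacters such as '.', is matched literally. '*' consumes whole
    characters (code points), i.e. it works on displayable boundaries."""
    parts = match_field_value.split("*")
    regex = ".*".join(re.escape(p) for p in parts)
    return re.compile(regex, re.DOTALL)


def field_matches(match_field_value, actual):
    """True if the displayable attribute value matches the wildcard pattern."""
    return wildcard_pattern(match_field_value).fullmatch(actual) is not None


def evaluate_credential_filter(entry, credential, protocol_complete):
    """entry: {"MatchFieldName", "MatchFieldValue", "IsNegated"} (constructed shape);
    credential: mapping of displayable attribute values, or None if the
    peer's credential has not been received yet."""
    actual = None if credential is None else credential.get(entry["MatchFieldName"])
    if actual is None:
        # Nothing to compare against: TRUE while the exchange is still in
        # progress, FALSE once it completed without supplying the field.
        # Assumed here: IsNegated is not applied in this case.
        return not protocol_complete
    matched = field_matches(entry["MatchFieldValue"], actual)
    return (not matched) if entry.get("IsNegated", False) else matched


# Constructed sample entry: the subjectName pattern from the text.
SUBJECT_ENGINEERING = {
    "MatchFieldName": "subjectName",
    "MatchFieldValue": "cn=*,ou=engineering,o=foo,c=be",
    "IsNegated": False,
}
```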
The property CredentialType specifies the particular type of credential that is being matched. The property is defined as follows:
NAME            CredentialType
DESCRIPTION     Defines the type of IKE credentials.
SYNTAX          unsigned 16-bit integer
VALUE           1 - X.509 Certificate
                2 - Kerberos Ticket
The class IPSOFilterEntry is used to match traffic based on the IP Security Options [IPSO] header values (ClassificationLevel and ProtectionAuthority) as defined in RFC 1108. This type of filter entry is used to adjust the IPsec encryption level according to the IPSO classification of the traffic (e.g., secret, confidential, restricted, etc.). The class definition for IPSOFilterEntry is as follows:
NAME            IPSOFilterEntry
DESCRIPTION     Specifies a match filter based on IP Security Options.
DERIVED FROM    FilterEntryBase (see [CIMNETWORK])
ABSTRACT        FALSE
PROPERTIES      Name (from FilterEntryBase)
                IsNegated (from FilterEntryBase)
                MatchConditionType
                MatchConditionValue
The property MatchConditionType specifies the IPSO header field that will be matched (e.g., traffic classification level or protection authority). The property is defined as follows:
NAME            MatchConditionType
DESCRIPTION     Specifies the IPSO header field to be matched.
SYNTAX          unsigned 16-bit integer
VALUE           1 - ClassificationLevel
                2 - ProtectionAuthority
The property MatchConditionValue specifies the value of the IPSO header field to be matched against. The property is defined as follows:
NAME         MatchConditionValue
DESCRIPTION  Specifies the value of the IPSO header field to be matched against.
SYNTAX       unsigned 16-bit integer
VALUE        The value MUST be one of the values listed in RFC 1108 (or any
             further IANA Assigned Numbers document). Some examples for
             ClassificationLevel are:
               61 - TopSecret
               90 - Secret
              150 - Confidential
              171 - Unclassified
             For ProtectionAuthority, some examples are:
               0 - GENSER
               1 - SIOP-ESI
               2 - SCI
               3 - NSA
               4 - DOE
The class PeerIDPayloadFilterEntry defines filters used to match ID payload values from the IKE protocol exchange. PeerIDPayloadFilterEntry permits the specification of certain ID payload values such as "*@example.com" or "192.0.2.0/24".
This filter applies only to IKERules when the local entity is acting as a responder (an initiator already knows which peer it is contacting). Moreover, the point at which it can be applied depends on the exchange type: in aggressive mode the peer's ID payload arrives in the first message, so the filter can be applied immediately, whereas in main mode the ID payloads are only exchanged in the fifth and sixth messages, after the Diffie-Hellman exchange, so its application is delayed until then. The class definition for PeerIDPayloadFilterEntry is as follows:
NAME         PeerIDPayloadFilterEntry
DESCRIPTION  Specifies a match filter based on IKE identity.
DERIVED FROM FilterEntryBase (see [CIMNETWORK])
ABSTRACT     FALSE
PROPERTIES   Name (from FilterEntryBase)
             IsNegated (from FilterEntryBase)
             MatchIdentityType
             MatchIdentityValue
The property MatchIdentityType specifies the type of identity provided by the peer in the ID payload. The property is defined as follows:
NAME         MatchIdentityType
DESCRIPTION  Specifies the ID payload type.
SYNTAX       unsigned 16-bit integer
VALUE        Consult [DOI] for valid values.
5.5.2. The Property MatchIdentityValue
The property MatchIdentityValue specifies the filter value for comparison with the ID payload, e.g., "*@example.com". The property is defined as follows:
NAME         MatchIdentityValue
DESCRIPTION  Specifies the ID payload value.
SYNTAX       string
VALUE        NB: The syntax may need to be converted for comparison. If the
             PeerIDPayloadFilterEntry type is a DistinguishedName, the name in
             the MatchIdentityValue property is represented by an ordinary
             string value, but this value must be converted into a DER-encoded
             string before matching against the values extracted from IKE ID
             payloads at runtime. The same applies to IPv4 & IPv6 addresses.
Different wildcard mechanisms can be used depending on the ID payload:
- a MatchIdentityValue of "*@example.com" will match a user FQDN ID payload of "JDOE@EXAMPLE.COM".

- a MatchIdentityValue of "*.example.com" will match a FQDN ID payload of "WWW.EXAMPLE.COM".

- a MatchIdentityValue of "cn=*,ou=engineering,o=company,c=us" will match a DER DN ID payload of "cn=John Doe,ou=engineering,o=company,c=us".

- a MatchIdentityValue of "193.190.125.0/24" will match an IPv4 address ID payload of 193.190.125.10.

- a MatchIdentityValue of "193.190.125.*" will also match an IPv4 address ID payload of 193.190.125.10.

The above wildcard mechanisms MUST be supported for all ID payloads supported by the local IKE entity. The character '*' replaces 0 or multiple instances of any character as restricted by the type specified by MatchIdentityType.
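The wildcard rules above (and the subjectName wildcard for CredentialFilterEntry earlier in this section) are compact enough to implement directly. The following Python is an added example and not part of RFC 3585 or of any implementation it describes: it matches an ID payload string against a MatchIdentityValue for the user FQDN, FQDN, DER DN and IPv4 address cases and applies IsNegated. It assumes the DN has already been decoded from DER back to its string form (the model requires the runtime comparison to be made on the DER form), ignores escaped commas and multi-valued RDNs, and uses the string constants ID_* in place of the numeric [DOI] identity type codes.

```python
"""Wildcard matching of IKE ID payloads (PeerIDPayloadFilterEntry) and of
certificate subject names (CredentialFilterEntry).

Added example, not RFC 3585 text. Matching is done on the displayable string
form of each identity; a DN is assumed to have been decoded from DER first.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Identity types used by this example. The real MatchIdentityType codes are
# the ID payload type numbers from the IPsec DOI and are not reproduced here.
ID_IPV4_ADDR = "ipv4_addr"
ID_FQDN = "fqdn"
ID_USER_FQDN = "user_fqdn"
ID_DER_ASN1_DN = "der_asn1_dn"


def _glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """'*' matches zero or more characters; everything else is literal.

    The expression is anchored at both ends so that "*@example.com" cannot be
    satisfied by "user@example.com.attacker.test".
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


def _parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'cn=Jane Doe,ou=engineering,o=foo,c=be' into (type, value) RDNs.

    Simplified on purpose: no escaped commas and no multi-valued RDNs.
    """
    rdns = []
    for rdn in dn.split(","):
        attr_type, _, attr_value = rdn.partition("=")
        rdns.append((attr_type.strip().lower(), attr_value.strip()))
    return rdns


def match_identity(id_type: str, pattern: str, payload: str) -> bool:
    """Return True when the ID payload value satisfies the filter pattern."""
    if id_type == ID_IPV4_ADDR:
        addr = ipaddress.IPv4Address(payload)
        if "/" in pattern:                       # "193.190.125.0/24"
            return addr in ipaddress.IPv4Network(pattern, strict=False)
        if "*" in pattern:                       # "193.190.125.*", on the dotted text
            return _glob_to_regex(pattern).match(str(addr)) is not None
        return addr == ipaddress.IPv4Address(pattern)

    if id_type in (ID_FQDN, ID_USER_FQDN):       # "*.example.com", "*@example.com"
        return _glob_to_regex(pattern).match(payload) is not None

    if id_type == ID_DER_ASN1_DN:
        # Compare RDN by RDN so a wildcard stays inside the component it was
        # written in: "cn=*" never swallows ",ou=engineering".
        wanted, got = _parse_dn(pattern), _parse_dn(payload)
        if len(wanted) != len(got):
            return False
        return all(
            w_type == g_type and _glob_to_regex(w_value).match(g_value) is not None
            for (w_type, w_value), (g_type, g_value) in zip(wanted, got)
        )

    raise ValueError(f"unsupported identity type: {id_type}")


@dataclass
class PeerIDPayloadFilterEntry:
    """The four properties of the model class, with IsNegated applied."""
    name: str
    match_identity_type: str
    match_identity_value: str
    is_negated: bool = False

    def matches(self, payload: str) -> bool:
        result = match_identity(self.match_identity_type,
                                self.match_identity_value, payload)
        return not result if self.is_negated else result
```

The anchored regular expression is the security-relevant detail: an unanchored "*@example.com" would also accept "user@example.com.attacker.test", turning a responder-side allow list into a suffix match on a string the peer controls. Matching the DN component by component keeps "cn=*" from swallowing the rest of the name.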
The class FilterOfSACondition associates an SACondition with the filter specifications (FilterList) that make up the condition. The class definition for FilterOfSACondition is as follows:
NAME         FilterOfSACondition
DESCRIPTION  Associates a condition with the filter list that makes up the
             individual condition elements.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT     FALSE
PROPERTIES   Antecedent [ref FilterList[1..1]]
             Dependent [ref SACondition[0..n]]
The property Antecedent is inherited from Dependency and is overridden to refer to a FilterList instance. The [1..1] cardinality indicates that an SACondition instance MUST be associated with one and only one FilterList instance.
The property Dependent is inherited from Dependency and is overridden to refer to an SACondition instance. The [0..n] cardinality indicates that a FilterList instance may be associated with zero or more SACondition instances.
The class AcceptCredentialFrom specifies which credential management services (e.g., a CertificateAuthority or a Kerberos service) are to be trusted to certify peer credentials. This is used to assure that the credential being matched in the CredentialFilterEntry is a valid credential that has been supplied by an approved CredentialManagementService. If a CredentialManagementService is specified and a corresponding CredentialFilterEntry is used, but the credential supplied by the peer is not certified by that CredentialManagementService (or one of the CredentialManagementServices in its trust hierarchy), the CredentialFilterEntry is deemed not to match. If a credential is certified by a CredentialManagementService in the AcceptCredentialFrom list of services, but there is no CredentialFilterEntry, this is considered equivalent to a CredentialFilterEntry that matches all credentials from those services.
The class definition for AcceptCredentialFrom is as follows:
NAME         AcceptCredentialFrom
DESCRIPTION  Associates a condition with the credential management services
             to be trusted.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT     FALSE
PROPERTIES   Antecedent [ref CredentialManagementService[0..n]]
             Dependent [ref SACondition[0..n]]
The property Antecedent is inherited from Dependency and is overridden to refer to a CredentialManagementService instance. The [0..n] cardinality indicates that an SACondition instance may be associated with zero or more CredentialManagementService instances.
The property Dependent is inherited from Dependency and is overridden to refer to a SACondition instance. The [0..n] cardinality indicates that a CredentialManagementService instance may be associated with zero or more SACondition instances.
The action classes are used to model the different actions an IPsec device may take when the evaluation of the associated condition results in a match.
Action class hierarchy and associations (reconstructed from the figure):

SAAction
 |
 +-- SANegotiationAction
 |    |
 |    +-- IKENegotiationAction  <--(b)--> [SAProposal]
 |         |
 |         +-- IPsecAction
 |         |    +-- IPsecTransportAction
 |         |    +-- IPsecTunnelAction  <--(a)--> PeerGateway
 |         |
 |         +-- IKEAction
 |
 +-- SAStaticAction
      +-- IPsecBypassAction
      +-- IPsecDiscardAction
      +-- IKERejectAction
      +-- PreconfiguredSAAction  <--(d)--> [SATransform] (2..6)
           +-- PreconfiguredTransportAction
           +-- PreconfiguredTunnelAction  <--(e)--> PeerGateway (0..1)

PeerGateway <--(c)--> System ([CIMCORE]), a weak association to exactly one System

(a) PeerGatewayForTunnel
(b) ContainedProposal
(c) HostedPeerGatewayInformation
(d) TransformOfPreconfiguredAction
(e) PeerGatewayForPreconfiguredTunnel
The class SAAction is abstract and serves as the base class for IKE and IPsec actions. It is used for aggregating different types of actions to IKE and IPsec rules. The class definition for SAAction is as follows:
NAME         SAAction
DESCRIPTION  The base class for IKE and IPsec actions.
DERIVED FROM PolicyAction (see [PCIM])
ABSTRACT     TRUE
PROPERTIES   PolicyActionName (from PolicyAction)
             DoActionLogging
             DoPacketLogging
The property DoActionLogging specifies whether a log message is to be generated when the action is performed. This applies for SANegotiationActions with the meaning of logging a message when the negotiation is attempted (with the success or failure result). This also applies for SAStaticAction only for PreconfiguredSAAction with the meaning of logging a message when the preconfigured SA is actually installed in the SADB. The property is defined as follows:
NAME         DoActionLogging
DESCRIPTION  Specifies whether to log when the action is performed.
SYNTAX       boolean
VALUE        true - a log message is to be generated when the action is
             performed.
             false - no log message is to be generated when the action is
             performed.
The property DoPacketLogging specifies whether a log message is to be generated when the resulting security association is used to process the packet. If the SANegotiationAction successfully executes and results in the creation of one or several security associations, or if the PreconfiguredSAAction executes, the value of DoPacketLogging SHOULD be propagated to an optional field of SADB. This optional field should be used to decide whether a log message is to be generated when the SA is used to process a packet. For SAStaticActions, a log message is to be generated when the IPsecBypassAction, IPsecDiscardAction, or IKERejectAction are executed. The property is defined as follows:
NAME         DoPacketLogging
DESCRIPTION  Specifies whether to log when the resulting security association
             is used to process the packet.
SYNTAX       boolean
VALUE        true - a log message is to be generated when the resulting
             security association is used to process the packet.
             false - no log message is to be generated.
The class SAStaticAction is abstract and serves as the base class for IKE and IPsec actions that do not require any negotiation. The class definition for SAStaticAction is as follows:
NAME         SAStaticAction
DESCRIPTION  The base class for IKE and IPsec actions that do not require any
             negotiation.
DERIVED FROM SAAction
ABSTRACT     TRUE
PROPERTIES   LifetimeSeconds
The property LifetimeSeconds specifies how long the security association derived from this action should be used. The property is defined as follows:
NAME         LifetimeSeconds
DESCRIPTION  Specifies the amount of time (in seconds) that a security
             association derived from this action should be used.
SYNTAX       unsigned 64-bit integer
VALUE        A value of zero indicates that there is not a lifetime associated
             with this action (i.e., infinite lifetime). A non-zero value is
             typically used in conjunction with alternate SAActions performed
             when there is a negotiation failure of some sort.
Note: if the referenced SAStaticAction object is a PreconfiguredSAAction associated to several SATransforms, then the actual lifetime of the preconfigured SA will be the lesser of the value of this LifetimeSeconds property and of the value of the MaxLifetimeSeconds property of the associated SATransform. If the value of this LifetimeSeconds property is zero, then there will be no lifetime associated to this SA.
Note: while some SA negotiation protocols [IKE] can negotiate the lifetime as an arbitrary length field, the authors have assumed that a 64-bit integer will be sufficient.
It is expected that most SAStaticAction instances will have their LifetimeSeconds properties set to zero (meaning no expiration of the resulting SA).
The class IPsecBypassAction is used when packets are allowed to be processed without applying IPsec encapsulation to them. This is the same as stating that packets are allowed to flow in the clear. The class definition for IPsecBypassAction is as follows:
NAME         IPsecBypassAction
DESCRIPTION  Specifies that packets are to be allowed to pass in the clear.
DERIVED FROM SAStaticAction
ABSTRACT     FALSE
The class IPsecDiscardAction is used when packets are to be discarded. This is the same as stating that packets are to be denied. The class definition for IPsecDiscardAction is as follows:
NAME         IPsecDiscardAction
DESCRIPTION  Specifies that packets are to be discarded.
DERIVED FROM SAStaticAction
ABSTRACT     FALSE
The class IKERejectAction is used to prevent attempting an IKE negotiation with the peer(s). The main use of this class is to prevent some denial of service attacks when acting as IKE responder. It goes beyond a plain discard of UDP/500 IKE packets because the SACondition can be based on specific PeerIDPayloadFilterEntry (when aggressive mode is used). The class definition for IKERejectAction is as follows:
NAME         IKERejectAction
DESCRIPTION  Specifies that an IKE negotiation should not even be attempted
             or continued.
DERIVED FROM SAStaticAction
ABSTRACT     FALSE
The class PreconfiguredSAAction is used to create a security association using preconfigured, hard-wired algorithms and keys.

Notes:

- the SPI for a PreconfiguredSAAction is contained in the association, TransformOfPreconfiguredAction;

- the session key (if applicable) is contained in an instance of the class SharedSecret (see [CIMUSER]). The session key is stored in the property Secret; the property protocol contains either "ESP-encrypt", "ESP-auth" or "AH"; the property algorithm contains the algorithm used to protect the secret (it can be "PLAINTEXT" if the IPsec entity has no secret storage); and the value of the property RemoteID is the concatenation of the remote IPsec peer IP address in dotted decimal, the character "/", "IN" for an inbound SA or "OUT" for an outbound SA, the character "/", and the hexadecimal representation of the SPI.
Although the class carries concrete properties, it MUST NOT be instantiated directly; only its subclasses PreconfiguredTransportAction and PreconfiguredTunnelAction are instantiated, which is why the definition below is marked abstract. The class definition for PreconfiguredSAAction is as follows:
NAME         PreconfiguredSAAction
DESCRIPTION  Specifies preconfigured algorithm and keying information for
             creation of a security association.
DERIVED FROM SAStaticAction
ABSTRACT     TRUE
PROPERTIES   LifetimeKilobytes
The property LifetimeKilobytes specifies a traffic limit in kilobytes that can be consumed before the SA is deleted. The property is defined as follows:
NAME         LifetimeKilobytes
DESCRIPTION  Specifies the SA lifetime in kilobytes.
SYNTAX       unsigned 64-bit integer
VALUE        A value of zero indicates that there is not a lifetime associated
             with this action (i.e., infinite lifetime). A non-zero value is
             used to indicate that after this number of kilobytes has been
             consumed the SA must be deleted from the SADB.
Note: the actual kilobyte lifetime of the preconfigured SA will be the lesser of the value of this LifetimeKilobytes property and of the value of the MaxLifetimeKilobytes property of the associated SATransform (a kilobyte limit is compared with the transform's kilobyte limit, not with its MaxLifetimeSeconds). If the value of this LifetimeKilobytes property is zero, then there will be no kilobyte lifetime associated with this action.
Note: while some SA negotiation protocols [IKE] can negotiate the lifetime as an arbitrary length field, the authors have assumed that a 64-bit integer will be sufficient.
It is expected that most PreconfiguredSAAction instances will have their LifetimeKilobytes property set to zero (meaning no expiration of the resulting SA).
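The RemoteID format and the lifetime rules in the notes above are easy to get subtly wrong (direction token, SPI width, what zero means), so here is a builder and parser for them. This is an added example, not RFC 3585 text or code from any product: the SharedSecret dataclass carries only the four properties the note names, the 8-digit zero-padded SPI on output is this example's choice (the model says only "hexadecimal"), and a zero SATransform maximum is assumed to mean "no maximum".

```python
"""Builder/parser for the RemoteID of the SharedSecret that holds a
PreconfiguredSAAction session key, plus the "lesser of the two limits"
lifetime rule. Added example, not RFC 3585 text.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

PROTOCOLS = ("ESP-encrypt", "ESP-auth", "AH")

# <peer IPv4 in dotted decimal>/<IN|OUT>/<SPI in hex>; the 1..8 digit SPI
# width on input accepts un-padded values written by other tools.
_REMOTE_ID_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<dir>IN|OUT)/(?P<spi>[0-9A-Fa-f]{1,8})$"
)


def build_remote_id(peer_ip: str, inbound: bool, spi: int) -> str:
    """Compose the RemoteID string; 8-digit SPI padding is this example's choice."""
    if not 0 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI must fit in 32 bits")
    ip = ipaddress.IPv4Address(peer_ip)          # rejects anything not dotted decimal
    return f"{ip}/{'IN' if inbound else 'OUT'}/{spi:08x}"


def parse_remote_id(remote_id: str) -> Tuple[str, bool, int]:
    """Return (peer_ip, inbound, spi) or raise ValueError on a malformed key."""
    m = _REMOTE_ID_RE.match(remote_id)
    if m is None:
        raise ValueError(f"malformed RemoteID: {remote_id!r}")
    ip = ipaddress.IPv4Address(m.group("ip"))     # catches octets above 255
    return str(ip), m.group("dir") == "IN", int(m.group("spi"), 16)


@dataclass
class SharedSecret:
    """The subset of [CIMUSER] SharedSecret properties the notes above use."""
    secret: bytes
    protocol: str
    algorithm: str      # how the secret itself is protected; "PLAINTEXT" if not at all
    remote_id: str

    def __post_init__(self) -> None:
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"protocol must be one of {PROTOCOLS}")
        parse_remote_id(self.remote_id)          # fail early on a malformed key


def preconfigured_sa_secret(peer_ip: str, inbound: bool, spi: int,
                            protocol: str, key: bytes,
                            algorithm: str = "PLAINTEXT") -> SharedSecret:
    """Assemble the SharedSecret record for one direction of a preconfigured SA."""
    return SharedSecret(key, protocol, algorithm,
                        build_remote_id(peer_ip, inbound, spi))


def effective_lifetime(action_limit: int, transform_limit: int) -> Optional[int]:
    """Lesser of the action's limit and the SATransform's limit, same unit.

    Zero on the action means "no lifetime" and wins outright, as the notes
    state. A zero transform limit is assumed here to mean "no maximum".
    """
    if action_limit == 0:
        return None
    if transform_limit == 0:
        return action_limit
    return min(action_limit, transform_limit)
```

Validating the RemoteID in __post_init__ matters because the string is the key by which the SADB entry's secret is looked up: a record with a malformed RemoteID is a key that can never be found, which is easy to misread at runtime as "no preconfigured SA for this peer".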
The class PreconfiguredTransportAction is used to create an IPsec transport-mode security association using preconfigured, hard-wired algorithms and keys. The class definition for PreconfiguredTransportAction is as follows:
NAME         PreconfiguredTransportAction
DESCRIPTION  Specifies preconfigured algorithm and keying information for
             creation of an IPsec transport security association.
DERIVED FROM PreconfiguredSAAction
ABSTRACT     FALSE
The class PreconfiguredTunnelAction is used to create an IPsec tunnel-mode security association using preconfigured, hard-wired algorithms and keys. The class definition for PreconfiguredTunnelAction is as follows:
NAME         PreconfiguredTunnelAction
DESCRIPTION  Specifies preconfigured algorithm and keying information for
             creation of an IPsec tunnel-mode security association.
DERIVED FROM PreconfiguredSAAction
ABSTRACT     FALSE
PROPERTIES   DFHandling
The property DFHandling specifies how the Don't Fragment (DF) bit of the internal IP header is to be handled during IPsec processing. The property is defined as follows:
NAME         DFHandling
DESCRIPTION  Specifies the processing of the DF bit.
SYNTAX       unsigned 16-bit integer
VALUE        1 - Copy the DF bit from the internal IP header to the external
                 IP header.
             2 - Set the DF bit of the external IP header to 1.
             3 - Clear the DF bit of the external IP header to 0.
The class SANegotiationAction specifies an action requesting security policy negotiation.
This is an abstract class. Currently, only one security policy negotiation protocol action is subclassed from SANegotiationAction: the IKENegotiationAction class. It is nevertheless expected that other security policy negotiation protocols will exist and the negotiation actions of those new protocols would be modeled as a subclass of SANegotiationAction.
NAME         SANegotiationAction
DESCRIPTION  Specifies a negotiation action.
DERIVED FROM SAAction
ABSTRACT     TRUE
The class IKENegotiationAction is abstract and serves as the base class for IKE and IPsec actions that result in an IKE negotiation. The class definition for IKENegotiationAction is as follows:
NAME         IKENegotiationAction
DESCRIPTION  A base class for IKE and IPsec actions that specifies the
             parameters that are common for IKE phase 1 and IKE phase 2
             IPsec DOI negotiations.
DERIVED FROM SANegotiationAction
ABSTRACT     TRUE
PROPERTIES   MinLifetimeSeconds
             MinLifetimeKilobytes
             IdleDurationSeconds
The property MinLifetimeSeconds specifies the minimum seconds in a lifetime that will be accepted from the peer. MinLifetimeSeconds is used to prevent certain denial of service attacks where the peer requests an arbitrarily low lifetime value, causing renegotiations with expensive Diffie-Hellman operations. The property is defined as follows:
NAME         MinLifetimeSeconds
DESCRIPTION  Specifies the minimum seconds acceptable in a lifetime.
SYNTAX       unsigned 64-bit integer
VALUE        A value of zero indicates that there is no minimum value. A
             non-zero value specifies the minimum seconds lifetime.
Note: while IKE can negotiate the lifetime as an arbitrary length field, the authors have assumed that a 64-bit integer will be sufficient.
The property MinLifetimeKilobytes specifies the minimum kilobytes of a lifetime that will be accepted from the peer. MinLifetimeKilobytes is used to prevent certain denial of service attacks, where the peer requests an arbitrarily low lifetime value, causing renegotiations with correspondingly expensive Diffie-Hellman operations. Note that there has been considerable debate regarding the usefulness of applying kilobyte lifetimes to IKE phase 1 security associations, so it is likely that this property will only apply to the sub-class IPsecAction. The property is defined as follows:
NAME         MinLifetimeKilobytes
DESCRIPTION  Specifies the minimum kilobytes acceptable in a lifetime.
SYNTAX       unsigned 64-bit integer
VALUE        A value of zero indicates that there is no minimum value. A
             non-zero value specifies the minimum kilobytes lifetime.
Note: While IKE can negotiate the lifetime as an arbitrary length field, the authors have assumed that a 64-bit integer will be sufficient.
The property IdleDurationSeconds specifies how many seconds a security association may remain idle (i.e., no traffic protected using the security association) before it is deleted. The property is defined as follows:
NAME         IdleDurationSeconds
DESCRIPTION  Specifies how long, in seconds, a security association may
             remain unused before it is deleted.
SYNTAX       unsigned 64-bit integer
VALUE        A value of zero indicates that idle detection should not be used
             for the security association (only the seconds and kilobyte
             lifetimes will be used). Any non-zero value indicates the number
             of seconds the security association may remain unused.
The class IPsecAction serves as the base class for IPsec transport and tunnel actions. It specifies the parameters used for an IKE phase 2 IPsec DOI negotiation. The class definition for IPsecAction is as follows:
NAME         IPsecAction
DESCRIPTION  A base class for IPsec transport and tunnel actions that
             specifies the parameters for IKE phase 2 IPsec DOI negotiations.
DERIVED FROM IKENegotiationAction
ABSTRACT     TRUE
PROPERTIES   UsePFS
             UseIKEGroup
             GroupId
             Granularity
             VendorID
The property UsePFS specifies whether or not perfect forward secrecy should be used when refreshing keys. The property is defined as follows:
NAME         UsePFS
DESCRIPTION  Specifies whether or not to use PFS when refreshing keys.
SYNTAX       boolean
VALUE        A value of true indicates that PFS should be used. A value of
             false indicates that PFS should not be used.
The property UseIKEGroup specifies whether or not phase 2 should use the same key exchange group as was used in phase 1. UseIKEGroup is ignored if UsePFS is false. The property is defined as follows:
NAME         UseIKEGroup
DESCRIPTION  Specifies whether or not to use the same GroupId for phase 2 as
             was used in phase 1. If UsePFS is false, then UseIKEGroup is
             ignored.
SYNTAX       boolean
VALUE        A value of true indicates that the phase 2 GroupId should be the
             same as phase 1. A value of false indicates that the property
             GroupId will contain the key exchange group to use for phase 2.
The property GroupId specifies the key exchange group to use for phase 2. GroupId is ignored if (1) the property UsePFS is false, or (2) the property UsePFS is true and the property UseIKEGroup is true. If the GroupId number is from the vendor-specific range (32768-65535), the property VendorID qualifies the group number. The property is defined as follows:
NAME         GroupId
DESCRIPTION  Specifies the key exchange group to use for phase 2 when the
             property UsePFS is true and the property UseIKEGroup is false.
SYNTAX       unsigned 16-bit integer
VALUE        Consult [IKE] for valid values.
The property Granularity specifies how the selector for the security association should be derived from the traffic that triggered the negotiation. The property is defined as follows:
NAME Granularity DESCRIPTION Specifies how the proposed selector for the security association will be created. SYNTAX unsigned 16-bit integer VALUE 1 - subnet: the source and destination subnet masks of the filter entry are used. 2 - address: only the source and destination IP addresses of the triggering packet are used. 3 - protocol: the source and destination IP addresses and the IP protocol of the triggering packet are used. 4 - port: the source and destination IP addresses and the IP protocol and the source and destination layer 4 ports of the triggering packet are used.
名称粒度描述指定如何为安全关联创建建议的选择器。语法无符号16位整数值1-子网:使用筛选器项的源子网掩码和目标子网掩码。2-地址:仅使用触发数据包的源和目标IP地址。3-协议:使用源和目标IP地址以及触发数据包的IP协议。4端口:使用触发包的源和目标IP地址、IP协议以及源和目标层4端口。
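As an added example (not part of RFC 3585), the following Python resolves what an IPsecAction's phase 2 settings mean for one triggering packet: the UsePFS / UseIKEGroup / GroupId / VendorID precedence described above, and the selector derived for each Granularity value. The dataclass layouts, the packet and filter-entry representations and the function names are assumptions of this example.

```python
"""Resolving IPsecAction phase 2 parameters (added example, not RFC 3585 code).

Property names follow the information model; the record layouts and the
function names below are assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Optional, Tuple

VENDOR_GROUP_MIN, VENDOR_GROUP_MAX = 32768, 65535   # vendor-specific GroupId range

# Granularity values as defined for the IPsecAction class
GRANULARITY_SUBNET = 1
GRANULARITY_ADDRESS = 2
GRANULARITY_PROTOCOL = 3
GRANULARITY_PORT = 4


@dataclass(frozen=True)
class IPsecActionParams:
    """The IPsecAction properties this example needs (assumed layout)."""
    use_pfs: bool
    use_ike_group: bool
    group_id: int
    vendor_id: str
    granularity: int


@dataclass(frozen=True)
class TriggerPacket:
    """Constructed representation of the packet that triggered negotiation."""
    src: str
    dst: str
    protocol: int
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class FilterEntry:
    """Constructed representation of the filter entry the packet matched."""
    src_net: str
    dst_net: str


def phase2_group(p: IPsecActionParams, phase1_group: int) -> Optional[Tuple[int, Optional[str]]]:
    """Return (group id, vendor id) for the phase 2 exchange, or None when no PFS.

    Mirrors the precedence in the model: UsePFS false ignores everything;
    UseIKEGroup true reuses the phase 1 group; otherwise GroupId applies and
    VendorID only matters inside the vendor-specific range.
    """
    if not p.use_pfs:
        return None                              # GroupId, UseIKEGroup, VendorID ignored
    if p.use_ike_group:
        return (phase1_group, None)              # same group as phase 1
    if VENDOR_GROUP_MIN <= p.group_id <= VENDOR_GROUP_MAX:
        if not p.vendor_id:
            raise ValueError("a vendor-specific GroupId needs a VendorID to qualify it")
        return (p.group_id, p.vendor_id)
    return (p.group_id, None)                    # standard group: VendorID ignored


def derive_selector(p: IPsecActionParams, pkt: TriggerPacket, entry: FilterEntry) -> Dict[str, object]:
    """Build the proposed SA selector according to the Granularity value."""
    if p.granularity == GRANULARITY_SUBNET:
        # Granularity 1: the filter entry's subnets, not the packet addresses
        return {"src": str(ip_network(entry.src_net)), "dst": str(ip_network(entry.dst_net))}
    # Granularity 2..4 all start from the triggering packet's host addresses;
    # ip_network() turns a bare host address into a /32 (or /128 for IPv6)
    sel: Dict[str, object] = {"src": str(ip_network(pkt.src)), "dst": str(ip_network(pkt.dst))}
    if p.granularity == GRANULARITY_ADDRESS:
        return sel
    sel["protocol"] = pkt.protocol
    if p.granularity == GRANULARITY_PROTOCOL:
        return sel
    if p.granularity == GRANULARITY_PORT:
        if pkt.sport is None or pkt.dport is None:
            raise ValueError("port granularity needs layer 4 ports in the triggering packet")
        sel["sport"], sel["dport"] = pkt.sport, pkt.dport
        return sel
    raise ValueError(f"unknown Granularity value {p.granularity}")
```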
The property VendorID is used together with the property GroupId (when it is in the vendor-specific range) to identify the key exchange group. VendorID is ignored unless UsePFS is true and UseIKEGroup is false and GroupId is in the vendor-specific range (32768-65535). The property is defined as follows:

NAME         VendorID
DESCRIPTION  Specifies the IKE Vendor ID.
SYNTAX       string

The class IPsecTransportAction is a subclass of IPsecAction that is used to specify use of an IPsec transport-mode security association. The class definition for IPsecTransportAction is as follows:

NAME         IPsecTransportAction
DESCRIPTION  Specifies that an IPsec transport-mode security association should be negotiated.
DERIVED FROM IPsecAction
ABSTRACT     FALSE

The class IPsecTunnelAction is a subclass of IPsecAction that is used to specify use of an IPsec tunnel-mode security association. The class definition for IPsecTunnelAction is as follows:

NAME         IPsecTunnelAction
DESCRIPTION  Specifies that an IPsec tunnel-mode security association should be negotiated.
DERIVED FROM IPsecAction
ABSTRACT     FALSE
PROPERTIES   DFHandling

The property DFHandling specifies how the tunnel should manage the Don't Fragment (DF) bit. The property is defined as follows:

NAME         DFHandling
DESCRIPTION  Specifies how to process the DF bit.
SYNTAX       unsigned 16-bit integer
VALUE        1 - Copy the DF bit from the internal IP header to the external IP header.
             2 - Set the DF bit of the external IP header to 1.
             3 - Clear the DF bit of the external IP header to 0.
The class IKEAction specifies the parameters that are to be used for IKE phase 1 negotiation. The class definition for IKEAction is as follows:

NAME         IKEAction
DESCRIPTION  Specifies the IKE phase 1 negotiation parameters.
DERIVED FROM IKENegotiationAction
ABSTRACT     FALSE
PROPERTIES   ExchangeMode
             UseIKEIdentityType
             VendorID
             AggressiveModeGroupId

The property ExchangeMode specifies which IKE mode should be used for IKE phase 1 negotiations. The property is defined as follows:

NAME         ExchangeMode
DESCRIPTION  Specifies the IKE negotiation mode for phase 1.
SYNTAX       unsigned 16-bit integer
VALUE        1 - base mode
             2 - main mode
             4 - aggressive mode

The property UseIKEIdentityType specifies what IKE identity type should be used when negotiating with the peer. This information is used in conjunction with the IKE identities available on the system and the IdentityContexts of the matching IKERule. The property is defined as follows:

NAME         UseIKEIdentityType
DESCRIPTION  Specifies the IKE identity to use during negotiation.
SYNTAX       unsigned 16-bit integer
VALUE        Consult [DOI] for valid values.

The property VendorID specifies the value to be used in the Vendor ID payload. The property is defined as follows:

NAME         VendorID
DESCRIPTION  Vendor ID Payload.
SYNTAX       string
VALUE        A value of NULL means that Vendor ID payload will be neither generated nor accepted. A non-NULL value means that a Vendor ID payload will be generated (when acting as an initiator) or is expected (when acting as a responder).

The property AggressiveModeGroupId specifies which group ID is to be used in the first packets of the phase 1 negotiation. This property is ignored unless the property ExchangeMode is set to 4 (aggressive mode). If the AggressiveModeGroupId number is from the vendor-specific range (32768-65535), the property VendorID qualifies the group number. The property is defined as follows:

NAME         AggressiveModeGroupId
DESCRIPTION  Specifies the group ID to be used for aggressive mode.
SYNTAX       unsigned 16-bit integer
The class PeerGateway specifies the security gateway with which the IKE service negotiates. The class definition for PeerGateway is as follows:

NAME         PeerGateway
DESCRIPTION  Specifies the security gateway with which to negotiate.
DERIVED FROM LogicalElement (see [CIMCORE])
ABSTRACT     FALSE
PROPERTIES   Name
             PeerIdentityType
             PeerIdentity

Note: The class PeerIdentityEntry contains more information about the peer (namely its IP address).

The property Name specifies a user-friendly name for this security gateway. The property is defined as follows:

NAME         Name
DESCRIPTION  Specifies a user-friendly name for this security gateway.
SYNTAX       string

The property PeerIdentityType specifies the IKE identity type of the security gateway. The property is defined as follows:

NAME         PeerIdentityType
DESCRIPTION  Specifies the IKE identity type of the security gateway.
SYNTAX       unsigned 16-bit integer
VALUE        Consult [DOI] for valid values.

The property PeerIdentity specifies the IKE identity value of the security gateway. Based upon the storage chosen for the task-specific mapping of the information model, a conversion may be needed from the stored representation of the PeerIdentity string to the real value used in the ID payload (e.g., an IP address is to be converted from a dotted decimal string into 4 bytes). The property is defined as follows:

NAME         PeerIdentity
DESCRIPTION  Specifies the IKE identity value of the security gateway.
SYNTAX       string
The class PeerGatewayForTunnel associates IPsecTunnelActions with an ordered list of PeerGateways. The class definition for PeerGatewayForTunnel is as follows:

NAME         PeerGatewayForTunnel
DESCRIPTION  Associates IPsecTunnelActions with an ordered list of PeerGateways.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT     FALSE
PROPERTIES   Antecedent [ref PeerGateway[0..n]]
             Dependent [ref IPsecTunnelAction[0..n]]
             SequenceNumber

The property Antecedent is inherited from Dependency and is overridden to refer to a PeerGateway instance. The [0..n] cardinality indicates that an IPsecTunnelAction instance may be associated with zero or more PeerGateway instances.

Note: The cardinality 0 has a specific meaning:

- when the IKE service acts as a responder, this means that the IKE service will accept phase 1 negotiation with any other security gateway;

- when the IKE service acts as an initiator, this means that the IKE service will use the destination IP address (of the IP packets which triggered the SARule) as the IP address of the peer IKE entity.

The property Dependent is inherited from Dependency and is overridden to refer to an IPsecTunnelAction instance. The [0..n] cardinality indicates that a PeerGateway instance may be associated with zero or more IPsecTunnelAction instances.

The property SequenceNumber specifies the ordering to be used when evaluating PeerGateway instances for a given IPsecTunnelAction. The property is defined as follows:

NAME         SequenceNumber
DESCRIPTION  Specifies the order of evaluation for PeerGateways.
SYNTAX       unsigned 16-bit integer
VALUE        Lower values are evaluated first.
The class ContainedProposal associates an ordered list of SAProposals with the IKENegotiationAction that aggregates it. If the referenced IKENegotiationAction object is an IKEAction, then the referenced SAProposal object(s) must be IKEProposal(s). If the referenced IKENegotiationAction object is an IPsecTransportAction or an IPsecTunnelAction, then the referenced SAProposal object(s) must be IPsecProposal(s). The class definition for ContainedProposal is as follows:

NAME         ContainedProposal
DESCRIPTION  Associates an ordered list of SAProposals with an IKENegotiationAction.
DERIVED FROM PolicyComponent (see [PCIM])
ABSTRACT     FALSE
PROPERTIES   GroupComponent [ref IKENegotiationAction[0..n]]
             PartComponent [ref SAProposal[1..n]]
             SequenceNumber

The property GroupComponent is inherited from PolicyComponent and is overridden to refer to an IKENegotiationAction instance. The [0..n] cardinality indicates that an SAProposal instance may be associated with zero or more IKENegotiationAction instances.

The property PartComponent is inherited from PolicyComponent and is overridden to refer to an SAProposal instance. The [1..n] cardinality indicates that an IKENegotiationAction instance MUST be associated with at least one SAProposal instance.

The property SequenceNumber specifies the order of preference for the SAProposals. The property is defined as follows:

NAME         SequenceNumber
DESCRIPTION  Specifies the preference order for the SAProposals.
SYNTAX       unsigned 16-bit integer
VALUE        Lower-valued proposals are preferred over proposals with higher values. For ContainedProposals that reference the same IKENegotiationAction, SequenceNumber values must be unique.
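Added example (not from the RFC): ordering and validating the ContainedProposal associations of one IKENegotiationAction, enforcing the proposal-type rule, the [1..n] cardinality and the SequenceNumber uniqueness stated above. The record layouts, the constructed proposal names and the function name are assumptions of this example.

```python
"""Validating and ordering ContainedProposal associations (added example,
not RFC 3585 code). Class names follow the information model; the record
layouts and the function name are assumptions for this example."""
from dataclasses import dataclass
from typing import List, Set

# Which concrete SAProposal class each concrete IKENegotiationAction may contain
REQUIRED_PROPOSAL_CLASS = {
    "IKEAction": "IKEProposal",
    "IPsecTransportAction": "IPsecProposal",
    "IPsecTunnelAction": "IPsecProposal",
}


@dataclass(frozen=True)
class SAProposal:
    name: str          # the Name property
    class_name: str    # "IKEProposal" or "IPsecProposal"


@dataclass(frozen=True)
class ContainedProposal:
    group_component: str       # name of the aggregating IKENegotiationAction
    action_class: str          # concrete class of that action
    part_component: SAProposal
    sequence_number: int       # unsigned 16-bit; lower values are preferred


def ordered_proposals(action_name: str, associations: List[ContainedProposal]) -> List[str]:
    """Return the proposal names for one action in preference order.

    Raises on every constraint the model states: no proposal at all ([1..n]),
    a proposal of the wrong class for the action, a SequenceNumber outside
    16 bits, or two associations of the same action sharing a SequenceNumber.
    """
    mine = [a for a in associations if a.group_component == action_name]
    if not mine:
        raise ValueError(f"{action_name}: an IKENegotiationAction needs at least one SAProposal")
    seen: Set[int] = set()
    for a in mine:
        required = REQUIRED_PROPOSAL_CLASS.get(a.action_class)
        if required is None:
            raise ValueError(f"{action_name}: unknown IKENegotiationAction class {a.action_class}")
        if a.part_component.class_name != required:
            raise TypeError(f"{action_name}: a {a.action_class} may only contain {required} "
                            f"instances, not {a.part_component.class_name} ({a.part_component.name})")
        if not 0 <= a.sequence_number <= 0xFFFF:
            raise ValueError(f"{action_name}: SequenceNumber {a.sequence_number} is not a 16-bit value")
        if a.sequence_number in seen:
            raise ValueError(f"{action_name}: SequenceNumber {a.sequence_number} is used twice")
        seen.add(a.sequence_number)
    # Lower SequenceNumber first; uniqueness above makes the order total
    return [a.part_component.name for a in sorted(mine, key=lambda a: a.sequence_number)]
```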
The class HostedPeerGatewayInformation weakly associates a PeerGateway with a System. The class definition for HostedPeerGatewayInformation is as follows:

NAME         HostedPeerGatewayInformation
DESCRIPTION  Weakly associates a PeerGateway with a System.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT     FALSE
PROPERTIES   Antecedent [ref System[1..1]]
             Dependent [ref PeerGateway[0..n] [weak]]

The property Antecedent is inherited from Dependency and is overridden to refer to a System instance. The [1..1] cardinality indicates that a PeerGateway instance MUST be associated with one and only one System instance.

The property Dependent is inherited from Dependency and is overridden to refer to a PeerGateway instance. The [0..n] cardinality indicates that a System instance may be associated with zero or more PeerGateway instances.
The class TransformOfPreconfiguredAction associates a PreconfiguredSAAction with two, four or six SATransforms that will be applied to the inbound and outbound traffic. The order of application of the SATransforms is implicitly defined in [IPSEC]. The class definition for TransformOfPreconfiguredAction is as follows:

NAME         TransformOfPreconfiguredAction
DESCRIPTION  Associates a PreconfiguredSAAction with from one to three SATransforms.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT     FALSE
PROPERTIES   Antecedent [ref SATransform[2..6]]
             Dependent [ref PreconfiguredSAAction[0..n]]
             SPI
             Direction

The property Antecedent is inherited from Dependency and is overridden to refer to an SATransform instance. The [2..6] cardinality indicates that a PreconfiguredSAAction instance may be associated with two to six SATransform instances.

The property Dependent is inherited from Dependency and is overridden to refer to a PreconfiguredSAAction instance. The [0..n] cardinality indicates that a SATransform instance may be associated with zero or more PreconfiguredSAAction instances.

The property SPI specifies the SPI to be used by the pre-configured action for the associated transform. The property is defined as follows:

NAME         SPI
DESCRIPTION  Specifies the SPI to be used with the SATransform.
SYNTAX       unsigned 32-bit integer

The property Direction specifies whether the SPI property is for inbound or outbound traffic. The property is defined as follows:

NAME         Direction
DESCRIPTION  Specifies whether the SA is for inbound or outbound traffic.
SYNTAX       unsigned 8-bit integer
VALUE        1 - this SA is for inbound traffic
             2 - this SA is for outbound traffic
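Added example (not from the RFC): grouping the TransformOfPreconfiguredAction associations of one PreconfiguredSAAction into inbound and outbound SAs, checking the [2..6] cardinality, the 32-bit SPI range, and that each transform carries exactly one SPI per Direction. The record layouts, the constructed transform names and the function name are assumptions; the order in which the transforms are applied is left to [IPSEC], as the text says, so the result is only grouped, not sequenced.

```python
"""Pairing pre-configured SA transforms by Direction (added example, not
RFC 3585 code). Property names follow the information model; the record
layout and the function name are assumptions for this example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DIRECTION_INBOUND, DIRECTION_OUTBOUND = 1, 2   # Direction property values
ALLOWED_ASSOCIATION_COUNTS = (2, 4, 6)         # [2..6]: one to three transforms, each in + out


@dataclass(frozen=True)
class TransformOfPreconfiguredAction:
    dependent: str     # name of the PreconfiguredSAAction instance
    antecedent: str    # name of the SATransform instance (constructed names below)
    spi: int           # SPI property, unsigned 32-bit
    direction: int     # Direction property


def preconfigured_sas(action_name: str,
                      associations: List[TransformOfPreconfiguredAction]
                      ) -> Dict[str, List[Tuple[str, int]]]:
    """Return {"inbound": [(transform, spi), ...], "outbound": [...]} for one action.

    Every transform must appear once per Direction, so the inbound and
    outbound lists always name the same transforms with their own SPIs.
    """
    mine = [a for a in associations if a.dependent == action_name]
    if len(mine) not in ALLOWED_ASSOCIATION_COUNTS:
        raise ValueError(f"{action_name}: {len(mine)} transform associations, expected 2, 4 or 6")
    per_direction: Dict[int, Dict[str, int]] = {DIRECTION_INBOUND: {}, DIRECTION_OUTBOUND: {}}
    for a in mine:
        if a.direction not in per_direction:
            raise ValueError(f"{action_name}: unknown Direction value {a.direction}")
        if not 0 <= a.spi <= 0xFFFFFFFF:
            raise ValueError(f"{action_name}: SPI {a.spi} does not fit an unsigned 32-bit integer")
        if a.antecedent in per_direction[a.direction]:
            raise ValueError(f"{action_name}: transform {a.antecedent} has two SPIs for one Direction")
        per_direction[a.direction][a.antecedent] = a.spi
    inbound, outbound = per_direction[DIRECTION_INBOUND], per_direction[DIRECTION_OUTBOUND]
    if inbound.keys() != outbound.keys():
        raise ValueError(f"{action_name}: every transform needs both an inbound and an outbound SPI")
    # Sorted by transform name for a deterministic result; application order is per [IPSEC]
    return {"inbound": sorted(inbound.items()), "outbound": sorted(outbound.items())}
```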
The class PeerGatewayForPreconfiguredTunnel associates zero or one PeerGateways with multiple PreconfiguredTunnelActions. The class definition for PeerGatewayForPreconfiguredTunnel is as follows:

NAME         PeerGatewayForPreconfiguredTunnel
DESCRIPTION  Associates a PeerGateway with multiple PreconfiguredTunnelActions.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT     FALSE
PROPERTIES   Antecedent [ref PeerGateway[0..1]]
             Dependent [ref PreconfiguredTunnelAction[0..n]]

The property Antecedent is inherited from Dependency and is overridden to refer to a PeerGateway instance. The [0..1] cardinality indicates that a PreconfiguredTunnelAction instance may be associated with at most one PeerGateway instance.

The property Dependent is inherited from Dependency and is overridden to refer to a PreconfiguredTunnelAction instance. The [0..n] cardinality indicates that a PeerGateway instance may be associated with zero or more PreconfiguredSAAction instances.
The proposal and transform classes model the proposal settings an IPsec device will use during IKE phase 1 and 2 negotiations.

   +--------------+*w      1+--------------+
   | [SAProposal] |---------|    System    |
   +--------------+   (a)   | ([CIMCORE])  |
          ^                 +--------------+
          |                          |1
       +--+--------------+           |
       |                 |           |
+-------------+  +---------------+   |
| IKEProposal |  | IPsecProposal |   |
+-------------+  +---------------+   |
                      *o |           |
                     (b) |           |(c)
                       n |           |
                 +---------------+*w |
                 | [SATransform] |---+
                 +---------------+
                         ^
                         |
       +-----------------+-----------------+
       |                 |                 |
+-------------+  +--------------+  +----------------+
| AHTransform |  | ESPTransform |  |IPCOMPTransform |
+-------------+  +--------------+  +----------------+

(a) SAProposalInSystem
(b) ContainedTransform
(c) SATransformInSystem
The abstract class SAProposal serves as the base class for the IKE and IPsec proposal classes. It specifies the parameters that are common to the two proposal types. The class definition for SAProposal is as follows:

NAME         SAProposal
DESCRIPTION  Specifies the common proposal parameters for IKE and IPsec security association negotiation.
DERIVED FROM Policy ([PCIM])
ABSTRACT     TRUE
PROPERTIES   Name

The property Name specifies a user-friendly name for the SAProposal. The property is defined as follows:

NAME         Name
DESCRIPTION  Specifies a user-friendly name for this proposal.
SYNTAX       string

The class IKEProposal specifies the proposal parameters necessary to drive an IKE security association negotiation. The class definition for IKEProposal is as follows:

NAME         IKEProposal
DESCRIPTION  Specifies the proposal parameters for IKE security association negotiation.
DERIVED FROM SAProposal
ABSTRACT     FALSE
PROPERTIES   CipherAlgorithm
             HashAlgorithm
             PRFAlgorithm
             GroupId
             AuthenticationMethod
             MaxLifetimeSeconds
             MaxLifetimeKilobytes
             VendorID
The property CipherAlgorithm specifies the proposed phase 1 security association encryption algorithm. The property is defined as follows:

NAME         CipherAlgorithm
DESCRIPTION  Specifies the proposed encryption algorithm for the phase 1 security association.
SYNTAX       unsigned 16-bit integer
VALUE        Consult [IKE] for valid values.

The property HashAlgorithm specifies the proposed phase 1 security association hash algorithm. The property is defined as follows:

NAME         HashAlgorithm
DESCRIPTION  Specifies the proposed hash algorithm for the phase 1 security association.
SYNTAX       unsigned 16-bit integer
VALUE        Consult [IKE] for valid values.

The property PRFAlgorithm specifies the proposed phase 1 security association pseudo-random function. The property is defined as follows:

NAME         PRFAlgorithm
DESCRIPTION  Specifies the proposed pseudo-random function for the phase 1 security association.
SYNTAX       unsigned 16-bit integer
VALUE        Currently none defined in [IKE]; if [IKE, DOI] are extended, then the values of [IKE, DOI] are to be used for values of PRFAlgorithm.

The property GroupId specifies the proposed phase 1 security association key exchange group. This property is ignored for all aggressive mode exchanges. If the GroupId number is from the vendor-specific range (32768-65535), the property VendorID qualifies the group number. The property is defined as follows:

NAME         GroupId
DESCRIPTION  Specifies the proposed key exchange group for the phase 1 security association.
SYNTAX       unsigned 16-bit integer
VALUE        Consult [IKE] for valid values.

Note: The value of this property is to be ignored in aggressive mode.

The property AuthenticationMethod specifies the proposed phase 1 authentication method. The property is defined as follows:

NAME         AuthenticationMethod
DESCRIPTION  Specifies the proposed authentication method for the phase 1 security association.
SYNTAX       unsigned 16-bit integer
VALUE        0 - a special value that indicates that this particular proposal should be repeated once for each authentication method that corresponds to the credentials installed on the machine. For example, if the system has a pre-shared key and a certificate, a proposal list could be constructed that includes a proposal that specifies a pre-shared key and proposals for any of the public-key authentication methods.
             Consult [IKE] for valid values.
The property MaxLifetimeSeconds specifies the proposed maximum time, in seconds, that a security association will remain valid after its creation. The property is defined as follows:

NAME         MaxLifetimeSeconds
DESCRIPTION  Specifies the proposed maximum time that a security association will remain valid.
SYNTAX       unsigned 64-bit integer
VALUE        A value of zero indicates that the default of 8 hours be used. A non-zero value indicates the maximum seconds lifetime.

Note: While IKE can negotiate the lifetime as an arbitrary length field, the authors have assumed that a 64-bit integer will be sufficient.

The property MaxLifetimeKilobytes specifies the proposed maximum kilobyte lifetime that a security association will remain valid after its creation. The property is defined as follows:

NAME         MaxLifetimeKilobytes
DESCRIPTION  Specifies the proposed maximum kilobyte lifetime that a security association will remain valid.
SYNTAX       unsigned 64-bit integer
VALUE        A value of zero indicates that there should be no maximum kilobyte lifetime. A non-zero value specifies the desired kilobyte lifetime.

Note: While IKE can negotiate the lifetime as an arbitrary length field, the authors have assumed that a 64-bit integer will be sufficient.

The property VendorID further qualifies the key exchange group. The property is ignored in aggressive mode, and it is also ignored unless the property GroupId is in the vendor-specific range. The property is defined as follows:

NAME         VendorID
DESCRIPTION  Specifies the Vendor ID to further qualify the key exchange group.
SYNTAX       string
The class IPsecProposal adds no new properties, but inherits proposal properties from SAProposal, as well as aggregating the security association transforms necessary for building an IPsec proposal (see the aggregation class ContainedTransform). The class definition for IPsecProposal is as follows:

NAME         IPsecProposal
DESCRIPTION  Specifies the proposal parameters for IPsec security association negotiation.
DERIVED FROM SAProposal
ABSTRACT     FALSE

The abstract class SATransform serves as the base class for the IPsec transforms that can be used to compose an IPsec proposal or to be used as a pre-configured action. The class definition for SATransform is as follows:

NAME         SATransform
DESCRIPTION  Base class for the different IPsec transforms.
ABSTRACT     TRUE
PROPERTIES   CommonName (from Policy)
             VendorID
             MaxLifetimeSeconds
             MaxLifetimeKilobytes

The property CommonName is inherited from Policy [PCIM] and specifies a user-friendly name for the SATransform. The property is defined as follows:

NAME         CommonName
DESCRIPTION  Specifies a user-friendly name for this Policy-related object.
SYNTAX       string

The property VendorID specifies the vendor ID for vendor-defined transforms. The property is defined as follows:

NAME         VendorID
DESCRIPTION  Specifies the vendor ID for vendor-defined transforms.
SYNTAX       string
VALUE        An empty VendorID string indicates that the transform is a standard one.

The property MaxLifetimeSeconds specifies the proposed maximum time, in seconds, that a security association will remain valid after its creation. The property is defined as follows:

NAME         MaxLifetimeSeconds
DESCRIPTION  Specifies the proposed maximum time that a security association will remain valid.
SYNTAX       unsigned 64-bit integer
VALUE        A value of zero indicates that the default of 8 hours be used. A non-zero value indicates the maximum seconds lifetime.

Note: While IKE can negotiate the lifetime as an arbitrary length field, the authors have assumed that a 64-bit integer will be sufficient.

The property MaxLifetimeKilobytes specifies the proposed maximum kilobyte lifetime that a security association will remain valid after its creation. The property is defined as follows:

NAME         MaxLifetimeKilobytes
DESCRIPTION  Specifies the proposed maximum kilobyte lifetime that a security association will remain valid.
SYNTAX       unsigned 64-bit integer
VALUE        A value of zero indicates that there should be no maximum kilobyte lifetime. A non-zero value specifies the desired kilobyte lifetime.

Note: While IKE can negotiate the lifetime as an arbitrary length field, the authors have assumed that a 64-bit integer will be sufficient.
The class AHTransform specifies the AH algorithm to propose during IPsec security association negotiation. The class definition for AHTransform is as follows:

NAME         AHTransform
DESCRIPTION  Specifies the proposed AH algorithm.
ABSTRACT     FALSE
PROPERTIES   AHTransformId
             UseReplayPrevention
             ReplayPreventionWindowSize

The property AHTransformId specifies the transform ID of the AH algorithm. The property is defined as follows:

NAME         AHTransformId
DESCRIPTION  Specifies the transform ID of the AH algorithm.
SYNTAX       unsigned 16-bit integer
VALUE        Consult [DOI] for valid values.

The property UseReplayPrevention specifies whether replay prevention detection is to be used. The property is defined as follows:

NAME         UseReplayPrevention
DESCRIPTION  Specifies whether to enable replay prevention detection.
SYNTAX       boolean
VALUE        true - replay prevention detection is enabled.
             false - replay prevention detection is disabled.

The property ReplayPreventionWindowSize specifies, in bits, the length of the sliding window used by the replay prevention detection mechanism. The value of this property is meaningless if UseReplayPrevention is false. It is assumed that the window size will be a power of 2. The property is defined as follows:

NAME         ReplayPreventionWindowSize
DESCRIPTION  Specifies the length of the window used by the replay prevention detection mechanism.
SYNTAX       unsigned 32-bit integer
The class ESPTransform specifies the ESP algorithms to propose during IPsec security association negotiation. The class definition for ESPTransform is as follows:

NAME         ESPTransform
DESCRIPTION  Specifies the proposed ESP algorithms.
ABSTRACT     FALSE
PROPERTIES   IntegrityTransformId
             CipherTransformId
             CipherKeyLength
             CipherKeyRounds
             UseReplayPrevention
             ReplayPreventionWindowSize

The property IntegrityTransformId specifies the transform ID of the ESP integrity algorithm. The property is defined as follows:

NAME         IntegrityTransformId
DESCRIPTION  Specifies the transform ID of the ESP integrity algorithm.
SYNTAX       unsigned 16-bit integer
VALUE        Consult [DOI] for valid values.

The property CipherTransformId specifies the transform ID of the ESP encryption algorithm. The property is defined as follows:

NAME         CipherTransformId
DESCRIPTION  Specifies the transform ID of the ESP encryption algorithm.
SYNTAX       unsigned 16-bit integer
VALUE        Consult [DOI] for valid values.

The property CipherKeyLength specifies, in bits, the key length for the ESP encryption algorithm. For encryption algorithms that use fixed-length keys, this value is ignored. The property is defined as follows:

NAME         CipherKeyLength
DESCRIPTION  Specifies the ESP encryption key length in bits.
SYNTAX       unsigned 16-bit integer

The property CipherKeyRounds specifies the number of key rounds for the ESP encryption algorithm. For encryption algorithms that use a fixed number of key rounds, this value is ignored. The property is defined as follows:

NAME         CipherKeyRounds
DESCRIPTION  Specifies the number of key rounds for the ESP encryption algorithm.
SYNTAX       unsigned 16-bit integer
VALUE        Currently, key rounds are not defined for any ESP encryption algorithms.

The property UseReplayPrevention specifies whether replay prevention detection is to be used. The property is defined as follows:

NAME         UseReplayPrevention
DESCRIPTION  Specifies whether to enable replay prevention detection.
SYNTAX       boolean
VALUE        true - replay prevention detection is enabled.
             false - replay prevention detection is disabled.

The property ReplayPreventionWindowSize specifies, in bits, the length of the sliding window used by the replay prevention detection mechanism. The value of this property is meaningless if UseReplayPrevention is false. It is assumed that the window size will be a power of 2. The property is defined as follows:

NAME         ReplayPreventionWindowSize
DESCRIPTION  Specifies the length of the window used by the replay prevention detection mechanism.
SYNTAX       unsigned 32-bit integer
The class IPCOMPTransform specifies the IP compression (IPCOMP) algorithm to propose during IPsec security association negotiation. The class definition for IPCOMPTransform is as follows:

NAME            IPCOMPTransform
DESCRIPTION     Specifies the proposed IPCOMP algorithm.
ABSTRACT        FALSE
PROPERTIES      Algorithm
                DictionarySize
                PrivateAlgorithm

The property Algorithm specifies the transform ID of the IPCOMP compression algorithm. The property is defined as follows:

NAME            Algorithm
DESCRIPTION     Specifies the transform ID of the IPCOMP compression algorithm.
SYNTAX          unsigned 16-bit integer
VALUE           1 - OUI: a vendor specific algorithm is used and specified in the property PrivateAlgorithm.
                Consult [DOI] for other valid values.

The property DictionarySize specifies the log2 maximum size of the dictionary for the compression algorithm. For compression algorithms that have pre-defined dictionary sizes, this value is ignored. The property is defined as follows:

NAME            DictionarySize
DESCRIPTION     Specifies the log2 maximum size of the dictionary.
SYNTAX          unsigned 16-bit integer

The property PrivateAlgorithm specifies a private vendor-specific compression algorithm. This value is only used when the property Algorithm is 1 (OUI). The property is defined as follows:

NAME            PrivateAlgorithm
DESCRIPTION     Specifies a private vendor-specific compression algorithm.
SYNTAX          unsigned 32-bit integer
The class SAProposalInSystem weakly associates SAProposals with a System. The class definition for SAProposalInSystem is as follows:

NAME            SAProposalInSystem
DESCRIPTION     Weakly associates SAProposals with a System.
DERIVED FROM    PolicyInSystem (see [PCIM])
ABSTRACT        FALSE
PROPERTIES      Antecedent [ref System [1..1]]
                Dependent [ref SAProposal [0..n] [weak]]

The property Antecedent is inherited from PolicyInSystem and is overridden to refer to a System instance. The [1..1] cardinality indicates that an SAProposal instance MUST be associated with one and only one System instance.

The property Dependent is inherited from PolicyInSystem and is overridden to refer to an SAProposal instance. The [0..n] cardinality indicates that a System instance may be associated with zero or more SAProposal instances.
The class ContainedTransform associates an IPsecProposal with the set of SATransforms that make up the proposal. If multiple transforms of the same type are in a proposal, then they are to be logically ORed and the order of preference is dictated by the SequenceNumber property. Sets of transforms of different types are logically ANDed.

For example, if the ordered proposal list were

    ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
    AH  = { MD5, SHA-1 }

then the one sending the proposal would want the other side to pick one from the ESP transform list (preferably (HMAC-MD5, 3DES)) AND one from the AH transform list (preferably MD5).

The class definition for ContainedTransform is as follows:

NAME            ContainedTransform
DESCRIPTION     Associates an IPsecProposal with the set of SATransforms that make up the proposal.
DERIVED FROM    PolicyComponent (see [PCIM])
ABSTRACT        FALSE
PROPERTIES      GroupComponent [ref IPsecProposal [0..n]]
                PartComponent [ref SATransform [1..n]]
                SequenceNumber

The property GroupComponent is inherited from PolicyComponent and is overridden to refer to an IPsecProposal instance. The [0..n] cardinality indicates that an SATransform instance may be associated with zero or more IPsecProposal instances.

The property PartComponent is inherited from PolicyComponent and is overridden to refer to an SATransform instance. The [1..n] cardinality indicates that an IPsecProposal instance MUST be associated with at least one SATransform instance.

The property SequenceNumber specifies the order of preference for the SATransforms of the same type. The property is defined as follows:

NAME            SequenceNumber
DESCRIPTION     Specifies the preference order for the SATransforms of the same type.
SYNTAX          unsigned 16-bit integer
VALUE           Lower-valued transforms are preferred over transforms of the same type with higher values. For ContainedTransforms that reference the same IPsecProposal, SequenceNumber values must be unique.
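As an added illustration that is not part of this RFC, the following Python models the ContainedTransform links of the ESP/AH proposal above and derives what the proposer prefers, which combinations it would accept (OR within a type, AND across types), and what a responder supporting a given algorithm set would select. The proposal name, the transform summary strings and the cardinality/uniqueness checks are constructed for this example.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class SATransform:
    kind: str   # the concrete subclass: "AH", "ESP" or "IPCOMP"
    name: str   # constructed summary of the transform's algorithm properties


@dataclass(frozen=True)
class ContainedTransform:
    proposal: str            # GroupComponent: constructed id of the IPsecProposal
    transform: SATransform   # PartComponent
    sequence_number: int     # preference among transforms of the same type; lower wins


def validate_links(links: List[ContainedTransform], proposal: str) -> List[str]:
    """Return the model constraints violated by one proposal's links (empty when valid)."""
    mine = [link for link in links if link.proposal == proposal]
    errors = []
    if not mine:                                   # PartComponent cardinality is [1..n]
        errors.append(f"{proposal}: an IPsecProposal needs at least one SATransform")
    seqs = [link.sequence_number for link in mine]
    if len(seqs) != len(set(seqs)):                # SequenceNumber unique per proposal
        errors.append(f"{proposal}: SequenceNumber values must be unique")
    return errors


def group_by_type(links: List[ContainedTransform], proposal: str) -> Dict[str, List[SATransform]]:
    """Group one proposal's transforms by type, each list ordered by SequenceNumber."""
    errors = validate_links(links, proposal)
    if errors:
        raise ValueError("; ".join(errors))
    ordered = sorted((l for l in links if l.proposal == proposal),
                     key=lambda l: l.sequence_number)
    groups: Dict[str, List[SATransform]] = {}
    for link in ordered:
        groups.setdefault(link.transform.kind, []).append(link.transform)
    return groups


def preferred_choice(groups: Dict[str, List[SATransform]]) -> Dict[str, str]:
    """The proposer's favourite: the lowest-SequenceNumber alternative of every type."""
    return {kind: alternatives[0].name for kind, alternatives in groups.items()}


def acceptable_combinations(groups: Dict[str, List[SATransform]]) -> List[Dict[str, str]]:
    """Every combination the proposer accepts, most preferred first: alternatives of a
    type are ORed, and exactly one transform of each type present is required (AND)."""
    kinds = sorted(groups)
    combos = product(*(groups[k] for k in kinds))   # rightmost factor varies fastest
    return [{k: t.name for k, t in zip(kinds, combo)} for combo in combos]


def responder_pick(groups: Dict[str, List[SATransform]],
                   supported: Set[str]) -> Optional[Dict[str, str]]:
    """What a responder that implements `supported` selects: the proposer's most
    preferred supported alternative per type, or None if any type has none."""
    chosen: Dict[str, str] = {}
    for kind, alternatives in groups.items():
        usable = [t.name for t in alternatives if t.name in supported]
        if not usable:
            return None   # types are ANDed: one unsatisfiable type rejects the proposal
        chosen[kind] = usable[0]
    return chosen


# Constructed sample: the ordered proposal list from the text above.
ESP_3DES = SATransform("ESP", "HMAC-MD5/3DES")
ESP_DES = SATransform("ESP", "HMAC-MD5/DES")
AH_MD5 = SATransform("AH", "MD5")
AH_SHA1 = SATransform("AH", "SHA-1")
SAMPLE_LINKS = [
    ContainedTransform("proposal-1", ESP_3DES, 1),
    ContainedTransform("proposal-1", ESP_DES, 2),
    ContainedTransform("proposal-1", AH_MD5, 3),
    ContainedTransform("proposal-1", AH_SHA1, 4),
]

if __name__ == "__main__":
    groups = group_by_type(SAMPLE_LINKS, "proposal-1")
    print("preferred:", preferred_choice(groups))
    print("acceptable:", acceptable_combinations(groups))
    print("responder without 3DES:", responder_pick(groups, {"HMAC-MD5/DES", "MD5", "SHA-1"}))
```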
The class SATransformInSystem weakly associates SATransforms with a System. The class definition for SATransformInSystem is as follows:

NAME            SATransformInSystem
DESCRIPTION     Weakly associates SATransforms with a System.
DERIVED FROM    PolicyInSystem (see [PCIM])
ABSTRACT        FALSE
PROPERTIES      Antecedent [ref System [1..1]]
                Dependent [ref SATransform [0..n] [weak]]

The property Antecedent is inherited from PolicyInSystem and is overridden to refer to a System instance. The [1..1] cardinality indicates that an SATransform instance MUST be associated with one and only one System instance.

The property Dependent is inherited from PolicyInSystem and is overridden to refer to an SATransform instance. The [0..n] cardinality indicates that a System instance may be associated with zero or more SATransform instances.
[Figure: IKE service classes and their associations. Classes shown: System ([CIMCORE]), PeerIdentityEntry, PeerGateway, PeerIdentityTable, AutostartIKESetting, IKEService, IPProtocolEndpoint ([CIMNETWORK]), AutostartIKEConfiguration, IKEIdentity, Collection ([CIMCORE]), CredentialManagementService ([CIMUSER]) and Credential ([CIMUSER]). The associations are labelled (a) through (l) as listed below.]

(a) HostedPeerIdentityTable
(b) PeerIdentityMember
(c) IKEServicePeerGateway
(d) IKEServicePeerIdentityTable
(e) IKEAutostartSetting
(f) AutostartIKESettingContext
(g) IKEServiceForEndpoint
(h) IKEAutostartConfiguration
(i) IKEUsesCredentialManagementService
(j) EndpointHasLocalIKEIdentity
(k) CollectionHasLocalIKEIdentity
(l) IKEIdentitysCredential
This portion of the model contains additional information that is useful in applying the policy. The IKEService class MAY be used to represent the IKE negotiation function in a system. The IKEService uses the various tables that contain information about IKE peers as well as the configuration for specifying security associations that are started automatically. The information in the PeerGateway, PeerIdentityTable and related classes is necessary to completely specify the policies.

An interface (represented by an IPProtocolEndpoint) has an IKEService that provides the negotiation services for that interface. That service MAY also have a list of security associations automatically started at the time the IKE service is initialized.

The IKEService also has a set of identities that it may use in negotiations with its peers. Those identities are associated with the interfaces (or collections of interfaces).

The class IKEService represents the IKE negotiation function. An instance of this service may provide that negotiation service for one or more interfaces (represented by the IPProtocolEndpoint class) of a System. There may be multiple instances of IKE services on a System but only one per interface. The class definition for IKEService is as follows:

NAME            IKEService
DESCRIPTION     IKEService is used to represent the IKE negotiation function.
DERIVED FROM    Service (see [CIMCORE])
ABSTRACT        FALSE
The class PeerIdentityTable aggregates the table entries that provide mappings between identities and their addresses. The class definition for PeerIdentityTable is as follows:

NAME            PeerIdentityTable
DESCRIPTION     PeerIdentityTable aggregates PeerIdentityEntry instances to provide a table of identity-address mappings.
DERIVED FROM    Collection (see [CIMCORE])
ABSTRACT        FALSE
PROPERTIES      Name

The property Name uniquely identifies the table. The property is defined as follows:

NAME            Name
DESCRIPTION     Name uniquely identifies the table.
SYNTAX          string

The class PeerIdentityEntry specifies the mapping between a peer's identity and its IP address. The class definition for PeerIdentityEntry is as follows:

NAME            PeerIdentityEntry
DESCRIPTION     PeerIdentityEntry provides a mapping between a peer's identity and address.
DERIVED FROM    LogicalElement (see [CIMCORE])
ABSTRACT        FALSE
PROPERTIES      PeerIdentity
                PeerIdentityType
                PeerAddress
                PeerAddressType

The pre-shared key to be used with this peer (if applicable) is contained in an instance of the class SharedSecret (see [CIMUSER]). The pre-shared key is stored in the property Secret; the property protocol contains "IKE"; the property algorithm contains the algorithm used to protect the secret (it can be "PLAINTEXT" if the IPsec entity has no secret storage); and the value of the property RemoteID must match the PeerIdentity property of the PeerIdentityEntry instance describing the IKE peer.

The property PeerIdentity contains a string encoding of the Identity payload for the IKE peer. The property is defined as follows:

NAME            PeerIdentity
DESCRIPTION     The PeerIdentity is the ID payload of a peer.
SYNTAX          string

The property PeerIdentityType is an enumeration that specifies the type of the PeerIdentity. The property is defined as follows:

NAME            PeerIdentityType
DESCRIPTION     PeerIdentityType is the type of the ID payload of a peer.
SYNTAX          unsigned 16-bit integer
VALUE           The enumeration values are specified in [DOI] section 4.6.2.1.

The property PeerAddress specifies the string representation of the IP address of the peer formatted according to the appropriate convention as defined in the PeerAddressType property (e.g., dotted decimal notation). The property is defined as follows:

NAME            PeerAddress
DESCRIPTION     PeerAddress is the address of the peer with the ID payload.
SYNTAX          string
VALUE           String representation of an IPv4 or IPv6 address.

The property PeerAddressType specifies the format of the PeerAddress property value. The property is defined as follows:

NAME            PeerAddressType
DESCRIPTION     PeerAddressType is the type of address in PeerAddress.
SYNTAX          unsigned 16-bit integer
VALUE           0 - Unknown
                1 - IPv4
                2 - IPv6
The class AutostartIKEConfiguration groups AutostartIKESetting instances into configuration sets. When applied, the settings cause an IKE service to automatically start (negotiate or statically set as appropriate) the Security Associations. The class definition for AutostartIKEConfiguration is as follows:

NAME            AutostartIKEConfiguration
DESCRIPTION     A configuration set of AutostartIKESetting instances to be automatically started by the IKE service.
DERIVED FROM    SystemConfiguration (see [CIMCORE])
ABSTRACT        FALSE

The class AutostartIKESetting is used to automatically initiate IKE negotiations with peers (or statically create an SA) as specified in the AutostartIKESetting properties. Appropriate actions are initiated according to the policy that matches the setting parameters. The class definition for AutostartIKESetting is as follows:

NAME            AutostartIKESetting
DESCRIPTION     AutostartIKESetting is used to automatically initiate IKE negotiations with peers or statically create an SA.
DERIVED FROM    SystemSetting (see [CIMCORE])
ABSTRACT        FALSE
PROPERTIES      Phase1Only
                AddressType
                SourceAddress
                SourcePort
                DestinationAddress
                DestinationPort
                Protocol

The property Phase1Only is used to limit the IKE negotiation to a phase 1 SA establishment only. When set to False, both phase 1 and phase 2 SAs are negotiated. The property is defined as follows:

NAME            Phase1Only
DESCRIPTION     Used to indicate whether a phase 1 only or both phase 1 and phase 2 security associations should attempt establishment.
SYNTAX          boolean
VALUE           true - attempt to establish a phase 1 security association
                false - attempt to establish phase 1 and phase 2 security associations

The property AddressType specifies the type of the addresses in the SourceAddress and DestinationAddress properties. The property is defined as follows:

NAME            AddressType
DESCRIPTION     AddressType is the type of address in the SourceAddress and DestinationAddress properties.
SYNTAX          unsigned 16-bit integer
VALUE           0 - Unknown
                1 - IPv4
                2 - IPv6

The property SourceAddress specifies the dotted-decimal or colon-decimal formatted IP address used as the source address in comparing with policy filter entries and used in any phase 2 negotiations. The property is defined as follows:

NAME            SourceAddress
DESCRIPTION     The source address to compare with the filters to determine the appropriate policy rule.
SYNTAX          string
VALUE           dotted-decimal or colon-decimal formatted IP address

The property SourcePort specifies the port number used as the source port in comparing policy filter entries and is used in any phase 2 negotiations. The property is defined as follows:

NAME            SourcePort
DESCRIPTION     The source port to compare with the filters to determine the appropriate policy rule.
SYNTAX          unsigned 16-bit integer

The property DestinationAddress specifies the dotted-decimal or colon-decimal formatted IP address used as the destination address in comparing policy filter entries and is used in any phase 2 negotiations. The property is defined as follows:

NAME            DestinationAddress
DESCRIPTION     The destination address to compare with the filters to determine the appropriate policy rule.
SYNTAX          string
VALUE           dotted-decimal or colon-decimal formatted IP address

The property DestinationPort specifies the port number used as the destination port in comparing policy filter entries and is used in any phase 2 negotiations. The property is defined as follows:

NAME            DestinationPort
DESCRIPTION     The destination port to compare with the filters to determine the appropriate policy rule.
SYNTAX          unsigned 16-bit integer

The property Protocol specifies the protocol number used in comparing with policy filter entries and is used in any phase 2 negotiations. The property is defined as follows:

NAME            Protocol
DESCRIPTION     The protocol number used in comparing policy filter entries.
SYNTAX          unsigned 8-bit integer
The class IKEIdentity is used to represent the identities that may be used for an IPProtocolEndpoint (or collection of IPProtocolEndpoints) to identify the IKE Service in IKE phase 1 negotiations. The policy IKEAction.UseIKEIdentityType specifies which type of the available identities to use in a negotiation exchange and the IKERule.IdentityContexts specifies the match values to be used, along with the local address, in selecting the appropriate identity for a negotiation. The ElementID property value (defined in the parent class, UsersAccess) should be that of either the IPProtocolEndpoint or Collection of endpoints as appropriate. The class definition for IKEIdentity is as follows:

NAME            IKEIdentity
DESCRIPTION     IKEIdentity is used to represent the identities that may be used for an IPProtocolEndpoint (or collection of IPProtocolEndpoints) to identify the IKE Service in IKE phase 1 negotiations.
DERIVED FROM    UsersAccess (see [CIMUSER])
ABSTRACT        FALSE
PROPERTIES      IdentityType
                IdentityValue
                IdentityContexts

The property IdentityType is an enumeration that specifies the type of the IdentityValue. The property is defined as follows:

NAME            IdentityType
DESCRIPTION     IdentityType is the type of the IdentityValue.
SYNTAX          unsigned 16-bit integer
VALUE           The enumeration values are specified in [DOI] section 4.6.2.1.

The property IdentityValue contains a string encoding of the Identity payload. For IKEIdentity instances that are address types (i.e., IPv4 or IPv6 addresses), the IdentityValue string value MAY be omitted; then the associated IPProtocolEndpoint (or appropriate member of the Collection of endpoints) is used as the identity value. The property is defined as follows:

NAME            IdentityValue
DESCRIPTION     IdentityValue contains a string encoding of the Identity payload.
SYNTAX          string

The IdentityContexts property is used to constrain the use of IKEIdentity instances to match that specified in the IKERule.IdentityContexts. The IdentityContexts are formatted as policy roles and role combinations [PCIM] & [PCIME]. Each value represents one context or context combination. Since this is a multi-valued property, more than one context or combination of contexts can be associated with a single IKEIdentity. Each value is a string of the form:

    <ContextName>[&&<ContextName>]*

where the individual context names appear in alphabetical order (according to the collating sequence for UCS-2). If one or more values in the IKERule.IdentityContexts array match one or more IKEIdentity.IdentityContexts, then the identity's context matches. (That is, each value of the IdentityContexts array is an ORed condition.) In combination with the address of the IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be exactly one IKEIdentity. The property is defined as follows:

NAME            IdentityContexts
DESCRIPTION     The IKE service of a security endpoint may have multiple identities for use in different situations. The combination of the interface (represented by the IPProtocolEndpoint), the identity type (as specified in the IKEAction) and the IdentityContexts selects a unique identity.
SYNTAX          string array
VALUE           string of the form <ContextName>[&&<ContextName>]*
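As an added illustration that is not part of this RFC, the following Python resolves the phase 1 identity an IKE service would present: it canonicalises IdentityContexts values into the alphabetical `<ContextName>[&&<ContextName>]*` form, matches IKERule.IdentityContexts against IKEIdentity.IdentityContexts as ORed values, narrows by the endpoint (or a Collection it belongs to) and the IKEAction.UseIKEIdentityType, and treats anything other than exactly one candidate as a configuration error. The endpoint names, context names and identity values are constructed; the identity type codes are the [DOI] section 4.6.2.1 values.

```python
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple

# Identity type codes from [DOI] section 4.6.2.1 (only the ones used here).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_IPV6_ADDR = 5
# Address identity types: IdentityValue MAY be omitted and the endpoint address is used.
ADDRESS_ID_TYPES = {ID_IPV4_ADDR, ID_IPV6_ADDR}


@dataclass(frozen=True)
class IKEIdentity:
    element_id: str                     # ElementID: the IPProtocolEndpoint or Collection
    identity_type: int                  # IdentityType
    identity_value: str                 # IdentityValue; "" means omitted
    identity_contexts: Tuple[str, ...]  # IdentityContexts, "<ContextName>[&&<ContextName>]*"


def canonical_context(value: str) -> str:
    """Canonical form of one context combination: names sorted (Python compares code
    points, which for BMP characters is the UCS-2 collating order), empties and
    duplicates dropped, joined with '&&'."""
    return "&&".join(sorted({name for name in value.split("&&") if name}))


def contexts_match(rule_contexts: Iterable[str], identity_contexts: Iterable[str]) -> bool:
    """IKERule.IdentityContexts vs IKEIdentity.IdentityContexts: each array value is an
    ORed condition, so any value present in both arrays is a match."""
    rule = {canonical_context(v) for v in rule_contexts}
    ident = {canonical_context(v) for v in identity_contexts}
    return not rule.isdisjoint(ident)


def matching_identities(identities: Sequence[IKEIdentity], endpoint_id: str, use_type: int,
                        rule_contexts: Iterable[str],
                        collections: Iterable[str] = ()) -> List[IKEIdentity]:
    """IKEIdentity instances usable for this endpoint (directly or via a Collection it is a
    member of), of the type demanded by IKEAction.UseIKEIdentityType, whose contexts match."""
    scopes = {endpoint_id, *collections}
    rule = list(rule_contexts)
    return [i for i in identities
            if i.element_id in scopes
            and i.identity_type == use_type
            and contexts_match(rule, i.identity_contexts)]


def select_identity(identities: Sequence[IKEIdentity], endpoint_id: str, endpoint_address: str,
                    use_type: int, rule_contexts: Iterable[str],
                    collections: Iterable[str] = ()) -> Tuple[int, str]:
    """Resolve the (type, value) for the phase 1 ID payload. The model says there SHOULD be
    exactly one candidate; zero or several is reported as a configuration error."""
    found = matching_identities(identities, endpoint_id, use_type, rule_contexts, collections)
    if len(found) != 1:
        raise LookupError(f"{len(found)} IKEIdentity candidates for {endpoint_id}, expected 1")
    ident = found[0]
    if ident.identity_value:
        return ident.identity_type, ident.identity_value
    if ident.identity_type in ADDRESS_ID_TYPES:
        return ident.identity_type, endpoint_address   # omitted value: the endpoint itself
    raise LookupError("IdentityValue may only be omitted for address identity types")


# Constructed sample: one interface "eth0" that is also a member of the Collection
# "vpn-ifaces", with identities scoped to both.
SAMPLE_IDENTITIES = (
    IKEIdentity("eth0", ID_IPV4_ADDR, "", ("Branch",)),
    IKEIdentity("eth0", ID_FQDN, "vpn.example.com", ("Branch&&Partner",)),
    IKEIdentity("eth0", ID_FQDN, "other.example.com", ("Other",)),
    IKEIdentity("vpn-ifaces", ID_FQDN, "gw.example.com", ("Remote",)),
)

if __name__ == "__main__":
    print(select_identity(SAMPLE_IDENTITIES, "eth0", "192.0.2.1", ID_IPV4_ADDR, ["Branch"]))
    print(select_identity(SAMPLE_IDENTITIES, "eth0", "192.0.2.1", ID_FQDN, ["Partner&&Branch"]))
    print(select_identity(SAMPLE_IDENTITIES, "eth0", "192.0.2.1", ID_FQDN, ["Remote"],
                          collections=["vpn-ifaces"]))
```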
The class HostedPeerIdentityTable provides the name scoping relationship for PeerIdentityTable entries in a System. The PeerIdentityTable is weak to the System. The class definition for HostedPeerIdentityTable is as follows:

NAME            HostedPeerIdentityTable
DESCRIPTION     The PeerIdentityTable instances are weak (name scoped by) the owning System.
DERIVED FROM    Dependency (see [CIMCORE])
ABSTRACT        FALSE
PROPERTIES      Antecedent [ref System [1..1]]
                Dependent [ref PeerIdentityTable [0..n] [weak]]

The property Antecedent is inherited from Dependency and is overridden to refer to a System instance. The [1..1] cardinality indicates that a PeerIdentityTable instance MUST be associated in a weak relationship with one and only one System instance.

The property Dependent is inherited from Dependency and is overridden to refer to a PeerIdentityTable instance. The [0..n] cardinality indicates that a System instance may be associated with zero or more PeerIdentityTable instances.

The class PeerIdentityMember aggregates PeerIdentityEntry instances into a PeerIdentityTable. This is a weak aggregation. The class definition for PeerIdentityMember is as follows:

NAME            PeerIdentityMember
DESCRIPTION     PeerIdentityMember aggregates PeerIdentityEntry instances into a PeerIdentityTable.
DERIVED FROM    MemberOfCollection (see [CIMCORE])
ABSTRACT        FALSE
PROPERTIES      Collection [ref PeerIdentityTable [1..1]]
                Member [ref PeerIdentityEntry [0..n] [weak]]

The property Collection is inherited from MemberOfCollection and is overridden to refer to a PeerIdentityTable instance. The [1..1] cardinality indicates that a PeerIdentityEntry instance MUST be associated with one and only one PeerIdentityTable instance (i.e., PeerIdentityEntry instances are not shared across PeerIdentityTables).

The property Member is inherited from MemberOfCollection and is overridden to refer to a PeerIdentityEntry instance. The [0..n] cardinality indicates that a PeerIdentityTable instance may be associated with zero or more PeerIdentityEntry instances.
The class IKEServicePeerGateway provides the association between an IKEService and the list of PeerGateway instances that it uses in negotiating with security gateways. The class definition for IKEServicePeerGateway is as follows:
类IKEServicePeerGateway提供IKEService和它在与安全网关协商时使用的PeerGateway实例列表之间的关联。IKEServicePeerGateway的类定义如下:
NAME IKEServicePeerGateway DESCRIPTION Associates an IKEService and the list of PeerGateway instances that it uses in negotiating with security gateways. DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent [ref PeerGateway[0..n]] Dependent [ref IKEService[0..n]]
名称IKEServicePeerGateway DESCRIPTION将IKEService与其用于与安全网关协商的PeerGateway实例列表相关联。派生自依赖项(请参见[CIMCORE])抽象假属性先行项[ref PeerGateway[0..n]]依赖项[ref IKEService[0..n]]
The property Antecedent is inherited from Dependency and is overridden to refer to a PeerGateway instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more PeerGateway instances.
属性Antecedent从依赖项继承,并被重写以引用PeerGateway实例。[0..n]基数表示IKEService实例可能与零个或多个PeerGateway实例关联。
The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that a PeerGateway instance may be associated with zero or more IKEService instances.
依赖属性从依赖项继承,并被重写以引用IKEService实例。[0..n]基数表示PeerGateway实例可能与零个或多个IKEService实例关联。
The class IKEServicePeerIdentityTable provides the relationship between an IKEService and a PeerIdentityTable that it uses to map between addresses and identities as required. The class definition for IKEServicePeerIdentityTable is as follows:

NAME            IKEServicePeerIdentityTable
DESCRIPTION     IKEServicePeerIdentityTable provides the relationship
                between an IKEService and a PeerIdentityTable that it
                uses.
DERIVED FROM    Dependency (see [CIMCORE])
ABSTRACT        FALSE
PROPERTIES      Antecedent [ref PeerIdentityTable[0..n]]
                Dependent [ref IKEService[0..n]]

The property Antecedent is inherited from Dependency and is overridden to refer to a PeerIdentityTable instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more PeerIdentityTable instances.
The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that a PeerIdentityTable instance may be associated with zero or more IKEService instances.
The class IKEAutostartSetting associates an AutostartIKESetting with an IKEService that may use it to automatically start an IKE negotiation or create a static SA. The class definition for IKEAutostartSetting is as follows:

NAME            IKEAutostartSetting
DESCRIPTION     Associates an AutostartIKESetting with an IKEService.
DERIVED FROM    ElementSetting (see [CIMCORE])
ABSTRACT        FALSE
PROPERTIES      Element [ref IKEService[0..n]]
                Setting [ref AutostartIKESetting[0..n]]

The property Element is inherited from ElementSetting and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that an AutostartIKESetting instance may be associated with zero or more IKEService instances.
The property Setting is inherited from ElementSetting and is overridden to refer to an AutostartIKESetting instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more AutostartIKESetting instances.
The class AutostartIKESettingContext aggregates the settings used to automatically start negotiations or create a static SA into a configuration set. The class definition for AutostartIKESettingContext is as follows:

NAME            AutostartIKESettingContext
DESCRIPTION     AutostartIKESettingContext aggregates the
                AutostartIKESetting instances into a configuration set.
DERIVED FROM    SystemSettingContext (see [CIMCORE])
ABSTRACT        FALSE
PROPERTIES      Context [ref AutostartIKEConfiguration [0..n]]
                Setting [ref AutostartIKESetting [0..n]]
                SequenceNumber

The property Context is inherited from SystemSettingContext and is overridden to refer to an AutostartIKEConfiguration instance. The [0..n] cardinality indicates that an AutostartIKESetting instance may be associated with zero or more AutostartIKEConfiguration instances (i.e., a setting may be in multiple configuration sets).
The property Setting is inherited from SystemSettingContext and is overridden to refer to an AutostartIKESetting instance. The [0..n] cardinality indicates that an AutostartIKEConfiguration instance may be associated with zero or more AutostartIKESetting instances.
The property SequenceNumber specifies the ordering to be used when starting negotiations or creating a static SA. A zero value indicates that order is not significant and the setting may be applied in parallel with other settings. All other settings in the configuration are executed in sequence from lower to higher values. Sequence numbers need not be unique in an AutostartIKEConfiguration, and order is not significant for settings with the same sequence number. The property is defined as follows:

NAME            SequenceNumber
DESCRIPTION     The sequence in which the settings are applied within a
                configuration set.
SYNTAX          unsigned 16-bit integer
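The SequenceNumber rules above (zero means order-free, non-zero values run lowest to highest, ties are unordered, the value must fit in 16 bits) are easy to get subtly wrong in an IKE service that consumes this model. The following Python is an added example, not text or code from RFC 3585 or any IPsec implementation, that turns the SequenceNumber values of the AutostartIKESettingContext instances in one AutostartIKEConfiguration into an execution plan with exactly those semantics. The setting names, the (parallel, stages) plan shape and the run_plan driver are this example's own assumptions.

```python
from collections import defaultdict


def is_valid_sequence_number(seq):
    """SequenceNumber is defined as an unsigned 16-bit integer."""
    return isinstance(seq, int) and 0 <= seq <= 0xFFFF


def plan_autostart(contexts):
    """Build an execution plan from (setting_name, SequenceNumber) pairs that
    belong to one AutostartIKEConfiguration.

    Returns (parallel, stages):
      parallel - settings with SequenceNumber 0: order is not significant and
                 they may be applied alongside any other setting
      stages   - non-zero settings grouped by SequenceNumber, groups listed
                 from lowest to highest value; order within a group is not
                 significant, so each group is merely sorted for determinism
    """
    parallel = []
    by_seq = defaultdict(list)
    for name, seq in contexts:
        if not is_valid_sequence_number(seq):
            raise ValueError(f"{name}: SequenceNumber {seq!r} is not an unsigned 16-bit integer")
        if seq == 0:
            parallel.append(name)
        else:
            by_seq[seq].append(name)
    stages = [sorted(by_seq[seq]) for seq in sorted(by_seq)]
    return sorted(parallel), stages


def run_plan(contexts, start):
    """Call start(name) for every setting in a plan-respecting order and
    return the order used.  Order-free settings are kicked off first; each
    stage is completed before the next begins.  A real IKEService would run
    the negotiations of one stage concurrently and wait for all of them."""
    parallel, stages = plan_autostart(contexts)
    order = []
    for name in parallel:
        start(name)
        order.append(name)
    for stage in stages:
        for name in stage:
            start(name)
            order.append(name)
    return order


# Constructed sample: two order-free static SAs, two tunnels that share
# sequence number 10 (a tie), and one tunnel that must come after them.
SAMPLE_CONTEXTS = [
    ("tunnel-to-hq", 10),
    ("static-sa-mgmt", 0),
    ("tunnel-to-dr-site", 10),
    ("tunnel-to-partner", 20),
    ("static-sa-monitoring", 0),
]

if __name__ == "__main__":
    parallel, stages = plan_autostart(SAMPLE_CONTEXTS)
    print("order-free:", parallel)
    for i, stage in enumerate(stages, 1):
        print(f"stage {i}:", stage)
```

Note that a duplicate sequence number is not an error: both tunnels with value 10 land in the same stage, and only the transition to the next stage is ordered.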
The class IKEServiceForEndpoint provides the association showing which IKE service, if any, provides IKE negotiation services for which network interfaces. The class definition for IKEServiceForEndpoint is as follows:

NAME            IKEServiceForEndpoint
DESCRIPTION     Associates an IPProtocolEndpoint with an IKEService
                that provides negotiation services for the endpoint.
DERIVED FROM    Dependency (see [CIMCORE])
ABSTRACT        FALSE
PROPERTIES      Antecedent [ref IKEService[0..1]]
                Dependent [ref IPProtocolEndpoint[0..n]]

The property Antecedent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..1] cardinality indicates that an IPProtocolEndpoint instance MUST be associated with at most one IKEService instance.
The property Dependent is inherited from Dependency and is overridden to refer to an IPProtocolEndpoint that is associated with at most one IKEService. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more IPProtocolEndpoint instances.
The class IKEAutostartConfiguration provides the relationship between an IKEService and a configuration set that it uses to automatically start a set of SAs. The class definition for IKEAutostartConfiguration is as follows:

NAME            IKEAutostartConfiguration
DESCRIPTION     IKEAutostartConfiguration provides the relationship
                between an IKEService and an AutostartIKEConfiguration
                that it uses to automatically start a set of SAs.
DERIVED FROM    Dependency (see [CIMCORE])
ABSTRACT        FALSE
PROPERTIES      Antecedent [ref AutostartIKEConfiguration [0..n]]
                Dependent [ref IKEService [0..n]]
                Active

The property Antecedent is inherited from Dependency and is overridden to refer to an AutostartIKEConfiguration instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more AutostartIKEConfiguration instances.
The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that an AutostartIKEConfiguration instance may be associated with zero or more IKEService instances.
The property Active indicates whether the AutostartIKEConfiguration set is currently active for the associated IKEService. That is, at boot time, the active configuration is used to automatically start IKE negotiations and create static SAs. The property is defined as follows:

NAME            Active
DESCRIPTION     Active indicates whether the AutostartIKEConfiguration
                set is currently active for the associated IKEService.
SYNTAX          boolean
VALUE           true - AutostartIKEConfiguration is currently active for
                the associated IKEService.
                false - AutostartIKEConfiguration is currently inactive
                for the associated IKEService.
The class IKEUsesCredentialManagementService defines the set of CredentialManagementService(s) that are trusted sources of credentials for IKE phase 1 negotiations. The class definition for IKEUsesCredentialManagementService is as follows:

NAME            IKEUsesCredentialManagementService
DESCRIPTION     Associates the set of CredentialManagementService(s)
                that are trusted by the IKEService as sources of
                credentials used in IKE phase 1 negotiations.
DERIVED FROM    Dependency (see [CIMCORE])
ABSTRACT        FALSE
PROPERTIES      Antecedent [ref CredentialManagementService [0..n]]
                Dependent [ref IKEService [0..n]]

The property Antecedent is inherited from Dependency and is overridden to refer to a CredentialManagementService instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more CredentialManagementService instances.
The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that a CredentialManagementService instance may be associated with zero or more IKEService instances.
The class EndpointHasLocalIKEIdentity associates an IPProtocolEndpoint with a set of IKEIdentity instances that may be used in negotiating security associations on the endpoint. An IKEIdentity MUST be associated either with an IPProtocolEndpoint using this association or with a Collection of IPProtocolEndpoint instances using the CollectionHasLocalIKEIdentity association. The class definition for EndpointHasLocalIKEIdentity is as follows:

NAME            EndpointHasLocalIKEIdentity
DESCRIPTION     EndpointHasLocalIKEIdentity associates an
                IPProtocolEndpoint with a set of IKEIdentity instances.
DERIVED FROM    ElementAsUser (see [CIMUSER])
ABSTRACT        FALSE
PROPERTIES      Antecedent [ref IPProtocolEndpoint [0..1]]
                Dependent [ref IKEIdentity [0..n]]

The property Antecedent is inherited from ElementAsUser and is overridden to refer to an IPProtocolEndpoint instance. The [0..1] cardinality indicates that an IKEIdentity instance MUST be associated with at most one IPProtocolEndpoint instance.
The property Dependent is inherited from ElementAsUser and is overridden to refer to an IKEIdentity instance. The [0..n] cardinality indicates that an IPProtocolEndpoint instance may be associated with zero or more IKEIdentity instances.
The class CollectionHasLocalIKEIdentity associates a Collection of IPProtocolEndpoint instances with a set of IKEIdentity instances that may be used in negotiating SAs for endpoints in the collection. An IKEIdentity MUST be associated either with an IPProtocolEndpoint using the EndpointHasLocalIKEIdentity association or with a Collection of IPProtocolEndpoint instances using this association. The class definition for CollectionHasLocalIKEIdentity is as follows:

NAME            CollectionHasLocalIKEIdentity
DESCRIPTION     CollectionHasLocalIKEIdentity associates a collection
                of IPProtocolEndpoint instances with a set of
                IKEIdentity instances.
DERIVED FROM    ElementAsUser (see [CIMUSER])
ABSTRACT        FALSE
PROPERTIES      Antecedent [ref Collection [0..1]]
                Dependent [ref IKEIdentity [0..n]]

The property Antecedent is inherited from ElementAsUser and is overridden to refer to a Collection instance. The [0..1] cardinality indicates that an IKEIdentity instance MUST be associated with at most one Collection instance.
The property Dependent is inherited from ElementAsUser and is overridden to refer to an IKEIdentity instance. The [0..n] cardinality indicates that a Collection instance may be associated with zero or more IKEIdentity instances.
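The [0..1] cardinalities of IKEServiceForEndpoint, EndpointHasLocalIKEIdentity and CollectionHasLocalIKEIdentity, together with the rule that every IKEIdentity MUST be bound through one of the latter two associations, are constraints that a policy repository or a tool importing this model has to enforce before handing the data to an IKE service: an endpoint served by two IKE services, or an identity with no binding, is a configuration that cannot be acted on unambiguously. The following Python is an added example, not text or code from RFC 3585 or any vendor, that checks these constraints over a set of association instances. The Assoc record, the instance names and the reading of "either ... or" as exactly one binding are this example's own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Assoc:
    """One association instance: the association class name and the two
    instances it links, named by their Antecedent / Dependent role."""
    kind: str
    antecedent: str
    dependent: str


def _antecedents_by_dependent(assocs, kind):
    """For one association class, map each Dependent instance to the set of
    Antecedent instances linked to it."""
    out = defaultdict(set)
    for a in assocs:
        if a.kind == kind:
            out[a.dependent].add(a.antecedent)
    return out


def validate(assocs, identities):
    """Check the [0..1] cardinalities and the either/or binding rule for
    IKEIdentity.  Returns a sorted list of violation strings; an empty list
    means the instances are consistent with the model.

    identities: names of all IKEIdentity instances in the repository, so an
    identity that has no binding at all can be reported.
    """
    errors = []

    # IKEServiceForEndpoint: Antecedent IKEService is [0..1], so each
    # IPProtocolEndpoint (the Dependent) may be served by at most one service.
    for ep, svcs in _antecedents_by_dependent(assocs, "IKEServiceForEndpoint").items():
        if len(svcs) > 1:
            errors.append(f"IPProtocolEndpoint {ep} has {len(svcs)} IKEServices (max 1)")

    # EndpointHasLocalIKEIdentity / CollectionHasLocalIKEIdentity: each has a
    # [0..1] Antecedent, and an IKEIdentity MUST be bound by one of the two
    # (assumption of this example: exactly one, never both).
    ep_of = _antecedents_by_dependent(assocs, "EndpointHasLocalIKEIdentity")
    coll_of = _antecedents_by_dependent(assocs, "CollectionHasLocalIKEIdentity")
    for ident in sorted(identities):
        eps, colls = ep_of.get(ident, set()), coll_of.get(ident, set())
        if len(eps) > 1:
            errors.append(f"IKEIdentity {ident} bound to {len(eps)} IPProtocolEndpoints (max 1)")
        if len(colls) > 1:
            errors.append(f"IKEIdentity {ident} bound to {len(colls)} Collections (max 1)")
        if not eps and not colls:
            errors.append(f"IKEIdentity {ident} is bound to neither an IPProtocolEndpoint nor a Collection")
        elif eps and colls:
            errors.append(f"IKEIdentity {ident} is bound to both an IPProtocolEndpoint and a Collection")

    # Dangling references: an identity named by an association but missing
    # from the inventory of IKEIdentity instances.
    for ident in sorted((set(ep_of) | set(coll_of)) - set(identities)):
        errors.append(f"association references unknown IKEIdentity {ident}")

    return sorted(errors)


# Constructed sample instances; all names are invented for this example.
SAMPLE_IDENTITIES = {"id-hq", "id-branch", "id-orphan"}
SAMPLE_ASSOCS = [
    Assoc("IKEServiceForEndpoint", "ike-svc-1", "eth0"),
    Assoc("IKEServiceForEndpoint", "ike-svc-2", "eth0"),  # eth0 served twice: violation
    Assoc("IKEServiceForEndpoint", "ike-svc-1", "eth1"),
    Assoc("EndpointHasLocalIKEIdentity", "eth0", "id-hq"),
    Assoc("CollectionHasLocalIKEIdentity", "branch-ifaces", "id-branch"),
    # id-orphan is bound through neither association: violation
]

if __name__ == "__main__":
    for err in validate(SAMPLE_ASSOCS, SAMPLE_IDENTITIES):
        print("violation:", err)
```

Run as a pre-deployment check over the exported instances; the two constructed violations (two IKEServices on eth0, an unbound id-orphan) are reported and the remaining instances pass.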
The class IKEIdentitysCredential is an association that relates a set of credentials to their corresponding local IKE Identities. The class definition for IKEIdentitysCredential is as follows:

NAME            IKEIdentitysCredential
DESCRIPTION     IKEIdentitysCredential associates a set of credentials
                to their corresponding local IKEIdentity.
DERIVED FROM    UsersCredential (see [CIMCORE])
ABSTRACT        FALSE
PROPERTIES      Antecedent [ref Credential [0..n]]
                Dependent [ref IKEIdentity [0..n]]

The property Antecedent is inherited from UsersCredential and is overridden to refer to a Credential instance. The [0..n] cardinality indicates that an IKEIdentity instance may be associated with zero or more Credential instances.
The property Dependent is inherited from UsersCredential and is overridden to refer to an IKEIdentity instance. The [0..n] cardinality indicates that a Credential instance may be associated with zero or more IKEIdentity instances.
The following table specifies which classes, properties, associations and aggregations MUST or SHOULD or MAY be implemented.
4. Policy Classes 4.1. The Class SARule..........................................MUST 4.1.1. The Property PolicyRuleName..............................MAY 4.1.1. The Property Enabled....................................MUST 4.1.1. The Property ConditionListType..........................MUST 4.1.1. The Property RuleUsage...................................MAY 4.1.1. The Property Mandatory...................................MAY 4.1.1. The Property SequencedActions...........................MUST
4. Policy Classes 4.1. The Class SARule..........................................MUST 4.1.1. The Property PolicyRuleName..............................MAY 4.1.1. The Property Enabled....................................MUST 4.1.1. The Property ConditionListType..........................MUST 4.1.1. The Property RuleUsage...................................MAY 4.1.1. The Property Mandatory...................................MAY 4.1.1. The Property SequencedActions...........................MUST
4.1.1. The Property PolicyRoles.................................MAY 4.1.1. The Property PolicyDecisionStrategy......................MAY 4.1.2 The Property ExecutionStrategy..........................MUST 4.1.3 The Property LimitNegotiation............................MAY 4.2. The Class IKERule.........................................MUST 4.2.1. The Property IdentityContexts............................MAY 4.3. The Class IPsecRule.......................................MUST 4.4. The Association Class IPsecPolicyForEndpoint...............MAY 4.4.1. The Reference Antecedent................................MUST 4.4.2. The Reference Dependent.................................MUST 4.5. The Association Class IPsecPolicyForSystem.................MAY 4.5.1. The Reference Antecedent................................MUST 4.5.2. The Reference Dependent.................................MUST 4.6. The Aggregation Class SAConditionInRule...................MUST 4.6.1. The Property GroupNumber..............................SHOULD 4.6.1. The Property ConditionNegated.........................SHOULD 4.6.2. The Reference GroupComponent............................MUST 4.6.3. The Reference PartComponent.............................MUST 4.7. The Aggregation Class PolicyActionInSARule................MUST 4.7.1. The Reference GroupComponent............................MUST 4.7.2. The Reference PartComponent.............................MUST 4.7.3. The Property ActionOrder..............................SHOULD 5. Condition and Filter Classes 5.1. The Class SACondition.....................................MUST 5.2. The Class IPHeadersFilter...............................SHOULD 5.3. The Class CredentialFilterEntry............................MAY 5.3.1. The Property MatchFieldName.............................MUST 5.3.2. The Property MatchFieldValue............................MUST 5.3.3. The Property CredentialType.............................MUST 5.4. 
The Class IPSOFilterEntry..................................MAY 5.4.1. The Property MatchConditionType.........................MUST 5.4.2. The Property MatchConditionValue........................MUST 5.5. The Class PeerIDPayloadFilterEntry.........................MAY 5.5.1. The Property MatchIdentityType..........................MUST 5.5.2. The Property MatchIdentityValue.........................MUST 5.6. The Association Class FilterOfSACondition...............SHOULD 5.6.1. The Reference Antecedent................................MUST 5.6.2. The Reference Dependent.................................MUST 5.7. The Association Class AcceptCredentialFrom.................MAY 5.7.1. The Reference Antecedent................................MUST 5.7.2. The Reference Dependent.................................MUST 6. Action Classes 6.1. The Class SAAction........................................MUST 6.1.1. The Property DoActionLogging.............................MAY 6.1.2. The Property DoPacketLogging.............................MAY 6.2. The Class SAStaticAction..................................MUST 6.2.1. The Property LifetimeSeconds............................MUST 6.3. The Class IPsecBypassAction.............................SHOULD
4.1.1. The Property PolicyRoles.................................MAY 4.1.1. The Property PolicyDecisionStrategy......................MAY 4.1.2 The Property ExecutionStrategy..........................MUST 4.1.3 The Property LimitNegotiation............................MAY 4.2. The Class IKERule.........................................MUST 4.2.1. The Property IdentityContexts............................MAY 4.3. The Class IPsecRule.......................................MUST 4.4. The Association Class IPsecPolicyForEndpoint...............MAY 4.4.1. The Reference Antecedent................................MUST 4.4.2. The Reference Dependent.................................MUST 4.5. The Association Class IPsecPolicyForSystem.................MAY 4.5.1. The Reference Antecedent................................MUST 4.5.2. The Reference Dependent.................................MUST 4.6. The Aggregation Class SAConditionInRule...................MUST 4.6.1. The Property GroupNumber..............................SHOULD 4.6.1. The Property ConditionNegated.........................SHOULD 4.6.2. The Reference GroupComponent............................MUST 4.6.3. The Reference PartComponent.............................MUST 4.7. The Aggregation Class PolicyActionInSARule................MUST 4.7.1. The Reference GroupComponent............................MUST 4.7.2. The Reference PartComponent.............................MUST 4.7.3. The Property ActionOrder..............................SHOULD 5. Condition and Filter Classes 5.1. The Class SACondition.....................................MUST 5.2. The Class IPHeadersFilter...............................SHOULD 5.3. The Class CredentialFilterEntry............................MAY 5.3.1. The Property MatchFieldName.............................MUST 5.3.2. The Property MatchFieldValue............................MUST 5.3.3. The Property CredentialType.............................MUST 5.4. 
The Class IPSOFilterEntry..................................MAY 5.4.1. The Property MatchConditionType.........................MUST 5.4.2. The Property MatchConditionValue........................MUST 5.5. The Class PeerIDPayloadFilterEntry.........................MAY 5.5.1. The Property MatchIdentityType..........................MUST 5.5.2. The Property MatchIdentityValue.........................MUST 5.6. The Association Class FilterOfSACondition...............SHOULD 5.6.1. The Reference Antecedent................................MUST 5.6.2. The Reference Dependent.................................MUST 5.7. The Association Class AcceptCredentialFrom.................MAY 5.7.1. The Reference Antecedent................................MUST 5.7.2. The Reference Dependent.................................MUST 6. Action Classes 6.1. The Class SAAction........................................MUST 6.1.1. The Property DoActionLogging.............................MAY 6.1.2. The Property DoPacketLogging.............................MAY 6.2. The Class SAStaticAction..................................MUST 6.2.1. The Property LifetimeSeconds............................MUST 6.3. The Class IPsecBypassAction.............................SHOULD
6.4. The Class IPsecDiscardAction............................SHOULD 6.5. The Class IKERejectAction..................................MAY 6.6. The Class PreconfiguredSAAction...........................MUST 6.6.1. The Property LifetimeKilobytes..........................MUST 6.7. The Class PreconfiguredTransportAction....................MUST 6.8. The Class PreconfiguredTunnelAction.......................MUST 6.8.1. The Property DFHandling.................................MUST 6.9. The Class SANegotiationAction.............................MUST 6.10. The Class IKENegotiationAction...........................MUST 6.10.1. The Property MinLifetimeSeconds.........................MAY 6.10.2. The Property MinLifetimeKilobytes.......................MAY 6.10.3. The Property IdleDurationSeconds........................MAY 6.11. The Class IPsecAction....................................MUST 6.11.1. The Property UsePFS....................................MUST 6.11.2. The Property UseIKEGroup................................MAY 6.11.3. The Property GroupId...................................MUST 6.11.4. The Property Granularity.............................SHOULD 6.11.5. The Property VendorID...................................MAY 6.12. The Class IPsecTransportAction...........................MUST 6.13. The Class IPsecTunnelAction..............................MUST 6.13.1. The Property DFHandling................................MUST 6.14. The Class IKEAction......................................MUST 6.14.1. The Property ExchangeMode ............................MUST 6.14.2. The Property UseIKEIdentityType........................MUST 6.14.3. The Property VendorID...................................MAY 6.14.4. The Property AggressiveModeGroupId......................MAY 6.15. The Class PeerGateway....................................MUST 6.15.1. The Property Name....................................SHOULD 6.15.2. The Property PeerIdentityType..........................MUST 6.15.3. 
The Property PeerIdentity..............................MUST 6.16. The Association Class PeerGatewayForTunnel...............MUST 6.16.1. The Reference Antecedent...............................MUST 6.16.2. The Reference Dependent................................MUST 6.16.3. The Property SequenceNumber..........................SHOULD 6.17. The Aggregation Class ContainedProposal..................MUST 6.17.1. The Reference GroupComponent...........................MUST 6.17.2. The Reference PartComponent............................MUST 6.17.3. The Property SequenceNumber............................MUST 6.18. The Association Class HostedPeerGatewayInformation........MAY 6.18.1. The Reference Antecedent...............................MUST 6.18.2. The Reference Dependent................................MUST 6.19. The Association Class TransformOfPreconfiguredAction.....MUST 6.19.1. The Reference Antecedent...............................MUST 6.19.2. The Reference Dependent................................MUST 6.19.3. The Property SPI.......................................MUST 6.19.4. The Property Direction.................................MUST 6.20. The Association Class PeerGatewayForPreconfiguredTunnel..MUST 6.20.1. The Reference Antecedent...............................MUST
6.4. The Class IPsecDiscardAction............................SHOULD 6.5. The Class IKERejectAction..................................MAY 6.6. The Class PreconfiguredSAAction...........................MUST 6.6.1. The Property LifetimeKilobytes..........................MUST 6.7. The Class PreconfiguredTransportAction....................MUST 6.8. The Class PreconfiguredTunnelAction.......................MUST 6.8.1. The Property DFHandling.................................MUST 6.9. The Class SANegotiationAction.............................MUST 6.10. The Class IKENegotiationAction...........................MUST 6.10.1. The Property MinLifetimeSeconds.........................MAY 6.10.2. The Property MinLifetimeKilobytes.......................MAY 6.10.3. The Property IdleDurationSeconds........................MAY 6.11. The Class IPsecAction....................................MUST 6.11.1. The Property UsePFS....................................MUST 6.11.2. The Property UseIKEGroup................................MAY 6.11.3. The Property GroupId...................................MUST 6.11.4. The Property Granularity.............................SHOULD 6.11.5. The Property VendorID...................................MAY 6.12. The Class IPsecTransportAction...........................MUST 6.13. The Class IPsecTunnelAction..............................MUST 6.13.1. The Property DFHandling................................MUST 6.14. The Class IKEAction......................................MUST 6.14.1. The Property ExchangeMode ............................MUST 6.14.2. The Property UseIKEIdentityType........................MUST 6.14.3. The Property VendorID...................................MAY 6.14.4. The Property AggressiveModeGroupId......................MAY 6.15. The Class PeerGateway....................................MUST 6.15.1. The Property Name....................................SHOULD 6.15.2. The Property PeerIdentityType..........................MUST 6.15.3. 
The Property PeerIdentity..............................MUST 6.16. The Association Class PeerGatewayForTunnel...............MUST 6.16.1. The Reference Antecedent...............................MUST 6.16.2. The Reference Dependent................................MUST 6.16.3. The Property SequenceNumber..........................SHOULD 6.17. The Aggregation Class ContainedProposal..................MUST 6.17.1. The Reference GroupComponent...........................MUST 6.17.2. The Reference PartComponent............................MUST 6.17.3. The Property SequenceNumber............................MUST 6.18. The Association Class HostedPeerGatewayInformation........MAY 6.18.1. The Reference Antecedent...............................MUST 6.18.2. The Reference Dependent................................MUST 6.19. The Association Class TransformOfPreconfiguredAction.....MUST 6.19.1. The Reference Antecedent...............................MUST 6.19.2. The Reference Dependent................................MUST 6.19.3. The Property SPI.......................................MUST 6.19.4. The Property Direction.................................MUST 6.20. The Association Class PeerGatewayForPreconfiguredTunnel..MUST 6.20.1. The Reference Antecedent...............................MUST
6.20.2. The Reference Dependent................................MUST 7. Proposal and Transform Classes 7.1. The Abstract Class SAProposal.............................MUST 7.1.1. The Property Name.....................................SHOULD 7.2 The Class IKEProposal......................................MUST 7.2.1. The Property CipherAlgorithm............................MUST 7.2.2. The Property HashAlgorithm..............................MUST 7.2.3. The Property PRFAlgorithm................................MAY 7.2.4. The Property GroupId....................................MUST 7.2.5. The Property AuthenticationMethod.......................MUST 7.2.6. The Property MaxLifetimeSeconds.........................MUST 7.2.7. The Property MaxLifetimeKilobytes.......................MUST 7.2.8. The Property VendorID....................................MAY 7.3. The Class IPsecProposal...................................MUST 7.4. The Abstract Class SATransform............................MUST 7.4.1. The Property TransformName............................SHOULD 7.4.2. The Property VendorID....................................MAY 7.4.3. The Property MaxLifetimeSeconds.........................MUST 7.4.4. The Property MaxLifetimeKilobytes.......................MUST 7.5. The Class AHTransform.....................................MUST 7.5.1. The Property AHTransformId..............................MUST 7.5.2. The Property UseReplayPrevention.........................MAY 7.5.3. The Property ReplayPreventionWindowSize..................MAY 7.6. The Class ESPTransform....................................MUST 7.6.1. The Property IntegrityTransformId.......................MUST 7.6.2. The Property CipherTransformId..........................MUST 7.6.3. The Property CipherKeyLength.............................MAY 7.6.4. The Property CipherKeyRounds.............................MAY 7.6.5. The Property UseReplayPrevention.........................MAY 7.6.6. 
The Property ReplayPreventionWindowSize..................MAY 7.7. The Class IPCOMPTransform..................................MAY 7.7.1. The Property Algorithm..................................MUST 7.7.2. The Property DictionarySize..............................MAY 7.7.3. The Property PrivateAlgorithm............................MAY 7.8. The Association Class SAProposalInSystem...................MAY 7.8.1. The Reference Antecedent................................MUST 7.8.2. The Reference Dependent.................................MUST 7.9. The Aggregation Class ContainedTransform..................MUST 7.9.1. The Reference GroupComponent............................MUST 7.9.2. The Reference PartComponent.............................MUST 7.9.3. The Property SequenceNumber.............................MUST 7.10. The Association Class SATransformInSystem.................MAY 7.10.1. The Reference Antecedent...............................MUST 7.10.2. The Reference Dependent................................MUST 8. IKE Service and Identity Classes 8.1. The Class IKEService.......................................MAY 8.2. The Class PeerIdentityTable................................MAY 8.3.1. The Property Name.....................................SHOULD
8.3. The Class PeerIdentityEntry................................MAY
8.3.1. The Property PeerIdentity.............................SHOULD
8.3.2. The Property PeerIdentityType.........................SHOULD
8.3.3. The Property PeerAddress..............................SHOULD
8.3.4. The Property PeerAddressType..........................SHOULD
8.4. The Class AutostartIKEConfiguration........................MAY
8.5. The Class AutostartIKESetting..............................MAY
8.5.1. The Property Phase1Only..................................MAY
8.5.2. The Property AddressType..............................SHOULD
8.5.3. The Property SourceAddress..............................MUST
8.5.4. The Property SourcePort.................................MUST
8.5.5. The Property DestinationAddress.........................MUST
8.5.6. The Property DestinationPort............................MUST
8.5.7. The Property Protocol...................................MUST
8.6. The Class IKEIdentity......................................MAY
8.6.1. The Property IdentityType...............................MUST
8.6.2. The Property IdentityValue..............................MUST
8.6.3. The Property IdentityContexts............................MAY
8.7. The Association Class HostedPeerIdentityTable..............MAY
8.7.1. The Reference Antecedent................................MUST
8.7.2. The Reference Dependent.................................MUST
8.8. The Aggregation Class PeerIdentityMember...................MAY
8.8.1. The Reference Collection................................MUST
8.8.2. The Reference Member....................................MUST
8.9. The Association Class IKEServicePeerGateway................MAY
8.9.1. The Reference Antecedent................................MUST
8.9.2. The Reference Dependent.................................MUST
8.10. The Association Class IKEServicePeerIdentityTable.........MAY
8.10.1. The Reference Antecedent...............................MUST
8.10.2. The Reference Dependent................................MUST
8.11. The Association Class IKEAutostartSetting.................MAY
8.11.1. The Reference Element..................................MUST
8.11.2. The Reference Setting..................................MUST
8.12. The Aggregation Class AutostartIKESettingContext..........MAY
8.12.1. The Reference Context..................................MUST
8.12.2. The Reference Setting..................................MUST
8.12.3. The Property SequenceNumber..........................SHOULD
8.13. The Association Class IKEServiceForEndpoint...............MAY
8.13.1. The Reference Antecedent...............................MUST
8.13.2. The Reference Dependent................................MUST
8.14. The Association Class IKEAutostartConfiguration...........MAY
8.14.1. The Reference Antecedent...............................MUST
8.14.2. The Reference Dependent................................MUST
8.14.3. The Property Active..................................SHOULD
8.15. The Association Class IKEUsesCredentialManagementService..MAY
8.15.1. The Reference Antecedent...............................MUST
8.15.2. The Reference Dependent................................MUST
8.16. The Association Class EndpointHasLocalIKEIdentity.........MAY
8.16.1. The Reference Antecedent...............................MUST
8.16.2. The Reference Dependent................................MUST
8.17. The Association Class CollectionHasLocalIKEIdentity.......MAY
8.17.1. The Reference Antecedent...............................MUST
8.17.2. The Reference Dependent................................MUST
8.18. The Association Class IKEIdentitysCredential..............MAY
8.18.1. The Reference Antecedent...............................MUST
8.18.2. The Reference Dependent................................MUST
This document only describes an information model for IPsec policy. It does not detail security requirements for storage or delivery of said information.
Physical models derived from this information model MUST implement the relevant security for storage and delivery. Most of the classes (e.g., IpHeadersFilter, SAAction, ...) MUST at least be provided with the integrity service; other pieces of information MUST also receive the confidentiality service (e.g., SharedSecret as described in the classes PeerIdentityEntry and PreconfiguredSAAction).
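The two service levels in the paragraph above can be made concrete in a derived storage representation: every field of a PeerIdentityEntry is covered by an integrity check, and the SharedSecret is additionally encrypted before it is written. The following is an added example, not code from the RFC or any implementation of it; the struct and field names (PeerIdentityRecord, StoredRecord, SealedSharedSecret) and the key handling are assumptions for illustration. It uses AES-GCM for the secret, bound to the entry's identity fields as associated data, and HMAC-SHA256 over the whole record, so that editing any field in storage (or moving a sealed secret to another peer's entry) is detected before the secret is ever decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// PeerIdentityRecord is a hypothetical in-memory PeerIdentityEntry (field
// names assumed for this example). Identity fields need integrity only;
// SharedSecret additionally needs confidentiality.
type PeerIdentityRecord struct {
	PeerIdentity, PeerIdentityType, PeerAddress, SharedSecret string
}

// StoredRecord is what a derived physical model writes out: every field is
// covered by the MAC, and only the shared secret is encrypted.
type StoredRecord struct {
	PeerIdentity       string `json:"peerIdentity"`
	PeerIdentityType   string `json:"peerIdentityType"`
	PeerAddress        string `json:"peerAddress"`
	SealedSharedSecret string `json:"sealedSharedSecret"` // hex(nonce || AES-GCM output)
	MAC                string `json:"mac"`                // hex(HMAC-SHA256) of the other fields
}

func newGCM(encKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(encKey) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aadFor binds the sealed secret to the identity fields of its own entry, so
// a ciphertext copied into another peer's record does not open.
func aadFor(s StoredRecord) []byte {
	b, _ := json.Marshal([]string{s.PeerIdentity, s.PeerIdentityType, s.PeerAddress})
	return b
}

// computeMAC authenticates the canonical JSON of the record with MAC cleared;
// Go struct field order is fixed, so the encoding is deterministic.
func computeMAC(s StoredRecord, macKey []byte) string {
	s.MAC = ""
	b, _ := json.Marshal(s)
	m := hmac.New(sha256.New, macKey)
	m.Write(b)
	return hex.EncodeToString(m.Sum(nil))
}

// Seal converts a record into its protected storage form.
func Seal(rec PeerIdentityRecord, encKey, macKey []byte) (StoredRecord, error) {
	aead, err := newGCM(encKey)
	if err != nil {
		return StoredRecord{}, err
	}
	out := StoredRecord{PeerIdentity: rec.PeerIdentity, PeerIdentityType: rec.PeerIdentityType, PeerAddress: rec.PeerAddress}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredRecord{}, err
	}
	out.SealedSharedSecret = hex.EncodeToString(aead.Seal(nonce, nonce, []byte(rec.SharedSecret), aadFor(out)))
	out.MAC = computeMAC(out, macKey)
	return out, nil
}

// Open verifies integrity of the whole record first and only then decrypts
// the shared secret; a change to any field is reported as an error.
func Open(s StoredRecord, encKey, macKey []byte) (PeerIdentityRecord, error) {
	if !hmac.Equal([]byte(computeMAC(s, macKey)), []byte(s.MAC)) {
		return PeerIdentityRecord{}, errors.New("integrity check failed: record modified or wrong MAC key")
	}
	aead, err := newGCM(encKey)
	if err != nil {
		return PeerIdentityRecord{}, err
	}
	raw, err := hex.DecodeString(s.SealedSharedSecret)
	if err != nil || len(raw) < aead.NonceSize() {
		return PeerIdentityRecord{}, errors.New("malformed sealed secret")
	}
	pt, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], aadFor(s))
	if err != nil {
		return PeerIdentityRecord{}, errors.New("shared secret failed to decrypt")
	}
	return PeerIdentityRecord{s.PeerIdentity, s.PeerIdentityType, s.PeerAddress, string(pt)}, nil
}

func main() {
	// Constructed sample keys and entry; a deployment would obtain keys from its key manager.
	encKey, macKey := make([]byte, 32), make([]byte, 32)
	for i := range encKey {
		encKey[i], macKey[i] = 0x11, 0x22
	}
	stored, err := Seal(PeerIdentityRecord{"gw1.example.net", "FQDN", "192.0.2.1", "constructed-psk"}, encKey, macKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored form: %+v\n", stored)
	stored.PeerAddress = "198.51.100.9" // simulate an edit made directly in storage
	_, err = Open(stored, encKey, macKey)
	fmt.Println("after tampering:", err)
}
```

Integrity is checked over the stored form (including the ciphertext) before any decryption, so a corrupted or substituted record is rejected without touching the key that protects the secret; the separate MAC and encryption keys mirror the RFC's distinction between fields that need only integrity and those that also need confidentiality.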
The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11.
Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.
The views and specification herein are those of the authors and are not necessarily those of their employer. The authors and their employer specifically disclaim responsibility for any problems arising from correct or incorrect implementation or use of this specification.
The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire, Vic Lortz, William Dixon, Man Li, Wes Hardaker and Ricky Charlet for their contributions to this IPsec policy model.
Additionally, this document would not have been possible without the preceding IPsec schema documents. For that, thanks go out to Rob Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju Rajan.
Jamie Jason
Intel Corporation
MS JF3-206
2111 NE 25th Ave.
Hillsboro, OR 97124

EMail: jamie.jason@intel.com
Lee Rafalow
IBM Corporation, BRQA/502
4205 So. Miami Blvd.
Research Triangle Park, NC 27709

EMail: rafalow@watson.ibm.com
Eric Vyncke
Cisco Systems
7 De Kleetlaan
B-1831 Diegem
Belgium

EMail: evyncke@cisco.com
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees.
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the Internet Society.