IPsecPolicy\CIM_IPsecTunnelAction.mof.mof (HTML version)

CIM_IPsecTunnelAction Superclass: CIM_IPsecAction
IPsecTunnelAction is used to specify that a tunnel-mode SA should be negotiated.
Qualifiers:Version ( "2.8.0" ) MappingStrings { "IPSP Policy Model.IETF|IPsecTunnelAction" } UMLPackagePath ( "CIM::IPsecPolicy" )
Properties
ValueMap { "2" , "3" , "4" }
Values { "Copy from Internal to External IP Header" , "Set DF Bit in External Header to 1" , "Set DF Bit in External Header to 0" }
MappingStrings { "IPSP Policy Model.IETF|PreconfiguredTunnelAction.DFHandling" }
ModelCorrespondence { "CIM_IPsecSAEndpoint.DFHandling" }
uint16 DFHandling ;
DFHandling controls how the tunnel sets the Don't Fragment (DF) bit in the external (outer) IP header: copied from the internal header, forced to 1, or forced to 0.
ModelCorrespondence { "CIM_IPsecAction.Granularity" }
string OtherGranularity ;
Description of the granularity when the value 1 ('Other') is specified for the property, Granularity.
ValueMap { "1" , "2" , "3" , "4" , "5" }
Values { "Other" , "Subnet" , "Address" , "Protocol" , "Port" }
MappingStrings { "IPSP Policy Model.IETF|IPsecAction.Granularity" }
ModelCorrespondence { "CIM_IPsecAction.OtherGranularity" }
uint16 Granularity ;
The property Granularity is an enumeration that specifies how the selector for the SA should be derived from the traffic that triggered the negotiation. Its values are:
1=Other; See the OtherGranularity property for more information
2=Subnet; The source and destination subnet masks are used
3=Address; The source and destination IP addresses of the triggering packet are used
4=Protocol; The source and destination IP addresses and the IP protocol of the triggering packet are used
5=Port; The source and destination IP addresses, IP protocol and the source and destination layer 4 ports of the triggering packet are used.
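The enumeration above describes selector derivation in words; the following is an added example (not part of the MOF or any DMTF implementation) that derives the SA selector from a constructed triggering packet for each Granularity value and then checks whether later packets fall inside that selector. The Packet and Selector layouts, the default subnet masks, and the fallback for Port granularity on a port-less protocol are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Granularity values as enumerated by CIM_IPsecAction.Granularity.
OTHER, SUBNET, ADDRESS, PROTOCOL, PORT = 1, 2, 3, 4, 5


@dataclass(frozen=True)
class Packet:
    """The packet that triggered SA negotiation (constructed; assumed fields)."""
    src: str
    dst: str
    proto: int            # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    sport: Optional[int]  # None when the protocol carries no layer-4 ports
    dport: Optional[int]


@dataclass(frozen=True)
class Selector:
    """Selector the SA is negotiated for; None means 'any' for that field."""
    src: str              # CIDR network (host /32 or subnet)
    dst: str
    proto: Optional[int]
    sport: Optional[int]
    dport: Optional[int]


def derive_selector(pkt: Packet, granularity: int,
                    src_mask: str = "255.255.255.0",
                    dst_mask: str = "255.255.255.0") -> Selector:
    """Map a triggering packet to an SA selector per the Granularity enum.

    src_mask/dst_mask stand in for the subnet masks the Subnet case uses;
    where a real SPD takes them from is outside this example (assumption).
    """
    if granularity == OTHER:
        # The MOF defers the meaning to OtherGranularity; nothing generic applies.
        raise ValueError("Granularity 1 (Other): consult OtherGranularity")
    if granularity == SUBNET:
        src = ipaddress.ip_network(f"{pkt.src}/{src_mask}", strict=False)
        dst = ipaddress.ip_network(f"{pkt.dst}/{dst_mask}", strict=False)
        return Selector(str(src), str(dst), None, None, None)
    if granularity not in (ADDRESS, PROTOCOL, PORT):
        raise ValueError(f"unknown Granularity value {granularity}")
    # Values 3, 4 and 5 narrow cumulatively: host addresses, then protocol, then ports.
    src = str(ipaddress.ip_network(pkt.src))   # host route, e.g. 10.0.1.7/32
    dst = str(ipaddress.ip_network(pkt.dst))
    proto = pkt.proto if granularity >= PROTOCOL else None
    # Port granularity on a port-less protocol (ICMP) degrades to Protocol because
    # the ports are None; that fallback is an assumption, not something the MOF states.
    sport = pkt.sport if granularity == PORT else None
    dport = pkt.dport if granularity == PORT else None
    return Selector(src, dst, proto, sport, dport)


def selector_matches(sel: Selector, pkt: Packet) -> bool:
    """True if a later packet falls within the negotiated selector."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(sel.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(sel.dst):
        return False
    if sel.proto is not None and sel.proto != pkt.proto:
        return False
    if sel.sport is not None and sel.sport != pkt.sport:
        return False
    if sel.dport is not None and sel.dport != pkt.dport:
        return False
    return True


if __name__ == "__main__":
    trigger = Packet("10.0.1.7", "192.0.2.33", 6, 51234, 443)   # constructed
    for g in (SUBNET, ADDRESS, PROTOCOL, PORT):
        print(g, derive_selector(trigger, g))
```

The practical consequence the enumeration hides: a Port-granularity SA negotiated for one TCP connection will not cover the next connection between the same hosts, so each new flow triggers another negotiation, whereas Address or Subnet granularity amortises one SA over many flows.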
ValueMap { "0" , "1" , "2" , "3" , "4" , "5" , ".." , "0x8000.." }
Values { "No Group/Non-Diffie-Hellman Exchange" , "DH-768 bit prime" , "DH-1024 bit prime" , "EC2N-155 bit field element" , "EC2N-185 bit field element" , "DH-1536 bit prime" , "Standard Group - Reserved" , "Vendor Reserved" }
MappingStrings { "IPSP Policy Model.IETF|IPsecAction.GroupID" , "RFC2412.IETF|Appendix E" }
ModelCorrespondence { "CIM_IPsecAction.VendorID" , "CIM_IKESAEndpoint.GroupID" }
uint16 GroupId ;
GroupId specifies the PFS group ID to use. This value is only used if UsePFS is True and UsePhase1Group is False. If the GroupId number is from the vendor-specific range (32768-65535), the VendorID qualifies the group number. Well-known group identifiers from RFC2412, Appendix E, are: Group 1='768 bit prime', Group 2='1024 bit prime', Group 3='Elliptic Curve Group with 155 bit field element', Group 4='Large Elliptic Curve Group with 185 bit field element', and Group 5='1536 bit prime'. Note that this enumeration predates current key-size guidance: RFC 8247 lists Group 1 as MUST NOT and Group 2 as SHOULD NOT for IKEv2, and makes the 2048-bit MODP group (Group 14) the mandatory-to-implement baseline, so a policy selecting Groups 1 or 2 should be treated as a misconfiguration.
MappingStrings { "IPSP Policy Model.IETF|IPsecAction.UsePFS" }
ModelCorrespondence { "CIM_IPsecSAEndpoint.PFSInUse" }
boolean UsePFS ;
UsePFS indicates whether perfect forward secrecy is required when refreshing keys.
MappingStrings { "IPSP Policy Model.IETF|IPsecAction.UseIKEGroup" }
boolean UsePhase1Group ;
UsePhase1Group indicates that the phase 2 GroupId should be the same as that used in the phase 1 key exchange. If UsePFS is False, then this property is ignored. Note that a value of False indicates that the property GroupId will contain the key exchange group to use for phase 2.
MappingStrings { "IPSP Policy Model.IETF|IPsecAction.VendorID" }
ModelCorrespondence { "CIM_IPsecAction.GroupId" , "CIM_IKESAEndpoint.VendorID" }
string VendorID ;
The property VendorID is used together with the property GroupId (when it is in the vendor-specific range) to identify the key exchange group. VendorID is ignored unless UsePFS is True, AND UsePhase1Group is False, AND GroupId is in the vendor-specific range (32768-65535).
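The three properties UsePFS, UsePhase1Group and GroupId (with VendorID) form a small decision tree, and the descriptions above state which properties are ignored at each step. The following is an added example (not code from the MOF or a DMTF implementation) that resolves the effective phase-2 group from those properties and flags the groups in the ValueMap that current IKE guidance rejects. The PfsPolicy dataclass, the treatment of GroupId 0 under UsePFS as an error, and the warning text are assumptions of this example; the RFC 8247 statuses quoted are as published.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Well-known Oakley groups from RFC 2412 Appendix E, as in the GroupId ValueMap.
STANDARD_GROUPS = {
    0: "No Group/Non-Diffie-Hellman Exchange",
    1: "DH-768 bit prime",
    2: "DH-1024 bit prime",
    3: "EC2N-155 bit field element",
    4: "EC2N-185 bit field element",
    5: "DH-1536 bit prime",
}
VENDOR_RANGE = range(0x8000, 0x10000)   # 32768-65535, "Vendor Reserved"

# IKEv2 algorithm guidance from RFC 8247 section 2.4 for groups in this enumeration.
GROUP_STATUS = {1: "MUST NOT", 2: "SHOULD NOT"}


@dataclass(frozen=True)
class PfsPolicy:
    """The PFS-related properties of CIM_IPsecAction (assumed container)."""
    use_pfs: bool
    use_phase1_group: bool
    group_id: int
    vendor_id: Optional[str] = None


def resolve_phase2_group(policy: PfsPolicy,
                         phase1_group_id: int) -> Optional[Tuple[int, Optional[str]]]:
    """Return the (GroupId, VendorID) a phase-2 negotiation must use, or None if no PFS.

    phase1_group_id is the group the phase-1 SA was established with
    (CIM_IKESAEndpoint.GroupID); it only matters when UsePhase1Group is True.
    """
    if not policy.use_pfs:
        return None                        # GroupId, UsePhase1Group, VendorID all ignored
    if policy.use_phase1_group:
        return (phase1_group_id, None)     # GroupId and VendorID ignored
    gid = policy.group_id
    if gid in VENDOR_RANGE:
        if not policy.vendor_id:
            raise ValueError(f"GroupId {gid} is vendor-specific but VendorID is empty")
        return (gid, policy.vendor_id)
    if gid == 0:
        # PFS means a fresh Diffie-Hellman exchange; "No Group" cannot provide one.
        # Treating this combination as an error is this example's choice.
        raise ValueError("UsePFS requires a Diffie-Hellman group; GroupId 0 is not one")
    if gid in STANDARD_GROUPS:
        return (gid, None)                 # VendorID ignored for standard groups
    raise ValueError(f"GroupId {gid} is in the reserved standard range (6-32767)")


def group_warning(group_id: int) -> Optional[str]:
    """Explain why a resolved standard group should not be deployed, or None."""
    if group_id in GROUP_STATUS:
        return f"{STANDARD_GROUPS[group_id]}: {GROUP_STATUS[group_id]} per RFC 8247"
    if group_id in STANDARD_GROUPS and group_id != 0:
        # Groups 3, 4 and 5 carry no explicit status here, but all predate the
        # 2048-bit MODP (Group 14) baseline that RFC 8247 makes mandatory.
        return f"{STANDARD_GROUPS[group_id]}: below the RFC 8247 Group 14 baseline"
    return None      # vendor groups: strength unknown to this example


if __name__ == "__main__":
    policy = PfsPolicy(use_pfs=True, use_phase1_group=False, group_id=2)
    gid, vendor = resolve_phase2_group(policy, phase1_group_id=14)
    print(gid, vendor, group_warning(gid))
```

When UsePhase1Group is True the phase-2 strength is whatever phase 1 negotiated, which is why the example takes the phase-1 group as an input rather than reading it from the policy object.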
MappingStrings { "IPSP Policy Model.IETF|IKENegotiationAction.IdleDurationSeconds" }
Units ( "Seconds" )
ModelCorrespondence { "CIM_SecurityAssociationEndpoint.IdleDurationSeconds" }
uint64 IdleDurationSeconds = 0 ;
IdleDurationSeconds is the time an SA can remain idle (i.e., no traffic protected using the security association) before it is automatically deleted. The default (zero) value indicates that there is no idle duration timer and that the SA is deleted based upon the SA seconds and kilobyte lifetimes. Any non-zero value indicates the number of seconds that the SA may remain unused.
MappingStrings { "IPSP Policy Model.IETF|IKENegotiationAction.MinLifetimeKilobytes" }
Units ( "KiloBytes" )
ModelCorrespondence { "CIM_SecurityAssociationEndpoint.LifetimeKilobytes" }
uint64 MinLifetimeKilobytes = 0 ;
MinLifetimeKilobytes prevents certain denial of service attacks where the peer requests an arbitrarily low lifetime value, causing renegotiations with expensive Diffie-Hellman operations. The property specifies the minimum lifetime, in kilobytes, that will be accepted from the peer. A value of zero (the default) indicates that there is no minimum value. A non-zero value specifies the minimum kilobytes lifetime. Note that there has been considerable debate regarding the usefulness of applying kilobyte lifetimes to phase 1 security associations, so it is likely that this property will only apply to the subclass, IPsecAction.
MappingStrings { "IPSP Policy Model.IETF|IKENegotiationAction.MinLifetimeSeconds" }
Units ( "Seconds" )
ModelCorrespondence { "CIM_SecurityAssociationEndpoint.LifetimeSeconds" }
uint64 MinLifetimeSeconds = 0 ;
MinLifetimeSeconds prevents certain denial of service attacks where the peer requests an arbitrarily low lifetime value, causing renegotiations with expensive Diffie-Hellman operations. The property specifies the minimum lifetime, in seconds, that will be accepted from the peer. A value of zero (the default) indicates that there is no minimum value. A non-zero value specifies the minimum seconds lifetime.
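The two MinLifetime properties describe a check made on the peer's proposal, and IdleDurationSeconds (above) describes a timer applied to an SA once it exists. The following is an added example (not code from the MOF or any IKE implementation) that applies both: it rejects proposals below the configured minimums, quantifies the renegotiation load an unbounded proposal would allow, and decides when an established SA is due for deletion. The LifetimePolicy container, the treatment of a lifetime the peer did not propose as "nothing to enforce", and the reason strings are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LifetimePolicy:
    """Lifetime-related properties of CIM_IKENegotiationAction; 0 = not enforced."""
    min_lifetime_seconds: int = 0
    min_lifetime_kilobytes: int = 0
    idle_duration_seconds: int = 0


def accept_peer_lifetimes(policy: LifetimePolicy,
                          proposed_seconds: Optional[int],
                          proposed_kilobytes: Optional[int]) -> Optional[str]:
    """Return None to accept the peer's proposed lifetimes, else the rejection reason.

    A proposal of None means the peer proposed no lifetime of that kind; the
    minimum then has nothing to apply to (an assumption, the MOF does not say).
    """
    min_s, min_kb = policy.min_lifetime_seconds, policy.min_lifetime_kilobytes
    if proposed_seconds is not None and min_s and proposed_seconds < min_s:
        return f"seconds lifetime {proposed_seconds} below minimum {min_s}"
    if proposed_kilobytes is not None and min_kb and proposed_kilobytes < min_kb:
        return f"kilobyte lifetime {proposed_kilobytes} below minimum {min_kb}"
    return None


def rekeys_per_hour(lifetime_seconds: int) -> float:
    """Upper bound on Diffie-Hellman rekeys per hour a peer can force by
    proposing the given seconds lifetime (the cost MinLifetimeSeconds bounds)."""
    if lifetime_seconds <= 0:
        raise ValueError("lifetime must be positive")
    return 3600 / lifetime_seconds


def sa_expiry_reason(policy: LifetimePolicy, now: int, established_at: int,
                     last_traffic_at: int, lifetime_seconds: int,
                     lifetime_kilobytes: int, kilobytes_used: int) -> Optional[str]:
    """Why an established SA should be deleted now, or None if it still lives.

    lifetime_seconds / lifetime_kilobytes are the values agreed for this SA
    (0 = none agreed); the idle timer comes from IdleDurationSeconds and, per
    the MOF, is disabled when that property is 0.
    """
    idle = policy.idle_duration_seconds
    if idle and now - last_traffic_at >= idle:
        return "idle"
    if lifetime_seconds and now - established_at >= lifetime_seconds:
        return "seconds lifetime"
    if lifetime_kilobytes and kilobytes_used >= lifetime_kilobytes:
        return "kilobyte lifetime"
    return None


if __name__ == "__main__":
    policy = LifetimePolicy(min_lifetime_seconds=300, min_lifetime_kilobytes=1024,
                            idle_duration_seconds=120)
    # Constructed proposals: a sane one and one that would force a rekey every 5 s.
    print(accept_peer_lifetimes(policy, 3600, 102400))
    print(accept_peer_lifetimes(policy, 5, 102400), rekeys_per_hour(5))
```

The ordering in sa_expiry_reason matters only for the reported reason; an SA is deleted as soon as any of the three conditions holds, and with IdleDurationSeconds at its default of 0 only the two negotiated lifetimes apply, as the property description states.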
MappingStrings { "IPSP Policy Model.IETF|SAAction.DoPacketLogging" }
ModelCorrespondence { "CIM_SecurityAssociationEndpoint.PacketLoggingActive" }
boolean DoPacketLogging ;
DoPacketLogging causes a log message to be generated when the action is applied to a packet.
MaxLen ( 256 )
Key
string PolicyActionName ;
A user-friendly name of this PolicyAction.
MaxLen ( 256 )
Key
string SystemCreationClassName ;
The name of the class or the subclass used in the creation of the System object in whose scope this PolicyAction is defined.

This property helps to identify the System object in whose scope this instance of PolicyAction exists. For a rule-specific PolicyAction, this is the System in whose context the PolicyRule is defined. For a reusable PolicyAction, this is the instance of PolicyRepository (which is a subclass of System) that holds the Action.

Note that this property, and the analogous property SystemName, do not represent propagated keys from an instance of the class System. Instead, they are properties defined in the context of this class, which repeat the values from the instance of System to which this PolicyAction is related, either directly via the PolicyActionInPolicyRepository association or indirectly via the PolicyActionInPolicyRule aggregation.
MaxLen ( 256 )
Key
string PolicyRuleCreationClassName ;
For a rule-specific PolicyAction, the CreationClassName of the PolicyRule object with which this Action is associated. For a reusable PolicyAction, a special value, 'NO RULE', should be used to indicate that this Action is reusable and not associated with a single PolicyRule.
MaxLen ( 256 )
Key
string SystemName ;
The name of the System object in whose scope this PolicyAction is defined.

This property completes the identification of the System object in whose scope this instance of PolicyAction exists. For a rule-specific PolicyAction, this is the System in whose context the PolicyRule is defined. For a reusable PolicyAction, this is the instance of PolicyRepository (which is a subclass of System) that holds the Action.
boolean DoActionLogging ;
DoActionLogging causes a log message to be generated when the action is performed.
MaxLen ( 256 )
Key
string CreationClassName ;
CreationClassName indicates the name of the class or the subclass used in the creation of an instance. When used with the other key properties of this class, this property allows all instances of this class and its subclasses to be uniquely identified.
MaxLen ( 256 )
Key
string PolicyRuleName ;
For a rule-specific PolicyAction, the name of the PolicyRule object with which this Action is associated. For a reusable PolicyAction, a special value, 'NO RULE', should be used to indicate that this Action is reusable and not associated with a single PolicyRule.
string PolicyKeywords [ ] ;
An array of keywords for characterizing / categorizing policy objects. Keywords are of one of two types:
- Keywords defined in this and other MOFs, or in DMTF white papers. These keywords provide a vendor-independent, installation-independent way of characterizing policy objects.
- Installation-dependent keywords for characterizing policy objects. Examples include 'Engineering', 'Billing', and 'Review in December 2000'.
This MOF defines the following keywords: 'UNKNOWN', 'CONFIGURATION', 'USAGE', 'SECURITY', 'SERVICE', 'MOTIVATIONAL', 'INSTALLATION', and 'EVENT'. These concepts are self-explanatory and are further discussed in the SLA/Policy White Paper. One additional keyword is defined: 'POLICY'. The role of this keyword is to identify policy-related instances that may not be otherwise identifiable, in some implementations. The keyword 'POLICY' is NOT mutually exclusive of the other keywords specified above.
string CommonName ;
A user-friendly name of this policy-related object.
string ElementName ;
A user-friendly name for the object. This property allows each instance to define a user-friendly name in addition to its key properties, identity data, and description information.
Note that the Name property of ManagedSystemElement is also defined as a user-friendly name. But, it is often subclassed to be a Key. It is not reasonable that the same property can convey both identity and a user-friendly name, without inconsistencies. Where Name exists and is not a Key (such as for instances of LogicalDevice), the same information can be present in both the Name and ElementName properties.
MaxLen ( 64 )
string Caption ;
The Caption property is a short textual description (one-line string) of the object.
string Description ;
The Description property provides a textual description of the object.