2.2.1.4.1 ipsecNegotiationPolicy{GUID} Object Description

The following table specifies the attributes of the ipsecNegotiationPolicy class object, as specified in [MS-ADSC], [MS-ADA1], and [MS-ADA3].

Name (Type): Description

objectClass (LDAPString): The Directory String that contains the object class; for this object it is "ipsecNegotiationPolicy". This attribute is only used during policy creation.

ipsecName (LDAPString): The ipsecName attribute of the ipsecNegotiationPolicy object. This MUST NOT be set to NULL.<20>

Description (LDAPString): A user-constructed Directory String that is intended to describe the negotiation policy, for example "Secure the traffic with ESP(3DES)".

whenChanged (UTC-coded string): The Unicode-generalized time syntax of the date and time at which the policy was last changed. This value is set by the Active Directory server.

ipsecID (LDAPString): The Directory String that contains the curly-braced GUID string of this ipsecNegotiationPolicy object, for example "{6A1E5C3F-72B7-11d2-ACF0-02603625CAFE}".

distinguishedName (Distinguished name): The Directory String description of the directory location (DN) of this negotiation policy object. This MUST be set by the protocol. A typical value is "CN=ipsecNegotiationPolicy{6A1E5C3F-72B7-11D2-ACF0-0260B025CAFE},CN=IP Security,CN=System,DC=myDomain,DC=contoso,DC=com".

ipsecNegotiationPolicyAction (LDAPString): The Directory String of the GUID that represents the action to be taken on traffic that matches a filter. For the permitted values, see the ipsecNegotiationPolicyAction table that follows. A typical value is "{3F91A819-7647-11D1-864D-D46A00000000}".

ipsecNegotiationPolicyType (LDAPString): The Directory String of the GUID that represents the filter action type profile to use when interpreting the policy. For the permitted values, see the ipsecNegotiationPolicyType table that follows. A typical value is "{62F49E10-6C37-11D1-864C-14A300000000}".

ipsecOwnersReference (List of distinguished names): A list of Directory String references to the owner ipsecNFA objects that are associated with this negotiation policy object. The list MUST be composed of DNs in the format of [RFC2251], with any two DNs separated by 2 bytes of '0' (for example, DN1 2bytesof0 DN2, where DN1 and DN2 are distinguished names).

ipsecDataType (LDAPString): The identifier that describes the format of the ipsecData attribute. This MUST be the Directory String representation of the unsigned integer value 0x100.

ipsecData (Octet string): The octet string representation of the binary data that carries additional policy data, as described in the ipsecData attribute description that follows.

Note The ipsecNegotiationPolicy object as specified in LDAP messages ([MS-ADSC], section 2.73, "Class ipsecNegotiationPolicy") is encoded using BER, as defined in [RFC2251] section 5.1.

The following tables specify the ipsecNegotiationPolicyType, ipsecNegotiationPolicyAction, and ipsecData attribute-specific sections, corresponding names, and the data types for the assigned values for the purpose of IPsec policy configuration.

The values of these settings MUST NOT be interpreted by this protocol; that is, they are applied as is to the IPsec component, which can interpret them independently of the protocol or mechanism that was used to configure them. A description of the interpretation by the IPsec component is provided for informative purposes (as opposed to the syntax, which is normative).

ipsecNegotiationPolicyType: The ipsecNegotiationPolicyType value description. The value MUST be one of the following.

  Value                                     Meaning
  {62F49E13-6C37-11D1-864C-14A300000000}    This negotiation policy uses the default response rule action type for SA negotiation.
  {62F49E10-6C37-11D1-864C-14A300000000}    This is a standard negotiation type; that is, it is not a default response.

ipsecNegotiationPolicyAction: The ipsecNegotiationPolicyAction value description. The value MUST be one of the following.

  Value                                     Meaning
  {3F91A819-7647-11D1-864D-D46A00000000}    Block: Prevent the IP traffic from flowing.
  {8A171DD2-77E3-11D1-8659-A04F00000000}    Permit: Allow the traffic to flow unhindered and unprotected by IPsec encapsulation.
  {8A171DD3-77E3-11D1-8659-A04F00000000}    Secure: Protect the traffic by IPsec encapsulation (for example, Authentication Header (AH) and/or Encapsulating Security Payload (ESP) encapsulation).
  {3F91A81A-7647-11D1-864D-D46A00000000}    Inbound pass-through: Accept the traffic even if it is not IPsec-protected; however, initiate IKE to the peer and evaluate the corresponding response against the traffic filters.

ipsecData attribute description:

Note that all fields specified in the following tables MUST appear in little-endian byte order.

  Offset (bytes)   Size (bytes)   Field
  0                16             Negotiation-Policy-ID
  16               4              DataLength
  20               4              Security-Offer-Count
  24               variable       Security-Offer-Data

Negotiation-Policy-ID (16 bytes): The identifier that marks this BLOB as negotiation policy data. MUST be the GUID whose string representation is "{80DC20B9-2EC8-11D1-A89E-00A0248D3021}".

DataLength (4 bytes): The length of the data that follows this field. This MUST be an unsigned integer. This field is always 1 byte less than the size of the following data encoded as an octet stream.

Security-Offer-Count (4 bytes): The number of security offers that are specified in the Security-Offer-Data that follows.

Security-Offer-Data (variable): The binary data that specifies additional policy data, stored in the binary format specified next. Each security offer is 80 bytes, so this field is Security-Offer-Count * 80 bytes in size.

  Offset (bytes)   Size (bytes)   Field
  0                4              Lifetime-Seconds
  4                4              Lifetime-KBytes
  8                4              Negotiation-Options
  12               4              PFS-QM-Required
  16               4              Algorithm-Offer-Count
  20               60             Algorithm-Offer-Data

Lifetime-Seconds (4 bytes): The QM lifetime, as defined in [RFC2409], in seconds, that IKE is to negotiate. This MUST be an unsigned integer.

Lifetime-KBytes (4 bytes): The QM lifetime, in kilobytes, that IKE is to negotiate. This MUST be an unsigned integer.

Negotiation-Options (4 bytes): The policy specification modifiers to apply to the negotiation policy. This MUST be 0x00000000.

PFS-QM-Required (4 bytes): Whether or not IKE is to negotiate PFS when negotiating QM. This MUST be one of the following values.

  Value        Meaning
  0x00000000   QM-PFS is used.
  0x00000001   QM-PFS is not used.

Algorithm-Offer-Count (4 bytes): The number of algorithm offers that are specified in the Algorithm-Offer-Data that follows; the maximum number supported is 3. This MUST be an unsigned integer.

Algorithm-Offer-Data (60 bytes): The binary data that specifies additional policy data, stored as three 20-byte entries in the binary format specified next. For the fields in this data, see [RFC2402] section 3.2 and [RFC2406] section 3.2. The size of this field is always 60 bytes, of which only the first Algorithm-Offer-Count * 20 bytes are significant; any other bytes in this field MUST be ignored.

  Offset (bytes)   Size (bytes)   Field
  0                4              Algorithm-Identifier
  4                4              ESP-Integrity-Identifier
  8                4              Offer-Type
  12               8              Zero1

Algorithm-Identifier (4 bytes): The IPsec framing algorithm identifier; either AH or ESP.

If AH is used (as specified by Offer-Type), it MUST have one of the values specified in the following table.

  Name        Value        Meaning
  AH[MD5]     0x00000001   AH framing with MD5.
  AH[SHA-1]   0x00000002   AH framing with SHA-1.

If ESP is used (as specified by Offer-Type), it MUST have one of the values specified in the following table.

  Name        Value        Meaning
  ESP[null]   0x00000001   ESP encapsulation with no encryption.
  ESP[DES]    0x00000002   ESP encapsulation with Data Encryption Standard (DES) encryption.
  ESP[3DES]   0x00000003   ESP encapsulation with Triple DES (3DES) encryption.

ESP-Integrity-Identifier (4 bytes): Specifies the Hash-based Message Authentication Code (HMAC) to use if ESP is specified by Offer-Type. This field MUST be one of the following values.

  Value        Meaning
  0x00000000   None (ESP is not used).
  0x00000001   ESP integrity with MD5.
  0x00000002   ESP integrity with SHA-1.

Offer-Type (4 bytes): The offer type that is presented; either Authentication or Encryption. This MUST be one of the following values.

  Value        Meaning
  0x00000001   AH encapsulation.
  0x00000002   ESP encapsulation.

Zero1 (8 bytes): This value MAY be filled with 0x00 and MUST be ignored when read.
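The following encoder/decoder for the ipsecData BLOB is an added example written for this page; it is not code from the specification or from any Microsoft component. It implements the three layouts above (the 24-byte header, the 80-byte security offer and the 20-byte algorithm offer) and, because the BLOB is read back from a directory object that an attacker with write access to the policy container could tamper with, it checks every count and length against the bytes actually present before indexing into them. Assumptions not stated on the page: the Negotiation-Policy-ID is stored in the usual little-endian (bytes_le) GUID layout, DataLength is validated exactly as the page words it (one byte less than the data that follows it), and the sample offers at the bottom are constructed for the demonstration. The weak-algorithm check at the end is a practitioner's audit layered on top of the format, not part of the protocol.

```python
import struct
import uuid
from dataclasses import dataclass

# Constants taken from the tables on this page.
NEGOTIATION_POLICY_ID = uuid.UUID("{80DC20B9-2EC8-11D1-A89E-00A0248D3021}")
OFFER_TYPE_AH, OFFER_TYPE_ESP = 0x1, 0x2
AH_ALGORITHMS = {0x1: "AH[MD5]", 0x2: "AH[SHA-1]"}
ESP_ALGORITHMS = {0x1: "ESP[null]", 0x2: "ESP[DES]", 0x3: "ESP[3DES]"}
ESP_INTEGRITY = {0x0: "none", 0x1: "HMAC-MD5", 0x2: "HMAC-SHA-1"}
MAX_ALGORITHM_OFFERS = 3
SECURITY_OFFER_SIZE = 80      # 5 DWORDs + 60 bytes of Algorithm-Offer-Data
ALGORITHM_OFFER_SIZE = 20     # 3 DWORDs + Zero1
HEADER_SIZE = 24              # Negotiation-Policy-ID + DataLength + Security-Offer-Count


@dataclass
class AlgorithmOffer:
    algorithm_id: int
    esp_integrity: int
    offer_type: int

    def describe(self) -> str:
        """Name the offer using the identifier tables on the page."""
        if self.offer_type == OFFER_TYPE_AH:
            return AH_ALGORITHMS.get(self.algorithm_id, f"AH[unknown {self.algorithm_id:#x}]")
        if self.offer_type == OFFER_TYPE_ESP:
            enc = ESP_ALGORITHMS.get(self.algorithm_id, f"ESP[unknown {self.algorithm_id:#x}]")
            return f"{enc}/{ESP_INTEGRITY.get(self.esp_integrity, 'unknown')}"
        return f"unknown offer type {self.offer_type:#x}"


@dataclass
class SecurityOffer:
    lifetime_seconds: int
    lifetime_kbytes: int
    pfs_qm_required: int          # 0 or 1, stored as the page defines it
    algorithms: list
    negotiation_options: int = 0  # MUST be 0 per the page


def encode_ipsec_data(offers: list) -> bytes:
    """Serialize security offers into an ipsecData BLOB (little-endian throughout)."""
    body = b""
    for offer in offers:
        if len(offer.algorithms) > MAX_ALGORITHM_OFFERS:
            raise ValueError("Algorithm-Offer-Count exceeds the maximum of 3")
        alg_data = b"".join(
            struct.pack("<3I8s", a.algorithm_id, a.esp_integrity, a.offer_type, bytes(8))
            for a in offer.algorithms)
        # Algorithm-Offer-Data is always 60 bytes; unused entries are zero-filled.
        alg_data = alg_data.ljust(MAX_ALGORITHM_OFFERS * ALGORITHM_OFFER_SIZE, b"\x00")
        body += struct.pack("<5I", offer.lifetime_seconds, offer.lifetime_kbytes,
                            offer.negotiation_options, offer.pfs_qm_required,
                            len(offer.algorithms)) + alg_data
    after_length = struct.pack("<I", len(offers)) + body
    # DataLength is one byte less than the size of the data that follows it (assumed reading of the page).
    return NEGOTIATION_POLICY_ID.bytes_le + struct.pack("<I", len(after_length) - 1) + after_length


def decode_ipsec_data(blob: bytes) -> list:
    """Parse an ipsecData BLOB; every count is checked against the bytes present before use."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("BLOB shorter than the fixed header")
    if uuid.UUID(bytes_le=blob[:16]) != NEGOTIATION_POLICY_ID:
        raise ValueError("Negotiation-Policy-ID mismatch: not a negotiation policy BLOB")
    data_length, offer_count = struct.unpack_from("<2I", blob, 16)
    if data_length != len(blob) - 20 - 1:
        raise ValueError(f"DataLength {data_length} inconsistent with {len(blob) - 21} bytes present")
    if len(blob) - HEADER_SIZE != offer_count * SECURITY_OFFER_SIZE:
        raise ValueError("Security-Offer-Count does not match the Security-Offer-Data size")
    offers = []
    for i in range(offer_count):
        off = HEADER_SIZE + i * SECURITY_OFFER_SIZE
        secs, kbytes, options, pfs, alg_count = struct.unpack_from("<5I", blob, off)
        if alg_count > MAX_ALGORITHM_OFFERS:
            raise ValueError(f"Algorithm-Offer-Count {alg_count} exceeds the maximum of 3")
        algs = []
        for j in range(alg_count):  # bytes beyond alg_count * 20 are ignored, as the page requires
            alg_id, integ, otype, _zero1 = struct.unpack_from(
                "<3I8s", blob, off + 20 + j * ALGORITHM_OFFER_SIZE)
            algs.append(AlgorithmOffer(alg_id, integ, otype))
        offers.append(SecurityOffer(secs, kbytes, pfs, algs, options))
    return offers


def weak_algorithm_offers(offers: list) -> list:
    """Audit helper (not protocol behaviour): flag offers using MD5, single DES or ESP[null]."""
    weak = []
    for i, offer in enumerate(offers):
        for a in offer.algorithms:
            md5 = ((a.offer_type == OFFER_TYPE_AH and a.algorithm_id == 0x1) or
                   (a.offer_type == OFFER_TYPE_ESP and a.esp_integrity == 0x1))
            weak_esp = a.offer_type == OFFER_TYPE_ESP and a.algorithm_id in (0x1, 0x2)
            if md5 or weak_esp:
                weak.append((i, a.describe()))
    return weak


def sample_blob() -> bytes:
    """Constructed sample, not from the page: an ESP offer pair and an AH(SHA-1) offer."""
    return encode_ipsec_data([
        SecurityOffer(3600, 100000, 1, [AlgorithmOffer(0x3, 0x2, OFFER_TYPE_ESP),
                                        AlgorithmOffer(0x3, 0x1, OFFER_TYPE_ESP)]),
        SecurityOffer(28800, 0, 0, [AlgorithmOffer(0x2, 0x0, OFFER_TYPE_AH)]),
    ])


if __name__ == "__main__":
    for n, offer in enumerate(decode_ipsec_data(sample_blob())):
        print(n, offer.lifetime_seconds, [a.describe() for a in offer.algorithms])
    print("weak:", weak_algorithm_offers(decode_ipsec_data(sample_blob())))
```

When reading real policy objects, run the decoded offers through the audit helper as well as the structural checks: a BLOB can be perfectly well-formed and still downgrade a domain's IPsec traffic to DES or MD5, and nothing in the format itself prevents that.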