2.2.1.3.1 ipsecNFA{GUID} Object Description

The following table specifies the attributes of the ipsecNFA class object, as specified in [MS-ADSC], [MS-ADA1], and [MS-ADA3].

Name (Type): Description

objectClass (LDAPString): The Directory String that contains the object class. A typical value is "ipsecNFA". This attribute is used only during policy creation.

ipsecName (LDAPString): The user-constructed Directory String that contains the name of this filter group. A typical value is "All Traffic filters".

description (LDAPString): The user-constructed Directory String that is intended to contain a description of the filter group. A typical value is "Me to Any filters".

whenChanged (UTC-coded string): The Generalized-Time syntax value of the date and time at which the policy was last changed. This value is set by the Active Directory server.

ipsecID (LDAPString): The Directory String that contains the curly-braced GUID string value of this ipsecNFA object. A typical value looks like "{6A1E5C3F-72B7-11D2-ACF0-02603625CAFE}".

distinguishedName (Distinguished name): The Directory String that describes the directory location of the NFA policy object. This MUST be in the DN format of [RFC2251] and MUST be set by the protocol. A typical value is "CN=ipsecNFA{6A1E5C3F-72B7-11D2-ACF0-0260B025CAFE},CN=IP Security,CN=System,DC=myDomain,DC=contoso,DC=com".

ipsecFilterReference (Distinguished name): The Directory String reference to the ipsecFilter object (filter list) associated with this NFA. This MUST be in the DN format of [RFC2251]. If multiple filters are associated with this NFA, this filter is one of them; the other associated filters can be found by examining the ipsecOwnersReference attribute of each filter. A typical value is "CN=ipsecFilter{6A1E5C3F-72B7-11D2-ACF0-0260B025CAFE},CN=IP Security,CN=System,DC=myDomain,DC=contoso,DC=com". This attribute is not used during policy creation; it is used only during policy modification.

ipsecNegotiationPolicyReference (Distinguished name): The Directory String reference to the single ipsecNegotiationPolicy object associated with this NFA. This MUST be in the DN format of [RFC2251]. A typical value is "CN=ipsecNegotiationPolicy{6A1E5C3F-72B7-11D2-ACF0-0260B025CAFE},CN=IP Security,CN=System,DC=myDomain,DC=contoso,DC=com". This attribute is not used during policy creation; it is used only during policy modification.

ipsecOwnersReference (Distinguished name): The Directory String reference to the owning ipsecPolicy object with which this NFA object is associated. This MUST be in the DN format of [RFC2251]. A typical value is "CN=ipsecPolicy{6A1E5C3F-72B7-11D2-ACF0-0260B025CAFE},CN=IP Security,CN=System,DC=myDomain,DC=contoso,DC=com".

ipsecDataType (LDAPString): The identifier that describes the format of the ipsecData attribute. This MUST be the Directory String representation of the unsigned integer value 0x100 (that is, the string "256").

ipsecData (Octet string): The octet string representation of the binary data that carries the additional policy data, laid out as described in the ipsecData-specific table that follows.

Note: The ipsecNFA object, as carried in LDAP messages ([MS-ADSC] section 2.74, "Class ipsecNFA"), is encoded using BER, as defined in [RFC2251] section 5.1.

The following table specifies the ipsecData attribute's specific sections, corresponding names, and the data types for the assigned values for the purpose of IPsec policy configuration.

The values of these settings MUST be applied as is to the IPsec component; they MUST NOT be interpreted by this protocol. The IPsec component that later interprets these settings is independent of the protocol or mechanism that is used to configure them. The syntax of these settings is normative, but a description of the IPsec component interpretation is provided for informative purposes only.

Note that all multi-byte fields specified in the following tables MUST be encoded in little-endian byte order.

The ipsecData BLOB consists of the following fields, in this order (sizes are those given in the field descriptions that follow):

NFA-Policy-ID (16 bytes)
Data-Length (4 bytes)
Auth-Method-Count (4 bytes)
Auth-Methods (variable; Auth-Method-Count Auth-Method structures)
Interface-Type (4 bytes)
Interface-Name-Length (4 bytes)
Interface-Name (variable)
Tunnel-Address (4 bytes)
Is-Tunnel-Specifier (4 bytes)
Is-Active-Specifier (4 bytes)
Tunnel-End-Point-Name-Length (4 bytes)
Tunnel-End-Point-Name (variable)
Alt-Auth-Method-Id1 (16 bytes, optional)
Alt-Auth-Num-Methods-Count (4 bytes, optional)
Alt-Auth-Method-Data (variable, optional)
Alt-Auth-Method-Id2 (16 bytes, optional)
Zero1 (4 bytes)
Alt-Auth-Method-Flags (variable)
IPv6-Tunnel-Mode-ID (16 bytes)
IPv6-Tunnel-Mode-Address (16 bytes)

NFA-Policy-ID (16 bytes): The identifier that marks this BLOB as an NFA policy. This MUST be the GUID whose string representation is "{11BBAC00-498D-11D1-8639-00A0248D3021}".

Data-Length (4 bytes): This MUST be the length, in bytes, of the data that follows this field, up to and including Tunnel-End-Point-Name. The optional data beyond Tunnel-End-Point-Name is not counted in Data-Length. This MUST be an unsigned integer value. In practice this field is always 1 byte less than the size of the following data encoded as an octet stream.<6>

Auth-Method-Count (4 bytes): This MUST be the number of Auth-Method binary values that follow. This MUST be an unsigned integer value.

Auth-Methods (variable): The binary data that specifies the authentication methods for this NFA. The Auth-Method structure repeats Auth-Method-Count times, so the total length of this field is determined by Auth-Method-Count and by the length of each Auth-Method structure (which is itself variable because of Auth-Length).

The following binary format specifies the contents of the Auth-Method structure.

Auth-Type (4 bytes)
Auth-Length (4 bytes)
Auth-Method-Data (variable)

Auth-Type (4 bytes): The type of authentication that IKE performs for the NFA policy, as defined in [RFC2409] and [GSS]. This field MUST be one of the following values.

Value: Meaning

0x00000001: Authenticate by using a pre-shared key (PSK).

0x00000003: Authenticate by using an X.509 certificate.

0x00000005: Authenticate by using the Kerberos authentication system.

Auth-Length (4 bytes): This MUST be the length, in bytes, of the following Auth-Method-Data field. This MUST be an unsigned integer.

Auth-Method-Data (variable): The specific details of the Auth-Type that IKE uses, as defined in [GSS]. This MUST be one of the following values, selected by the value of Auth-Type. It is recommended that Auth-Method-Data be privacy protected (encrypted) in transit so that it is not susceptible to eavesdropping. This is particularly important for the pre-shared key, which is stored in this BLOB as a plain text string and is not protected by a hash: anyone who can read the ipsecNFA object, or observe an unprotected LDAP read of it, obtains the key.

Auth-Type value: Auth-Method-Data value and meaning

0x00000001: Pre-shared key. The null-terminated Unicode text string to use for pre-shared key (PSK) authentication.

0x00000003: X.509 certificate. The Unicode text string certificate name of the X.509 certificate to use for authentication.<7>

0x00000005: Kerberos. The Auth-Method-Data field MUST be 0x0000.

Interface-Type (4 bytes): The type of interface to which the IPsec component MUST apply the NFA policy. This MUST be one of the following values.

Value: Meaning

0xFFFFFFFF: Apply to dial-up interfaces only.

0xFFFFFFFE: Apply to LAN interfaces only.

0xFFFFFFFD: Apply to all interfaces.

Interface-Name-Length (4 bytes): An unsigned integer that MUST be the length, in bytes, of the following Interface-Name field.

Interface-Name (variable): The Unicode string that names a particular interface.

Tunnel-Address (4 bytes): This MAY<8> be the IPv4 address of the IPsec tunnel mode endpoint to which the IPsec component will apply this NFA policy (if applicable). The Is-Tunnel-Specifier field indicates whether the IPsec component is to interpret this field at all.

Is-Tunnel-Specifier (4 bytes): An indicator of whether this NFA policy applies to an IPsec tunnel; IKE uses it when negotiating SAs. This MUST be one of the following values.

Value: Meaning

0x00000000: This NFA is not a tunnel filter.

0x00000001: This NFA is a tunnel filter.

Is-Active-Specifier (4 bytes): An indicator of whether this NFA policy is active and part of a policy. This MUST be one of the following values.

Value: Meaning

0x00000000: This NFA is not active.

0x00000001: This NFA is active.

Tunnel-End-Point-Name-Length (4 bytes): This MUST be the length, in bytes, of the Tunnel-End-Point-Name field. This MUST be an unsigned integer.

Tunnel-End-Point-Name (variable): The Unicode string that names the tunnel mode endpoint (if applicable). This field carries data only if Is-Tunnel-Specifier indicates that this NFA is a tunnel filter and Tunnel-End-Point-Name-Length is nonzero.

Alt-Auth-Method-Id1 (16 bytes): An optional field that marks the data that follows as an alternate authentication method block. This SHOULD<9> be the GUID whose string representation is "{01010101-0101-0101-0101-01010101}". If this GUID is present, Alt-Auth-Num-Methods-Count and Alt-Auth-Method-Data are also present.

Alt-Auth-Num-Methods-Count (4 bytes): An optional field that SHOULD<10> specify the number of alternate authentication methods that follow. This value MUST be equal to the Auth-Method-Count field.

Alt-Auth-Method-Data (variable): This optional field SHOULD<11> contain the binary data that specifies the alternate authentication method policy data. The structure below repeats Alt-Auth-Num-Methods-Count times, so the total length of this field is determined by Alt-Auth-Num-Methods-Count and by the (variable) length of each structure. The following binary format specifies the contents of one such structure.

Alt-Auth-Type (4 bytes, optional)
Alt-Auth-Method-Length (4 bytes, optional)
Alt-Auth-Method-Value (variable)

Alt-Auth-Type (4 bytes): This optional field<12> is the type of authentication to perform for the NFA policy. This MUST be one of the following values.

Value: Meaning

0x00000001: Authenticate by using a pre-shared key (PSK).

0x00000003: Authenticate by using an X.509 certificate.

0x00000005: Authenticate by using the Kerberos authentication system.

Alt-Auth-Method-Length (4 bytes): An optional field giving the length, in bytes, of the following Alt-Auth-Method-Value field. This field SHOULD<13> be an unsigned integer.

Alt-Auth-Method-Value (variable): An optional field containing the specific details for the Alt-Auth-Type field. This SHOULD<14> be one of the following values, selected by the value of Alt-Auth-Type.

Alt-Auth-Type value: Alt-Auth-Method-Value and meaning

0x00000001: Pre-shared key. The null-terminated Unicode text string to use for pre-shared key (PSK) authentication, for example "Open-Sesame".

0x00000003: X.509 certificate. The Unicode text string certificate name of the X.509 certificate to use for authentication.<15>

0x00000005: Kerberos. The Alt-Auth-Method-Value field MUST be 0x00.

Alt-Auth-Method-Id2 (16 bytes): An optional field; the identifier that marks the data that follows as alternate authentication method flags. This SHOULD<16> be the GUID whose string representation is "{01010101-0101-0101-0101-01010102}". If this GUID is present, Alt-Auth-Method-Flags is also present.

Zero1 (4 bytes): This value MAY be filled with 0x00 and MUST be ignored when read.

Alt-Auth-Method-Flags (variable): An optional field that occurs Alt-Auth-Num-Methods-Count times, one 4-byte value per alternate authentication method, so its total length is Alt-Auth-Num-Methods-Count * 4 bytes. If the corresponding Alt-Auth-Method-Value is an X.509 certificate, this value describes how the certificate is used. Each value SHOULD<17> be one of the following.

Value: Meaning

0x00000000: The authentication method is not a certificate.

0x00000001: Enable certificate-to-account mapping.

0x00000002: Exclude the CA name from the certificate request.

IPv6-Tunnel-Mode-ID (16 bytes): The identifier that indicates that this NFA carries an optional IPv6 address for the tunnel endpoint. If this field is present, the IPv6-Tunnel-Mode-Address that follows supersedes the (IPv4) Tunnel-Address field value. This SHOULD<18> be the GUID whose string representation is "{01010101-0101-0101-0101-01010103}".

IPv6-Tunnel-Mode-Address (16 bytes): This SHOULD<19> be the IPv6 address of the IPsec tunnel mode endpoint to which the IPsec component will apply this NFA (if applicable).
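The following Python script is an added example, not code from the specification or from any Microsoft component. It builds and parses the mandatory portion of the ipsecData BLOB described above (NFA-Policy-ID through Tunnel-End-Point-Name), bounds-checks every length field before slicing, reports whether Data-Length agrees with the bytes actually present (rather than failing, because of the "1 byte less" product behavior noted above), and flags any pre-shared key stored in clear, which is the check an auditor reading these objects out of Active Directory most wants. Assumptions not stated on the page: the 4-byte Tunnel-Address is treated as the IPv4 address packed as a little-endian 32-bit integer (consistent with the "all fields little-endian" note), "Unicode text string" is taken to mean UTF-16LE, the Kerberos Auth-Method-Data "0x0000" is written as two zero bytes with Auth-Length 2, and the optional trailing fields (Alt-Auth-* and IPv6-Tunnel-Mode-*) are returned unparsed as raw bytes. The sample BLOB is constructed inside the script.

```python
"""Build/parse the ipsecData BLOB of an ipsecNFA object (added example)."""
import ipaddress
import struct
import uuid

# From the page: GUID that tags this BLOB as an NFA policy.
NFA_POLICY_ID = uuid.UUID("{11BBAC00-498D-11D1-8639-00A0248D3021}")

AUTH_PSK, AUTH_CERT, AUTH_KERBEROS = 0x1, 0x3, 0x5
AUTH_NAMES = {AUTH_PSK: "psk", AUTH_CERT: "x509", AUTH_KERBEROS: "kerberos"}
IFACE_DIALUP, IFACE_LAN, IFACE_ALL = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD


class NfaBlobError(ValueError):
    """Malformed BLOB: wrong tag, truncated field or out-of-range length."""


def _u32(buf, off):
    if off + 4 > len(buf):
        raise NfaBlobError(f"truncated DWORD at offset {off}")
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _take(buf, off, n):
    # Every length field is checked against the buffer before slicing.
    if off + n > len(buf):
        raise NfaBlobError(f"length {n} at offset {off} runs past end of BLOB")
    return bytes(buf[off:off + n]), off + n


def _utf16z(s):
    return s.encode("utf-16-le") + b"\x00\x00"  # null-terminated UTF-16LE (assumed)


def _from_utf16z(raw):
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")


def build_nfa_blob(auth_methods, interface_type=IFACE_ALL, interface_name="",
                   tunnel_address="0.0.0.0", is_tunnel=False, is_active=True,
                   tunnel_endpoint_name="", trailer=b""):
    """auth_methods: list of (Auth-Type, Auth-Method-Data bytes)."""
    body = struct.pack("<I", len(auth_methods))
    for auth_type, data in auth_methods:
        body += struct.pack("<II", auth_type, len(data)) + data
    name = _utf16z(interface_name) if interface_name else b""
    body += struct.pack("<II", interface_type, len(name)) + name
    # Assumption: IPv4 address stored as a little-endian DWORD.
    body += ipaddress.IPv4Address(tunnel_address).packed[::-1]
    body += struct.pack("<II", int(is_tunnel), int(is_active))
    tname = _utf16z(tunnel_endpoint_name) if tunnel_endpoint_name else b""
    body += struct.pack("<I", len(tname)) + tname
    # Data-Length covers everything after itself through Tunnel-End-Point-Name;
    # the optional trailer is not counted.
    return NFA_POLICY_ID.bytes_le + struct.pack("<I", len(body)) + body + trailer


def parse_nfa_blob(blob):
    tag, off = _take(blob, 0, 16)
    if uuid.UUID(bytes_le=tag) != NFA_POLICY_ID:
        raise NfaBlobError("NFA-Policy-ID mismatch: not an NFA ipsecData BLOB")
    data_length, off = _u32(blob, off)
    if data_length > len(blob) - off:
        raise NfaBlobError("Data-Length exceeds BLOB size")
    body_start = off
    count, off = _u32(blob, off)
    methods = []
    for _ in range(count):
        auth_type, off = _u32(blob, off)
        auth_len, off = _u32(blob, off)
        data, off = _take(blob, off, auth_len)
        methods.append({"type": auth_type,
                        "name": AUTH_NAMES.get(auth_type, "unknown"), "data": data})
    interface_type, off = _u32(blob, off)
    name_len, off = _u32(blob, off)
    name, off = _take(blob, off, name_len)
    addr, off = _take(blob, off, 4)
    is_tunnel, off = _u32(blob, off)
    is_active, off = _u32(blob, off)
    tname_len, off = _u32(blob, off)
    tname, off = _take(blob, off, tname_len)
    return {
        "auth_methods": methods,
        "interface_type": interface_type,
        "interface_name": _from_utf16z(name),
        "tunnel_address": str(ipaddress.IPv4Address(addr[::-1])),
        "is_tunnel": bool(is_tunnel),
        "is_active": bool(is_active),
        "tunnel_endpoint_name": _from_utf16z(tname),
        "data_length": data_length,
        # Tolerates the documented off-by-one product behavior instead of failing.
        "data_length_matches": data_length == off - body_start,
        "trailer": bytes(blob[off:]),  # optional Alt-Auth / IPv6 fields, unparsed
    }


def cleartext_psks(parsed):
    """Audit check: PSKs are stored as plain UTF-16 text, readable by any reader."""
    return [_from_utf16z(m["data"]) for m in parsed["auth_methods"]
            if m["type"] == AUTH_PSK]


# Constructed sample BLOB (not captured from a real directory).
SAMPLE = build_nfa_blob(
    auth_methods=[(AUTH_KERBEROS, b"\x00\x00"), (AUTH_PSK, _utf16z("Open-Sesame"))],
    interface_type=IFACE_LAN, interface_name="Corp LAN",
    tunnel_address="192.0.2.1", is_tunnel=True, tunnel_endpoint_name="hq-gw")

if __name__ == "__main__":
    parsed = parse_nfa_blob(SAMPLE)
    print(parsed)
    print("cleartext PSKs found:", cleartext_psks(parsed))
    try:
        parse_nfa_blob(SAMPLE[:40])  # truncated: rejected cleanly, no garbage output
    except NfaBlobError as err:
        print("rejected:", err)
```

To run it against real objects, read the ipsecData attribute of each ipsecNFA object under CN=IP Security,CN=System and feed the raw octet string to parse_nfa_blob; a nonempty result from cleartext_psks is a finding, because every principal with read access to the container can recover the key.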