A change of scenery

This blog has now relocated to a Wordpress installation on the Isode site. The new address is:

www.isode.com/company/wordpress/

Interworking with XMPP Clients and Servers lacking security label support.

Over the last few months we've been adding a lot of new functionality to our XMPP server, M-Link, and this has been reflected in an increased tempo of releases. The latest release focuses on improving interworking with XMPP clients and servers which do not support security labels, adding new features of interest mostly to our customers and evaluators in the Govt/Intell/Military markets:

1. Default Labels.
2. FLOT Labels.
3. Improved/simplified support for TransVerse.
4. Equivalent label support.

Default Labels

M-Link's support for security label functionality is well documented (see the whitepaper: Using Security Labels to Control Message Flow in XMPP Services). In this new release we add the concept of Default Labels, with the goal of supporting interworking with clients and servers that do not support labels within systems where security label support is required.

A Default Label can be configured for a Server, Peer, MUC room of Service (i.e. applied to one domain within a single server supporitng multiple IM domains).

FLOT (First Line of Text) Labels

This is the ability to insert a FLOT label at the start of any XMPP message. The text from the XEP-0258 display marking is used.  

This ensures that clients not capable of XEP-0258 (XEP-0258: Security Labels in XMPP) will see security labels, and will help with deployments in mixed environments.  

For local clients, this feature will be used automatically for clients that do not support XEP-0258 (or TransVerse) labels. This capability is enabled by default, but may be disabled.  It can also be explicitly configured for peers, which will help supporting systems that are not XEP-0258 capable. Where a message has an HTML part, this is removed, so that only the text option (with the label) is present.

In the screenshots below we show this in operation in a chat between two users, one using the Psi client (which has no label support) and one using a pre-release copy of Swift (which does support XEP-0258 labels).

  

 

Improved/simplified support for TransVerse

We have simplified and improved support for the TransVerse Client, which uses IC-ISM labels and its own XMPP encoding. We've tested with Transverse 1.5 and Transverse 2.0 Alpha.

The "TransVerse Map" configuration has gone, and configuration is driven from the SPIF and the server's label catalog.   For message delivery to TransVerse, M-Link will insert TransVerse Style labels using the XEP-0258 information, which Transverse will display, and look the same as XEP-0258 labels (colour and display string).

TransVerse supports label catalog discovery for MUC rooms only.  M-Link will respond to these discovery requests with a TransVerse compatible catalog, filtered appropriately to the requestor's clearance and other applicable clearances (e.g., the room's clearance).   When TransVerse sends a message with one of these labels, it will be treated the same as the corresponding XEP-0258 label and a XEP-0258 label will be inserted by M-Link.  In cases where TransVerse does not support label catalog discovery, including chat or through-MUC 1-to-1 chat, TransVerse will offer it's default catalog (e.g., the US labels UNCLASSIFIED and UNCLASSIFIED/FOUO).  These labels will not be generally recognized by M-Link.

Here is how Groupchat looks between TransVerse, Swift and Psi:

 

 

 

Equivalent label support

We've done some work on equivalent label support, and provided test data to help those interested in investigating and demonstrating this capability.

Note that this does NOT include label translation (e.g., replacement), which will be provided in a future release.

The key capability is that a policy can specify non-local labels as equivalent to local ones. This means that non-local labels (from peers or local clients) will be validated correctly. The sample data we provide with M-Link includes policy files (including variants with and without equivalents) and catalogs to set up the configuration shown in the diagram below.

 

 

The UK Demo policy is the one previously supplied, as is the NATO one. UK-NATO is a new policy, that includes (GENSER style) both UK and NATO labels, so that either can be used on the site (under appropriate clearance control). This can be useful for sites that wish to have users using both labels.  Note that this is a new policy with a new policy id.  Each of these policies has appropriate equivalents to the other policies.

We're happy to help anyone set up a configuration based on this.

Requirements for XMPP Digital Signatures (XEP-0274)

Digital signatures for XMPP messages are a desirable addition to the currently standardized peer to peer digital signatures (strong authentication based on PKI). Digital signatures on XMPP messages can enable:

• Message Origin Authentication
• End to end Content Integrity checks
• Binding of Security Labels to messages by Clients, MUC Rooms, and Gateways 

Previous attempts to standardize have not gained general acceptance, and have a number of problems. Ad hoc implementation efforts that we are aware of also have problems. 

Isode is working to enable a standard. XEP-0274 "Design Considerations for Digital Signatures in XMPP" has been developed primarily by Isode staff and has just been published. It looks at requirements and possible approaches to meeting these requirement. It looks particularly at approaches using the XMLDSIG XML digital signature standard, which we believe is the most promising direction.

Both requirements and technical solution to address these requirements are complex. We believe that wide participation will be crucial to develop a workable and widely adopted standard in this space.

Isode Partners with Zion Software to provide XMPP connectivity to legacy IM Networks

In Release R14.5 of Isode's M-Link XMPP Server, support has been added for XEP-0114 Jabber Component Protocol, which among other things can be used to provide a mechanism for connection of External Legacy IM Services. The JBuddy XMPP Gateway from Zion Software supports XEP-0114 and provides connectivity to AIM, ICQ, Windows Live/MSN and Yahoo Instant Messenger services. Isode's  M-Link XMPP server has been certified by Zion Software as a tested compatible XMPP server for use with their JBuddy XMPP Gateway.

HFIA Presentation

In a previous post we mentioned that Isode CEO, Steve Kille, was presenting at meeting of the High Frequency Industry Association (HFIA). Steve's presentation, given yesterday, is now available online.

Isode at High Frequency Industry Association (HFIA)

Isode CEO, Steve Kille, will be presenting at the next meeting of the HFIA in Munich on 14 September. 

The talk "Performance measurements of STANAG 5066 and Applications Running over STANAG 5066" follows a series of whitepapers published on the Isode website over the last couple of months looking at the performance of messaging protocols and applications over HF Radio:

STANAG 5066 Performance Measurements over HF Radio

This white paper sets out the results of measurements done by Isode of STANAG 5066 over military HF Modems and emulated HF Radio. These test show that good line utilization can be achieved (83-94 %) for speeds ranging from 75 bits/second to 9600 bits/second. To achieve this, care must be taken with how the application uses STANAG 5066.

Performance Measurements of Messaging Protocols over HF Radio

This white paper sets out and analyses the results of a measurements of various messaging protocols over HF Radio. HF Radio has unusual performance and reliability characteristics, which has led to specific application protocols being developed. This paper finds that three of the four protocols analysed perform well. It concludes with a discussion of the best choice of messaging protocol for various types of deployment.

Performance Measurements of Applications using IP over HF Radio

This paper sets out the results of measurements made when running applications and layer protocols to support applications over IP via HF Radio using STANAG 5066. The goal of this work was to get a quantitative measure of the performance impact of using applications running over IP over HF Radio in comparison with applications running directly over specialized HF Radio protocols. This paper concludes that the performance impact of using IP is massive, with small message latency increase from at typical value of 6-20 seconds using applications optimized for HF to a smallest measured value of 89 seconds when using IP.

Isode and Serco Partnership

We are pleased to announce that Serco recently became an Isode partner. Information can be found on the Serco Group Plc partner page on the Isode Website.

Isode at the 2nd International Conference on LDAP

The Second International LDAP Convention (LDAPCon2009) will be held in Portland, Oregon on September 20th and 21st.

Isode development engineer, Kurt Zeilenga, will be giving two talks at the conference:

• On Day 1 he'll be talking about Security Label based Authorization in Directory Services
• On Day 2 he'll be talking about Directory Standardization efforts

Kurt's talks will be an ideal chance for those interested in directory technologies to catch up with the latest developments (such as the Security Label authorization work being led by Isode).

New Partnership: Isode And Fine Point Technologies

We're pleased to announce a new partnership between Isode and Fine Point Technologies. By combining Fine Point's over-the-air (OTA) provision technologies and Isode's M-Box Gateway product, we're able to offer mobile service providers a complete moble email solution for their subscribers with minimal user and operator intervention.

A press release with some more information on this new partnership follows:

Isode And Fine Point Technologies Ireland To Offer Mobile Push Email Solution For Mobile Service Providers

'One Touch' is a secure, easy to activate, automatically provisioned push email solution for mobile service providers looking to provide efficient mobile email services to any user with a mobile phone.

--

Fine Point Technologies Ireland (a leading provider of mobile device detection, automatic device management & service provisioning software solutions) and Isode (the messaging and directory server software company) have joined forces to bring to market 'One Touch'.

By combining Finepoint’s Pervenio Activator over the air configuration system and Isode's M-Box Gateway, One Touch allows a vast range of mobile phone email clients to access new and legacy (POP) email accounts using the open IMAP-IDLE standard for email delivery.

One Touch is a complete solution for Mobile Service Providers (MSPs) who wish to provide high quality, robust, secure and efficient push email services to their end-users.

Ian Deakin, Chief Technology Officer of Fine Point Technologies Ireland, Inc.:

"As a result of our collaboration, we can provide an extremely powerful yet easy to use push mobile email solution for the widest range of mobile devices ensuring that customers can activate the service themselves rather than having to wait for intervention by a third party was important to ensuring a positive end-user experience."

Will Sheward, Isode VP Marketing:

"The marriage of our M-Box Gateway with Pervenio's activator service through integration work done at both of our companies has enabled us to put together a solution that addresses the needs of both MSPs and their end-users. The provision of efficient mobile email access to new or legacy email accounts with minimal intervention from the MSP is something the market needs and has been unable to find at a reasonable price from competitive companies."

MSPs wishing to experience One Touch from the perspective of their users and learn about the deployment and management of One Touch should contact Gerry Simone of (703-994-4418, gerry@simonecommunications.com) for further information.

About Isode

Isode is a leading supplier of highly scalable, high performance and robust messaging and directory server solutions. Isodes products are used in sectors where security, scaleability, reliability and excellent support are core requirements. Isode has commercial, Government, Military and Intelligence sector customers in over 30 countries.

About Fine Point Technologies Ireland

Fine Point Technologies Ireland is the former Pervenio Ltd,  a pioneering, world leading provider in Automatic Device management and Service Provisioning software solutions that enable MSP’s to stay better connected with their customers by detecting the mobile device instantly and configuring automatically the maximum service capabilities of each handset on their network. The company’s products are in service with more than 15 major networks globally, increasing revenues, enhancing profits and improving operational efficiencies for some of the world's leading mobile operators.

New Features in R14.4v1

Our usual approach to adding new features is to do so to coincide with major and minor releases. Update versions to a release will always be drop-in replacements of previous versions of the release, and generally only contain bug fixes.

We sometimes add new features where these are non-disruptive (e.g., add-ons at the periphery, rather than changes to our core server products), particularly early in the life of a release when we do not want to make customers wait for the next release to get a new feature.

We are adding nine new features to R14.4 in the R14.4v1 update version

1. Improved GUI Management in Sodium for Security Label and Security Clearances (more)
2. Security Label/Clearance/Policy tools (more)
3. Support for XEP-0237 (Roster Versioning) in M-Link (more)
4. Improved Sodium Sync operation for Sync to Active Directory (more)
5. Support of HSQLDB as Audit Database option (more)
6. Audit Database management service (more)
7. STANAG 5066 Console Updates (more)
8. X.400 Gateway API Extensions (more)
9. Enhancements to the Java X.400 Client API (more)

Improved GUI Management in Sodium for Security Label and Security Clearances

The 14.4v0 GUI capabilities for handling security labels and security clearances meant that in practice you are restricted to either very simple labels/clearances or you load pre-prepared labels/clearances from files (XML or ASN.1).   

We have added a Catalog mechanism, that enables simple GUI selection from a standard list.  For a simple security policy, the Catalog would simply be a list of all possible labels or clearances.  For a complex security policy, it would be a selection of labels or clearances appropriate for the deployment.

This Catalog mechanism has been added to Sodium. We will add it to other places in future releases (in particular to IMA for User Clearances, and XUXA for Labels). Sodium now has Catalog support define in templates for the following applications:

M-Link/M-Vault/Third Party Applications

• User Clearance (Security Clearance in a directory entry)

M-Vault

• Security Label as operational attribute in any entry
• DSA Clearance (to control data in the server)
• DSA Label (to control connected users)

M-Link

• Server (Domain) Clearance (to control messages switched)
• Server (Domain) Label (to control connected users)
• MUC Group Clearance (to control messages switched)
• MUC Group Label (to control group members)

Isode will provide sample Catalogs, along with the sample Security Policies included with  R14.4. This will enable easy setup of Security Label capabilities in our products.

Security Label/Clearance/Policy tools

We're including a number of command line tools in the release. We've been using these internally, and it has become clear that they will be useful to customers setting up systems using Security Labels. Tools include:

Label, Clearance and SPIF tools:

• format conversion (between supported ASN.1 and XML formats)
• descriptive dump

ACDF Tool

• Evaluates the ACDF (Access Control Decision Function) to check a label against a clearance under a specific policy

Security Label & Security Clearance builders

• Tools to help correctly build complex Security Labels and Clearances according to a Security Policy 

Catalog Builder

• Creates a complete (Label or Clearance) Catalog from a SPIF (Security Policy Information File)

Support for XEP-0237 (Roster Versioning) in M-Link

XEP-0237 "Roster Versioning" has been added to M-Link.  This specification, which is expected to become part of the core XMPP protocol at some stage, optimizes client connection by only providing an updated roster if there has been a change since the last connection. This is an important optimization for clients working over slow links.

XEP-0237 uses the same techniques to optimize network use as IMAP CONDSTORE RFC 4551  "IMAP Extension for Conditional STORE Operation or Quick Flag Changes Resynchronization" which is implemented by M-Box. Isode has been a major contributor to and editor of both of these specifications.

Improved Sodium Sync operation for Sync to Active Directory

We've made some changes to Sodium Sync to improve sync to Active Directory, and in particular added support for mapping X.400 OR Addresses into the forms required by AD/Exchange.

Support of HSQLDB as Audit Database option

We've added HSQLDB support as an alternative Audit Database option to Postgres.  HSQLDB is a simple Java JDBC database.   

One reason for doing this is to clearly demonstrate and test the database independence of our tools.

The second reason is to provide an easy demo setup. We are bundling HSQLDB with the Isode product set, which makes it easy to set up an Audit Database for demonstration and evaluation purposes. Our experience suggests that HSQLDB scaling limit as an Audit Database is around 40,000 records, which

means that it is unlikely to be suitable for production use.

Audit Database management service

We've added a way to manage removal of old records from the Audit Database. This is done by the AuditDB Management Daemon (which also takes on the functionality of the existing AuditDB Quarantine Management Daemon).  

STANAG 5066 Console Updates

We made some improvements to STANAG 5066 Console in order to do STANAG 5066 benchmarking, and have included these changes.  The benchmarking is described in the Isode Whitepaper "STANAG 5066 Performance Measurements over HF Radio".

X.400 Gateway API Extensions

We've extended our X.400 Gateway API to better expose the message content. This will be of interest to those handling content types other than IPM or P772, and in particular those needing to access the CMS layers of STANAG 4406 ed 2.

Enhancements to the Java X.400 Client API

The R14.4v0 Java Client API is implemented as a thin layer over the 'C' API, and provides a similar API. This is convenient for those using both APIs, but means that the Java API is quite low level and of a style that would be expected by a 'C' programmer, but does not take advantage of Java language features. We have added a higher level interface, which will be natural for Java developers, and should reduce development times for those building X.400 applications over our Java X.400 Client API.