M-Switch X.400 is a high performance, highly flexible and robust X.400 Message Transfer Agent (MTA). This page describes military capabilities and conformance of M-Switch X.400. A general description of Isode's products for military messaging solutions can be found on the Military Messaging Solutions Page.
MMHS Standards & M-Switch X.400
The primary standards for Military Message Handling Systems (MMHS) are ACP 123 and STANAG 4406, which are technically aligned. Isode's primary technical reference for MMHS is STANAG 4406 Edition 2, which from an MTA perspective is compatible with the two older references. These specifications are based on X.400.
This document relates to MMHS features in M-Switch X.400 (MTA) that are defined by these documents. The majority of the MMHS MTA features are taken from X.400, and most features needed are standard M-Switch X.400 capabilities. Much of STANAG 4406 relates to message content, and does not directly affect MTA conformance. The MTA has to carry the data.
MTA conformance to STANAG 4406 primarily relates to supporting the required features of X.400. The parts of STANAG 4406 that are relevant to M-Switch are:
- Annexe A. This defines core MTA behaviour, and military extensions to X.400. M-Switch X.400 supports all MTA features defined.
- Annexe B. This describes security capabilities, in conjunction with the STANAG 4631 profile. Although this is an end to end capability, it is supported by M-Switch in conjunction with ACP145 Gateway Capabilities described below.
- Annexe C. This sets out in detail the features of X.400 required. M-Switch X.400 conforms to the MTA parts of this annexe, for both X.400 P1 and X.400 P3.
- Annexe E. This covers tactical messaging. It is implemented by M-Switch X.400 and described in more detail below.
- Annexe G. This gives a profile of Annexe B, which is backwards compatible with an older version of security. M-Switch supports this profile.
- Annexe H. This describes security label support. M-Switch supports this both with Annexe B and X.411 security labels.
STANAG 4406 defines one Message Transport feature, which is to extend the X.400 three level message priority (low; medium; high) to six military levels (deferred; routine; immediate; priority; flash; override). This is supported by M-Switch X.400. Isode management GUIs can all display message priority using the military values.
M-Switch X.400 may be controlled using MConsole to limit message processing by priority, across the whole switch or for selected channels. This control may be used in support of a MINIMIZE condition.
M-Switch X.400 allows permanent connections to be scheduled for selected priorities, and can also control setting of the DSCP (Differentiated Service Code Point) values for different connections, to enable message traffic differentiation according to DiffServ (RFC 2474 and RFC 2475).
STANAG 4406 Content Support
Although STANAG 4406 does not require an MTA to be able to interpret message content, there is benefit in being able to do so. M-Switch can interpret the P772 message format, which enables the following services from M-Switch X.400 that require interpretation of the message content:
- Virus Checking
- Message Content Checking
- Message Header Transformation
M-Switch supports all of the STANAG 4406 header extensions to X.400 and the extended body parts, including those used in support of ACP127 mappings. The ADatP-3 body part, used to carry military MTF (Message Text Format), is supported, including MIXER mappings.
M-Switch enables the conversion of standard X.400 to P772. This will correctly set mandatory and conditional P772 fields (Authorization Time, Primary Precedence, Copy Precedence) and has a configurable mapping from X.400 message priority to STANAG 4406 Grade of Delivery.
ACP145 and STANAG 4406 Security
STANAG 4406 defines message security mechanisms based on CMS (Cryptographic Message Syntax), which is also used in S/MIME. M-Switch supports the digital signature and security label mechanisms. In particular, M-Switch can sign a message and add a security label, and can verify and optionally remove message signatures. This enables MTA to MTA use of message signature.
This message signing and verification capability can be used to provide an ACP145 gateway, described in our whitepaper [ACP145: Isode Support of International MMHS Gateways].
STANAG 4406 Encryption is supported by M-Switch Encryption, which is a capability that may be added to M-Switch.
M-Switch can handle the following X.400 Security Label locations and formats:
- X.411 Envelope Security Labels
- STANAG 4406 Annexe B (CMS) Security Labels
- First Line of Text (FLOT) labels (display markings)
M-Switch can interpret all of these formats from inbound messages. For outbound messages a default label can be added, or a label mapped from the inbound message. The outbound message can use a different label format to the inbound.
As well as changing the label encoding (e.g., from X.411 to STANAG 4406), M-Switch can also map label policy and associated format using label equivalences (e.g., to map from NATO to UK). Label format can also be mapped between ESS and X.411.
M-Switch can apply access control based on message label, with controls based on security clearance of the message recipient or the channel/MTA to which a message is sent.
For more information see [Security Label Capabilities in M-Switch].
Mapping of STANAG 4406 Headers with SMTP
M-Switch has support for STANAG 4406 Headings. It handles MMHS headers in SMTP according to RFC 6477 “Registration of Military Message Handling System (MMHS) header fields for use in Internet Mail”. A high level description is provided in the whitepaper [Military Messaging (MMHS) over SMTP]. Two capabilities are provided:
- Mapping between the MMHS over SMTP headers and STANAG 4406 Headers
- Assigning MTS Grade of Delivery and internal M-Switch Priority according to the MMHS-Primary-Precedence: header.
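A sketch of the second capability, as an added example that is not Isode's implementation: it reads the RFC 6477 MMHS-Primary-Precedence header, validates it, and derives a grade of delivery. The grade table, the default for a missing header, and the `minimize_floor` filter are assumptions made for illustration.

```python
# Added example, not M-Switch code. Precedence names and numbers follow
# RFC 6477; everything marked "assumed" is illustrative policy.
from email import message_from_string

PRECEDENCE = {"deferred": 0, "routine": 1, "priority": 2,
              "immediate": 3, "flash": 4, "override": 5}

# Assumed mapping from precedence value to X.400 MTS grade of delivery.
GRADE_OF_DELIVERY = {0: "non-urgent", 1: "non-urgent", 2: "normal",
                     3: "normal", 4: "urgent", 5: "urgent"}


def primary_precedence(raw_message, default="routine"):
    """Return the numeric primary precedence of an Internet Mail message."""
    msg = message_from_string(raw_message)
    # Assumed default: a message without the header is treated as routine.
    values = msg.get_all("MMHS-Primary-Precedence") or [default]
    if len(values) > 1:
        # Conflicting headers make the precedence ambiguous: refuse to guess.
        raise ValueError("multiple MMHS-Primary-Precedence headers")
    token = values[0].strip().lower()
    if token.isascii() and token.isdigit():
        value = int(token)  # RFC 6477 also allows the numeric form
    else:
        value = PRECEDENCE.get(token, -1)
    if value not in GRADE_OF_DELIVERY:
        # Values outside the six named levels are not in this table.
        raise ValueError(f"unsupported precedence: {token!r}")
    return value


def classify(raw_message, minimize_floor=None):
    """Return (precedence, grade, accepted); minimize_floor is an assumed
    stand-in for limiting message processing by priority."""
    value = primary_precedence(raw_message)
    accepted = minimize_floor is None or value >= PRECEDENCE[minimize_floor]
    return value, GRADE_OF_DELIVERY[value], accepted


# Constructed sample message (addresses are placeholders).
SAMPLE = ("From: sender@example.org\n"
          "To: recipient@example.org\n"
          "MMHS-Primary-Precedence: flash\n"
          "Subject: constructed sample\n\nbody\n")

if __name__ == "__main__":
    print(classify(SAMPLE, minimize_floor="immediate"))
```

Rejecting duplicate or out-of-table values, rather than picking one, keeps a malformed header from silently raising or lowering a message's queue position.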
Gateway STANAG 4406 with ACP127
M-Switch provides support for ACP127 and related protocols, and gateway to STANAG 4406 following STANAG 4406 Annex D. This is described on the M-Switch ACP127 page.
Satellite and HF Radio Networks
Military Messages often need to be transferred over low bandwidth networks such as HF radio, Satellite and other "constrained communication channels". The key military specifications which deal with such a messaging environment are the CCEB (Combined Communications-Electronics Board – AU, CA, NZ, US, UK) developed ACP 142 and NATO's STANAG 4406 Annexe E, and STANAG 5066.
An Isode white paper [Military Messaging over HF Radio and Satellite using STANAG 4406 Annex E] explains this technology, describes deployment scenarios, and shows the complete Isode messaging solution for this environment, including directory configuration and management GUIs.
The above diagram shows how this functionality fits into M-Switch X.400. Further details are given in the whitepaper [The Architecture of Isode's STANAG 4406 Annex E Solution]. Key features of Isode's solution:
- Full Directory based configuration.
- Integrated GUI management, giving a single view of messaging and ACP 142 queues.
- Support of STANAG 5066 for operation over HF Radio.
- Integration with Internet Messaging over the same ACP 142 queue.
- Support of Connection Oriented ACP 142, to optimize for transfers over point to point networks.
- GUI STANAG 5066 Console to help configuration and management of STANAG 5066 deployments, described here.
Further information on operation can be found in the M-Switch product description for constrained networks. This also includes references to a number of Isode whitepapers.
- ACP 123 (B), "Common Messaging Strategy and Procedures", May 2009. ACPs (Allied Communications Publications) are issued by the CCEB (Combined Communications Electronics Board).
- STANAG 4406, Edition 1, Version 3. "Military Message Handling System", March 1999. STANAG documents are NATO standardization agreements.
- STANAG 4406, Edition 2. "Military Message Handling System", March 2005.
  - Annex A: "Military Message Handling System Extensions"
  - Annex B: "Interoperability of Secure MMHS"
  - Annex C: "Alpha Profile Set"
  - Annex D: "MMHS APS/ACP127 Gateway"
  - Annex E: "Tactical MMHS Protocol and Profile Solution"
  - Annex G: "Compatibility with PCT-based MMHS Security"
  - Annex H: "NATO Security Label Guidelines for MMHS"
- STANAG 4631 "PROFILE FOR THE USE OF THE CRYPTOGRAPHIC MESSAGE SYNTAX (CMS) AND ENHANCED SECURITY SERVICES (ESS) FOR S/MIME"
- RFC 5652 Cryptographic Message Syntax (CMS), R. Housley, September 2009
- ACP 142a, Version 1.0, "P_MUL - A PROTOCOL FOR RELIABLE MULTICAST MESSAGING IN BANDWIDTH CONSTRAINED AND DELAYED ACKNOWLEDGEMENT (EMCON) ENVIRONMENTS". October 2008.
- STANAG 5066 Edition 1 Amendment 1. "Profile for High Frequency (HF) Radio Data Communications", October 2005.
- STANAG 5066 Edition 2. "Profile for High Frequency (HF) Radio Data Communications", December 2008.
- RFC 6477. "Registration of Military Message Handling System (MMHS) Header Fields for Use in Internet Mail", A. Melnikov, G. Lunt, Jan 2012
The core of these specifications is use of the ITU X.400 Messaging Standards as a framework for MMHS. The end to end message transfer infrastructure defined by these documents is closely based on the core X.400 specifications with some changes and constraints for the MMHS environment, in particular relating to support of formal messaging, security, and low bandwidth networks.