M-Link 19.4 Limited Release

M-Link 19.4 provides a very significant update and in particular provides the M-Link User Server product. It also provides M-Link MU Server, M-Link MU Gateway and M-Link Edge.   It does not provide M-Link IRC Gateway, which remains M-Link 17.0 only.

M-Link 19.4 Limited Release is provided ahead of the full M-Link 19.4 release. M-Link 19.4 Limited Release is fully supported by Isode for production deployment. There is one significant difference with a standard Isode release:

  • Updates to M-Link 19.4 Limited Release will include additional functionality. This contrasts to standard Isode releases where updates are “bug fix only”. There will be a series of updates which will culminate in the full M-Link 19.4 release.

Goals

There are three reasons that this approach is being taken:

  1. To provide a preview for those interested to look at the new capabilities of M-Link 19.4.
  2. To enable production deployment of M-Link 19.4 ahead of full release for customers who do not need all of the features of the full M-Link 19.4 release.  M-Link 19.4 limited release provides ample functionality for a baseline XMPP user service.
  3. To enable customer review of what will be in M-Link 19.4 full release. We are planning to not provide all M-Link 17.0 capabilities in M-Link 19.4 full release. A list is provided below of the current plan. Based on feedback, we may bring more functionality into M-Link 19.4 full release. There is a trade-off between functionality and shipping date, which we will review with customers.

 

Benefits

M-Link 19.4 User Server and M-Link 19.4 MU Server offer significant benefits over M-Link 17.0:

  • M-Link 19.4 is fully Web managed, and M-Link Console is no longer used. This is the most visible difference relative to M-Link 17.0.  This enables management without installing anything on the management client.  It is helpful for deployments also using Web management in M-Link  Edge  and M-Link  MU Gateway (using either 19.3 or 19.4 versions).
  • Flexible link handling, as provided previously in M-Link 19.3
  1. Multiple links may be established with a peer.  These links may be prioritized, so that for example a SATCOM link will be used by default with fall back to HF in the event of primary link failure.  Fall forward is also supported, so that the SATCOM link is monitored and traffic will revert when it becomes available again. 
  2. Automatic closure of idle remote peer sessions after configurable period.
  3. Support for inbound only links, primarily to support Icon-Topo.
  4. “Whitespace pings” to X2X (XEP-0361) sessions to improve failover after connectivity failures.
  • M-Link MU Server allows the HF Radio improvements of M-Link 19.3 MU Gateway to be used in a single server, rather than deploying M-Link 19.3 MU Gateway plus M-Link 17.0 User Server
  • The session monitoring improvements previously provided in M-Link 19.3
  1. Shows sessions of each type (S2S, X2X (XEP-0361), GCXP (M-Link Edge), and XEP-0365 (SLEP)) with information on direction and authentication
  2. Enable monitoring for selected sessions to show traffic, including ability to monitor session initialization.
  3. Statistics for sessions, including volume of data, and number of stanzas.
  4. Peer statistics, providing summary information and number of sessions for each peer.
  5. Statistics for the whole server, giving session information for the whole server.
  • Use of the capabilities previously provided in M-Link 19.3 to provide metrics on activity to enable us to feed them into a Prometheus database using the statsd protocol. Prometheus is a widely used time series database used to store metrics:  https://prometheus.io/. Grafana is a graphing front end often used with Prometheus:  https://grafana.com/.  Grafana provides dashboards to present information.  Isode will make available sample Grafana dashboards on request to evaluators and customers.  Metrics that can be presented include:
  1. Stanza count and rate for each peer
  2. Number of bytes sent and received for each link
  3. Number of sessions (C2S; S2S; GCXP; X2X; and XEP-0365 (SLEP))
  4. Message queue size for peers – important for low bandwidth links
  5. Message latency for each peer – important for high latency links
  • Provides HTTP Upload (XEP-0363) that enables a client to upload a file to the M-Link server and then share using URL.  This is supported by Swift 6.0 to provide file sharing.
  • Enhanced FMUC (XEP-0289 Federated MUC) capabilities
    • Use of the fallback capabilities of M-Link 19.4 to provide improved resilience
    • Improved detection of failed communication between links, using (lack of) XEP-0198 acknowledgements to determine link failure and sending regular pings so that failure is detected when there is no user traffic.

M-Link 19.4 (Limited Release) Update Plan

This section sets out the plan for providing updates to M-Link 19.4 (Limited Release)

The current release is Update 1, which added FMUC capabilities among other functionality. Please note that the update number is distinct from the release version number. The first software version of update 1 is “19.4v4”.

The following updates are planned:

Update 2: Archive Administration

The initial archive capability is fully functional. Administration adds a number of functions, including the ability to export, back up and truncate the archive. These capabilities are seen as important for operational deployment of archiving.

Update 3: CSR Generation

Management of PKI identities and certificates in R19.4 is done with PEM files, which is pragmatic.  Use of PKCS#10 Certificate Signing Requests is a more elegant approach that enables operational integration with deployed Certification Authorities.

Update 4: Clustering

Clustering is the largest piece of work and the most significant omission from the limited release. It is expected to take a number of months work to complete this, based on core work already done. 

Update 5: Miscellaneous

There are a number of smaller tasks that are seen as essential for R19.4 final release, which will likely be provided incrementally. If any are seen as high priority for the limited release, it would be possible to address prior to the clustering update.

  • Server-side XEP-0346 Form Discovery and Publishing (FDP). This will enable third-party clients to use FDP.
  • Certificate checking using CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol).
  • Complete implementation of XEP-0163 Personal Eventing Protocol (PEP). This is mostly complete in the initial limited release.
  • Administration. The limited release supports single administrator with password managed by M-Link.
    • Option for multiple administrators
    • Option for administrators specified and authenticated by LDAP
    • Administrators with per-domain administration rights
  • XEP-0198 Stream Management  support for C2S (limited release supports it in S2S and XEP-0361)
  • Web monitoring of C2S connections
  • XEP-0237 Roster versioning
  • C2S SASL EXTERNAL to provide client strong authentication
  • SASL GSSAPI support to enable client authentication using Windows SSO
  • Provide transformations for C2S connections, for example to prevent negotiation of in-band bytestreams

Update 6: Upgrade

To provide an upgrade from M-Link 17.0. This capability is best developed last.

Note that M-Link 19.4 limited release will automatically upgrade from M-Link 19.2/19.3 Edge and from M-Link 19.3 MU Gateway.

Items Under Consideration for M-Link 19.4 Final Release

There is a trade-off between functionality included and ship date. The following capabilities supported in in 17.0 are under consideration for inclusion in M-Link 19.4. We ask for customer review of these items.

Unless we get clear feedback requesting inclusion of these features, we will not include them in 19.4 and will consider them as desirable features for a subsequent release.

  • XEP-0114 Jabber Component Protocol that allows use of third party components.
  • Archiving PubSub events (on user and pubsub domains)
  • Configuring what to archive per domain (R17 supports: nothing, events only (create, destroy, join, etc), events and messages)
  • Providing a clean user interface for assigning MUC affiliations to groups, to simplify MUC rights administration. This can currently be achieved but the UI is limited
  • XEP-0227 configuration support to facilitate server migration
  • “Send Announcement” to broadcast information to all users
  • PDF/A archiving to provide a simple and stable long term archive

Features post 19.4

After 19.4 Final Release is made, future releases will be provided on the normal Isode model of major and minor releases with updates as bug fix only.

Customer feedback is requested to help us set priorities for these subsequent releases.

M-Link IRC Gateway

M-Link IRC gateway is the only M-Link product not provided in M-Link 19.4. M-Link 17.0 IRC Gateway works well as an independent product.

When we do a new version, we plan to provide important new functionality and not simply move the 17.0 functionality into a new release.

New Capabilities

The R19.4 User Server focus has been to deliver functionality equivalent to 17.0 on the R19.3 base. After 19.4 we are considering adding new features. Customers are invited to provide requirements and to comment on the priority of identified potential new capabilities set out here:

  • FMUC Clustering.  M-Link 19.4 (and 17.0) FMUC nodes cannot be clustered.
  • FMUC use with M-Link IRC Gateway. Currently, IRC cannot be used with FMUC. This would be helpful for IRC deployment.
  • STANAG 4774/4778 Confidentiality Labels.
  • RFC 7395 Websocket support as an alternative to BOSH.
  • OAuth (RFC 6749) support
  • Support of PKCS#11 Hardware Security Modules

M-Link 17.0 User Server Features not in R19.4

This section sets out a number of 17.0 features that are not planned for R19.4. If there is a clear customer requirement, we could include in R19.4. We are interested in customer input on priority of these features relative to each other and to other potential work.

The following capabilities are seen to have clear benefit and Isode expects to add them.

  • Security Label and related configuration for individual MUC Rooms.  In 19.4 this can be configured per MUC domain, so an equivalent capability can be obtained by using a MUC domain for each security setting required,
  • XEP-0012 Last Activity
  • Option to limit the number of concurrent sessions for a user
  • XMPPS (port 5223) has clear security benefits. The 17.0 implementation has limited management which means that it is not generally useful in practice.

The following capabilities are potentially desirable.  Customer feedback is sought.

  • XEP-0346 Form Discovery and Publishing (FDP)
    • WebApp viewer.  We believe this would be better done in a client (e.g., Swift).
    • Gateway Java app, which converted new FDP forms to text and submitted to MUC.
    • Administration of FDP data on Server.   
  • Per-Domain Search Settings, so that users can be constrained as to which domains can be searched
  • Internal Access Control Lists, for example to permit M-Link Administrators to edit user rosters.
  • Generic PubSub administration

Features in M-Link 17.0 that Isode plans to drop

There are a number of features provided in M-Link 17.0 that Isode has no current plans to provide going forward, either because they are provided by other mechanisms or they are not seen to add value. These are listed here  primarily to validate that no customers need these functions.

  • Schematron blocking rules
    • These have been replaced with XSLT transform rules
  • IQ delegation that enables selected stanzas sent to users to be instead processed by a component
  • XEP-50 user preferences
    • This ad-hoc allowed users to set preferences overriding server defaults to indicate which types of stanzas they wanted to store in offline storage and whether to auto-accept or auto-subscribe presence.
  • Management of XEP-0191 block lists by XEP-0050 ad hoc
    • Management of block lists, where desired, is expected to be performed by XEP-0191
  • XEP-114 Component permissions
  • Pubsub presence, apart from that provided by PEP
  • XEP-78 (non-SASL authentication)
    • This is obsolete
  • Some internal APIs that are not longer needed
  • Support for a security label protocol (reverse engineered by Isode) used in the obsolete CDCIE product
  • Security Checklist
    • M-Link Console had a security checklist which checked the configuration to see if there was anything insecure
    • This does not make sense in context of the Web interface which aims to flag security issues in appropriate part of UI
  • Conversion of file based archive to Wabac
    • M-Link Console had an option to “Convert and import file-based archive…” in the “Archive” menu
    • This was needed to support archive migration from older versions of M-Link
  • Pubsub-based statistics. M-Link 17.0 recorded statistics using PubSub. M-Link 19.4 does this using Prometheus, which can be integrated with Grafana dashboards.
  • XMPP-based group discovery – the ability to use XMPP discovery on an object  and get a list of groups back.
  • XML-file archives
    • This was a write-only archive format used by older versions of M-Link before introduction of the current archive database. M-Link 17.0 continued to support this option.

Adding a Security Policy to M-Link

We have two small changes to our evaluation guide series to announce (with many more coming soon).

Our core XMPP Messaging Evaluation Guide, using our M-Link XMPP server and M-Vault LDAP directory, now includes a section on adding a Security Policy to your XMPP service. In this new section we show you how to add a the policy to your service and clearances to your users. You can additionally apply label based controls to multi-user chat, domains and peer services (all of which and more is covered in the M-Link Admin Guide).

The Security Policy we use in the evaluation guide is one of the demonstration policies we ship with M-Link but, if you want to create your own, contact us about evaluating our SPIF Editor. SPIF (Security Policy Information File) is a file representation of a Security Policy, in other words the definition of which labels are valid and how to check them against clearances.

R16.3: Multi-Master Directory, XMPP Archive/Search & ACP127 support

We’re pleased to announce the availability of Isode’s latest release, R16.3, which can be downloaded now from our website. R16.3 is a major Isode release which adds new capabilities across the entire Isode product range, including:

M-Vault

We’ve introduced a multi-master capability to M-Vault, complementing the single-master approach to replication defined in the X.500 protocols around which M-Vault was developed. M-Vault is the first directory to offer both multi-master and X.500.

M-Link

M-Link gains a new Archive Server for archive of all messages (including 1:1 chat, MUC and PubSub). XMPP clients can access archives using Message Archive Management (MAM) as defined in XEP-0313. M-Link also gains three new web applications:

  1. Message Archive Management, allowing browser-based access to information in the archive.
  2. Statistics, a lightweight monitoring alternative to the M-Link Console GUI.
  3. Forms Discovery and Publishing, for end-user publishing and display of FDP forms.

M-Link Statistics Web App
M-Link Statistics Web App

M-Switch

We’ve added gateway support for text based organisational message protocols, which we’re collectively describing as ACP127. The first release of this capability supports ACP127 and DOI 103S, a popular US variant, and enables conversion with STANAG 4406 (compliant to STANAG 4406 Annex D) and SMTP (following the MMHS over SMTP extensions).

In addition we’ve made extensive improvements to MConsole and M-Link Console to support the new M-Switch and M-Link family capabilities. For a full run-down of new capabilities in R16.3, please see the Product Release page. We’ll be publishing further blog posts over the coming weeks focusing on some of the new R16.3 capabilities.

M-Link XMPP/IRC Gateway

A new whitepaper on the Isode website (Interconnecting XMPP and IRC) shows how Isode’s M-Link XMPP Server can be connected to and used in conjunction with chat services using IRC (Internet Relay Chat) in a range of deployment scenarios.

In order to help our customers and evaluators establish connections between XMPP Multi-User Chat (MUC) rooms and IRC channels, without downgrading security for XMPP users with XMPP traffic we’ve published a new evaluation guide.

New “Military forms using XMPP” whitepaper and access to our Military forms Demo

Forms are important for military operations, and there is often a need to handle forms quickly and share with a large number of users, such as Medical Evacuation (MEDEVAC) alerts.

XMPP based open standard instant messaging is widely used by military organisations and is a sensible framework for sharing forms. Our new whitepaper [Military Forms using XMPP], published on the Isode website today, looks at the requirements for military forms and how the XEP-0346 “Forms Display and Publishing” (FDP) can be used to provide real time military forms. It looks at how capabilities provided by M-Link support military forms using FDP, and how gateways can enable integration with other services. FDP is supported in the most recent R16.2 release along with FDP Management in M-Link Console.

Isode support to Boeing and NCI Agency at Unified Vision 2014

Over the last couple of years we’ve been conducting both ground and flight trials with a number of military aircraft operators to look at addressing the problems of text chat over constrained links (high-latency, unreliable connection, low-bandwidth).

Text chat has become a vital capability for the modern warfighter but most modern text chat deployments have significant problems, both architectural and functional, in the constrained link environment.

Addressing these problems has been a high priority for our development team and we believe that our M-Link XMPP server product now leads the field in this environment.

We continue to participate in trials whenever we’re given the opportunity, which is why we were very happy to support Boeing and NATO’s NCI Agency in the recent Unified Vision 2014 exercise, the largest ever test of NATO’s intelligence, surveillance and reconnaissance (ISR) capabilities.

M-Link capabilities, including Federated Multi-User Chat and submission of Tactical Reports (TACREPS) using dynamic chat forms, were extensively tested over a 10 day period. We’re very happy with the feedback and results we got from the tests, which will enable us to make even more improvements to M-Link’s performance.

The results from Unified Vision will be used as the baseline for implementation of a Joint ISR Initial Operational Capability, in 2016, for the NATO Response Force.