M-Link 19.4 Limited Release

1st August 2024 M-Link Product Announcement Product Release

M-Link 19.4 provides a significant update for M-Link User Server, M-Link MU Server, M-Link MU Gateway and M-Link Edge products. It does not provide M-Link IRC Gateway, which remains M-Link 17.0 only.

M-Link 19.4 Limited Release is provided ahead of the full M-Link 19.4 release. M-Link 19.4 Limited Release is fully supported by Isode for production deployment. There is one significant difference with a standard Isode release:

  • Updates to M-Link 19.4 Limited Release will include additional functionality. This contrasts with standard Isode releases, where updates are “bug fix only”. There will be a series of updates which will culminate in the full M-Link 19.4 release.

Goals

There are three reasons that this approach is being taken:

  1. To provide a preview for those interested to look at the new capabilities of M-Link 19.4.
  2. To enable production deployment of M-Link 19.4 ahead of full release for customers who do not need all of the features of the full M-Link 19.4 release. M-Link 19.4 Limited Release provides ample functionality for a baseline XMPP user service.
  3. To enable customer review of what will be in M-Link 19.4 full release. The initial 19.4 release led to useful feedback.

Benefits

M-Link 19.4 User Server and M-Link 19.4 MU Server offer significant benefits over M-Link 17.0:

  1. M-Link 19.4 is fully Web managed, and M-Link Console is no longer used. This is the most visible difference relative to M-Link 17.0. This enables management without installing anything on the management client.
  2. Flexible link handling:
    1. Multiple links may be established with a peer. These links may be prioritized, so that, for example, a SATCOM link will be used by default with fallback to HF in the event of primary link failure. Fall forward is also supported, so that the SATCOM link is monitored and traffic will revert when it becomes available again.
    2. Automatic closure of idle remote peer sessions after a configurable period.
    3. Support for inbound only links, primarily to support Icon-Topo.
    4. “Whitespace pings” to X2X (XEP-0361) sessions to improve failover after connectivity failures.
  3. Session monitoring improvements:
    1. Shows sessions of each type (C2S, S2S, X2X (XEP-0361), GCXP (M-Link Edge), and XEP-0365 (SLEP)) with information on direction and authentication
    2. Monitoring can be enabled for selected sessions to show traffic, including the ability to monitor session initialization.
    3. Statistics for sessions, including volume of data, and number of stanzas.
    4. Peer statistics, providing summary information and number of sessions for each peer.
    5. Statistics for the whole server, giving session information for the whole server.
  4. Provides metrics on activity, which can be fed into a Prometheus database using the statsd protocol. Prometheus is a widely used time series database used to store metrics: https://prometheus.io/. Grafana is a graphing front end often used with Prometheus: https://grafana.com/. Grafana provides dashboards to present information. Isode will make available sample Grafana dashboards on request to evaluators and customers. Metrics that can be presented include:
    1. Stanza count and rate for each peer
    2. Number of bytes sent and received for each link
    3. Number of sessions (C2S; S2S; GCXP; X2X; and XEP-0365 (SLEP))
    4. Message queue size for peers – important for low bandwidth links
    5. Message latency for each peer – important for high latency links
  5. Provides HTTP Upload (XEP-0363), which enables a client to upload a file to the M-Link server and then share it using a URL. This is supported by Swift 6.0 to provide file sharing.
  6. Enhanced FMUC (XEP-0289 Federated MUC) capabilities
    1. Use of the fallback capabilities of M-Link 19.4 to provide improved resilience
    2. Improved detection of failed communication between links, using (lack of) XEP-0198 acknowledgements to determine link failure and sending regular pings so that failure is detected when there is no user traffic.
  7. Improved Cluster Management, supporting clustering of data, configuration and archives.
  8. Improved Archive Management, supporting searching, import/export, backup and pruning.
  9. PDF/A archiving is provided by a command line tool, packaged separately, which connects to the M-Link archive server. PDF/A is a format suitable for long term archive of data. PDF/A archive is required by NATO.

M-Link 19.4 (Limited Release) Update Plan

There have been a number of updates to M-Link 19.4. The current update provides all of the major features of M-Link 17.0 and most of the widely used minor features.

We may make incremental updates with some of the features listed below.

The key functional change will be the ability to upgrade from M-Link 17.0.

The following minor enhancements are planned to be included:

  • CSR Generation. Management of PKI identities and certificates in R19.4 is currently done with PEM files, which is pragmatic. Use of PKCS#10 Certificate Signing Requests is a more elegant approach that enables operational integration with deployed Certification Authorities.
  • Certificate checking using CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol).
  • Complete implementation of XEP-0163 Personal Eventing Protocol (PEP). This is mostly complete in the current 19.4 update.
  • The current 19.4 update supports a single administrator with a password managed by M-Link. This will be extended to:
    • Option for multiple administrators
    • Option for administrators specified and authenticated by LDAP
    • Administrators with per-domain administration rights
  • XEP-0198 Stream Management support for C2S (currently supported in S2S and XEP-0361)
  • XEP-0237 Roster versioning
  • C2S SASL EXTERNAL to provide client strong authentication
  • SASL GSSAPI support to enable client authentication using Windows SSO
  • Provide transformations for C2S connections, for example to prevent negotiation of in-band bytestreams

Features post 19.4

After 19.4 Final Release is made, future releases will be provided on the normal Isode model of major and minor releases with updates as bug fix only. Customer input on priorities for future releases is always welcome.

M-Link 17.0 User Server Features not in R19.4

This section sets out a number of 17.0 features that are not planned for R19.4. The following capabilities are seen to have clear benefit and Isode expects to add them in a future release.

  • XEP-0114 Jabber Component Protocol that allows use of third party components.
  • XEP-0227 configuration support to facilitate server migration
  • “Send Announcement” to broadcast information to all users
  • Security Label and related configuration for individual MUC Rooms. In 19.4 this can be configured per MUC domain, so an equivalent capability can be obtained by using a MUC domain for each security setting required.
  • XEP-0012 Last Activity
  • Option to limit the number of concurrent sessions for a user
  • XMPPS (port 5223) has clear security benefits. The 17.0 implementation has limited management which means that it is not generally useful in practice.
  • XEP-0346 Form Discovery and Publishing (FDP) template editor.

The following capabilities are potentially desirable. Customer feedback is sought.

  • XEP-0346 Form Discovery and Publishing (FDP)
    • WebApp viewer. We believe this would be better done in a client (e.g., Swift).
    • Gateway Java app, which converted new FDP forms to text and submitted to MUC.
  • Per-Domain Search Settings, so that users can be constrained as to which domains can be searched
  • Internal Access Control Lists, for example to permit M-Link Administrators to edit user rosters.
  • Generic PubSub administration

Features in M-Link 17.0 that are End of Life

There are a number of features provided in M-Link 17.0 that Isode has no current plans to provide going forward, either because they are provided by other mechanisms or they are not seen to add value. These are listed here primarily to validate that no customers need these functions.

  • Schematron blocking rules
    • These have been replaced with XSLT transform rules
  • IQ delegation that enables selected stanzas sent to users to be instead processed by a component
  • XEP-0050 user preferences
    • This ad-hoc command allowed users to set preferences overriding server defaults to indicate which types of stanzas they wanted to store in offline storage and whether to auto-accept or auto-subscribe presence.
  • Management of XEP-0191 block lists by XEP-0050 ad hoc
    • Management of block lists, where desired, is expected to be performed by XEP-0191
  • XEP-0114 Component permissions
  • Pubsub presence, apart from that provided by PEP
  • XEP-0078 (non-SASL authentication)
    • This is obsolete
  • Some internal APIs that are no longer needed
  • Support for a security label protocol (reverse engineered by Isode) used in the obsolete CDCIE product
  • Security Checklist
    • M-Link Console had a security checklist which checked the configuration to see if there was anything insecure
    • This does not make sense in the context of the Web interface, which aims to flag security issues in the appropriate part of the UI
  • Conversion of file based archive to Wabac
    • M-Link Console had an option to “Convert and import file-based archive…” in the “Archive” menu
    • This was needed to support archive migration from older versions of M-Link
  • Pubsub-based statistics. M-Link 17.0 recorded statistics using PubSub. M-Link 19.4 does this using Prometheus, which can be integrated with Grafana dashboards.
  • XMPP-based group discovery – the ability to use XMPP discovery on an object and get a list of groups back.
  • XML-file archives
    • This was a write-only archive format used by older versions of M-Link before introduction of the current archive database. M-Link 17.0 continued to support this option.