X.400 Military Messaging

STANAG 4406 is the NATO standard for Military Messaging based on X.400. STANAG 4406 defines a number of functional and security features to support formal military messaging. It is particularly important for High Grade Messaging, where features of X.400 to support high reliability are used.

Two of the primary standards for Military Message Handling Systems (MMHS) are ACP 123 and STANAG 4406, which are technically aligned. Isode's primary technical reference for MMHS is STANAG 4406 Edition 2, which from an MTA perspective is compatible with the two older references. These specifications are based on X.400.

This page describes the STANAG 4406/ACP 123 features in M-Switch X.400 (and M-Switch MIXER) that are defined by these documents (the majority of these MMHS features are taken from X.400), and most features needed are standard M-Switch X.400 capabilities. Much of STANAG 4406 relates to message content, and does not directly affect conformance.

Conformance to STANAG 4406 primarily relates to supporting the required features of X.400. The relevant parts of STANAG 4406, supported by Isode products, are:

Annexe A. This defines core MTA behaviour, and military extensions to X.400.
Annexe B. This describes security capabilities, in conjunction with the STANAG 4631 profile.
Annexe C. This sets out in detail the features of X.400 required. Isode products conform to the MTA parts of this annexe, for both X.400 P1 and X.400 P3.
Annexe G. This gives a profile of Annexe B, which is backwards compatible with an older version of security.
Annexe H. This describes security label support. Isode supports this both with Annexe B and X.411 security labels.

In addition, the M-Switch Products for Constrained Networks support Annex E, covering tactical messaging in constrained network environments.

Priority

STANAG 4406 defines one Message Transport feature, which is to extend the X.400 three level message priority (low; medium; high) to six military levels (deferred; routine; immediate; priority; flash; override). This is supported by M-Switch X.400. Isode management GUIs can all display message priority using the military values.

M-Switch X.400 may be controlled using MConsole to limit message processing by priority, across the whole switch or for selected channels. This control may be used in support of MINIMIZE condition.

M-Switch X.400 allows permanent connections to be scheduled for selected priorities, and can also control setting of the DSCP (Differentiated Service Code Point) values for different connections, to enable message traffic differentiation according to DiffServ (RFC 2474 and RFC 2475).

STANAG 4406 Content Support

Although STANAG 4406 does not require an MTA to be able to interpret message content, there is benefit in being able to do so. M-Switch can interpret the P772 message format, which enables the following services from M-Switch X.400 that require interpretation of the message content:

Virus Checking.
Message Content Checking
Message Header Transformation

Support for all of the STANAG 4406 header extensions to X.400 and the extended body parts is provided, including those used in support of ACP127 mappings. The ADatP-3 body part, used to carry military MTF (Message Text Format) is supported, including MIXER mappings.

P772 Upgrade

M-Switch X.400 enables the conversion of standard X.400 to P772. This will correctly set mandatory and conditional P772 fields (Authorization Time, Primary Precedence, Copy Precedence) and has a configurable mapping from X.400 message priority to STANAG 4406 Grade of Delivery.

STANAG 4406 Security

STANAG 4406 defines message security mechanisms based on CMS (Cryptographic Message Syntax), which is also used in S/MIME. M-Switch X.400 supports these digital signature and security label mechanisms. In particular, M-Switch can sign a message and add a security label, and can verify and optionally remove message signatures. This enables MTA to MTA use of message signature. This message signing and verification capability can be used by M-Switch MIXER to provide the messaging component of an ACP145 gateway.

STANAG 4406 Encryption is supported by M-Switch Encryption, which is a capability that may be added to all variations of M-Switch.

Security Labels

M-Switch X.400 can handle the following X.400 Security Label locations and formats:

X.411 Envelope Security Labels
STANAG 4406 Annexe B (CMS) Security Labels
First Line of Text (FLOT) labels (display markings)

All of these formats can be interpreted from inbound messages. For outbound messages a default label can be added, or a label mapped from the inbound message. The outbound message can use a different label format to the inbound.

As well as changing the label encoding (e.g., from X.411 to STANAG 4406), label policies and associated formats can be mapped using label equivalences (e.g., to map from NATO to UK). Label format can also be mapped between ESS and X.411.

Access control can be applied based on message label, with controls based on security clearance of the message recipient or the channel/MTA to which a message is sent. For more information see [Security Label Capabilities in M-Switch].

Mapping of STANAG 4406 Headers with SMTP

M-Switch X.400 has support for STANAG 4406 Headings. M-Switch SMTP handles MMHS headers in SMTP according to RFC 6477 “Registration of Military Message Handling System (MMHS) header fields for use in Internet Mail”, see the M-Switch SMTP page for more details. These two capabilities, combined in M-Switch MIXER allow for:

Mapping between the MMHS over SMTP headers and STANAG 4406 Headers
Assigning MTS Grade of Delivery and internal M-Switch Priority according to the MMHS MMHS-Primary-Precedence: header.

Gateway to ACP127

An add-on, available for all M-Switch products, provides support for ACP127 and related protocols, alloiwng for a gateway to STANAG 4406 following STANAG 4406 Annex D. This is described on the M-Switch ACP127 page.