Medium Grade Features For Military Messaging


Christopher D. Bonatti
IECA, Inc., Turkey Foot Road, Darnestown, MD

Abstract

Two grades of messaging service have evolved independently in two different communities. The military messaging community has evolved an expectation of a high grade of messaging functionality. In contrast, the Internet messaging community has long provided a low grade of messaging functionality in keeping with the Internet's simple and best-effort paradigms. Commercial use of the Internet and military reliance on commercial off-the-shelf (COTS) products are forcing both communities to evolve to a common level of service: the so-called medium grade messaging. Standards bodies and industry fora have been working, often disjointedly, for several years to elaborate definitions of medium grade messaging features. This paper attempts to capture and refine a unified set of functional definitions for medium grade messaging, drawing from a variety of sources.

I INTRODUCTION

Military messaging has evolved over many decades to establish expectations for a high grade of messaging functionality. This is reflected today in the level of service described in Allied Communications Publication (ACP) 123 [1] for the International Telecommunications Union (ITU) Telecommunications Standardization Sector (ITU-T) X.400 series of recommendations [2]. The Simple Mail Transfer Protocol (SMTP), which is used widely on the Internet, has long provided a low grade of messaging functionality in keeping with the Internet's simple and best-effort paradigms. Commercial electronic mail systems now embrace Internet mail, but are also striving to provide a higher level of messaging functionality to their users: a so-called medium grade of messaging services. Meanwhile, military messaging systems are under pressure to reduce functionality and admit commercial off-the-shelf (COTS) products.
These factors are forcing both communities to evolve to a common level of service, described herein as medium grade messaging.

Standards bodies and consortia have both attempted to direct the drive to medium grade messaging by defining its requirements. The International Telecommunications Union (ITU) Telecommunications Standardization Sector (ITU-T) and the International Organization for Standardization (ISO) have amended the X.400 series of recommendations [2 and 3] with additional functionality to provide what they term Business Class Messaging (BCM) [4 through 7]. The Electronic Mail Association (EMA) developed a Business Quality Messaging (BQM) Functional Specification [8]. More recently, the U.S. Department of Defense (DoD) is developing a strategy and profile for Medium Grade Messaging (MGM) [9 and 10]. While all of these initiatives have their differences, a core set of requirements for what makes a messaging system medium grade appears to be emerging.

II MODEL AND CRITERIA

The various standards bodies and consortia that have attempted to define possible medium grade messaging features have varied in their results, in part because of differences in their approach and scope. Some studies, such as the effort, have attempted to model messaging from the very concrete perspective of application programming interfaces (APIs). Others, such as the effort, have taken a more generic service-oriented approach. In order to bridge these diverse viewpoints, it is necessary to establish a uniform model and set of criteria for identifying possible business class features. For simplicity, this paper asserts a common definition of both the messaging model and the scope of a medium grade feature.

GENERIC MESSAGING MODEL

The messaging model that is assumed for the purposes of this discussion is necessarily simple. Fig. 1 depicts the model and its relationship to existing models.
The messaging model includes a generic message exchange service whose properties are assumed to be broadly similar to COTS suites of SMTP or X.400 products. The functionality of the exchange service subsumes that of message store (MS), distribution list (DL), translation gateways, and other common features of messaging systems. It is intended to collect all of the functions of the messaging service provider within the model. Further refinement of the exchange service is not possible without becoming technology-specific.

Fig. 1. A generic messaging model is helpful in avoiding debates about underlying technology. (Diagram labels: Human User; Originating; Recipient; Submission; Retrieval; Services Provided; Virtual Association (Peer Protocol); Network Service; Transport Layer; Network/Internet Layer; Data Link/Network Layer; Physical Layer.)

The messaging model also includes user agents (UAs), which act on behalf of the human user to submit and take delivery of messages. The UA is the focus for all content-oriented services that are provided on an originator-to-recipient basis. Both the message exchange service and the UAs operate as application layer entities, and provide services to the human user. Security services may apply equally throughout the messaging model.

CRITERIA FOR MEDIUM GRADE FEATURES

In the context of this paper, a feature is an element of protocol, service or procedure that results in some quantifiable service being provided to either the originator or recipient(s) of messages. In evaluating potential features for a medium grade messaging service, the following prioritized criteria were used to assess the overall merit of each feature. Good MGM features should:

- Be independent of particular implementation strategy or protocols;
- Apply to a broad community of users; and
- Not be provided by common configurations of COTS message handling systems.

Ideally, some commonality was also sought among different medium grade initiatives (e.g.,, ISO BCM). However, in some cases, features failing to meet this criterion were included based on strengths in other areas. Fig. 2 illustrates the ideal relationship between the different medium grade initiatives and the features in this paper.

III DESCRIPTION OF COMMON FEATURES

Several medium grade messaging features stand out as obvious deficiencies in the existing state of the industry, while other features are more esoteric but provide excellent benefits to the user for implementation costs that are quite low.
Most of the features from the former category apply to the message exchange service, while most of the latter are instantiated only as additional fields in the message content. Table 1 summarizes the set of features discussed in this section, and lists their respective types and origins.

Fig. 2. A Venn diagram shows the approximate relationship between the various medium grade definitions and the set of common features. (Diagram labels: ISO BCM; DoD MGM; EMA BQM; Features identified as common in this paper.)

Table 1. The common medium grade features originate from a variety of specifications.

Feature Name                                   Type
Transaction-style Processing for Reliability   Message Exchange
Delivery and Non-delivery Notifications        Message Exchange
Receipt Notifications                          Message Exchange
Delivery Priority                              Message Exchange
Maximum Lifetime                               Message Exchange
Distribution List Expansion                    Message Exchange
DL Exempted Recipients                         Message Exchange
Access Control                                 Security
Confidentiality                                Security
Integrity                                      Security
Non-repudiation of Origin                      Security
Non-repudiation of Receipt                     Security
Security Labeling                              Security
Globally Unique Identifier                     Content
Precedence                                     Content
Obsoleting                                     Content
Distribution Codes                             Content
Authorization Time                             Content
Manual Handling Instructions                   Content
Information Category                           Content
Originator Reference                           Content
Other Recipients                               Content
Circulation List Recipients                    Content

(The Origin(s) column of Table 1 survives in this transcription only as three "ACP 123" entries whose rows cannot be determined.)

MESSAGE EXCHANGE SERVICE FEATURES

A robust message exchange service is critical to any medium grade messaging product or service. Necessary features include high reliability, delivery and non-delivery notifications, receipt notifications, message delivery priority, maximum message lifetime, distribution list (DL) expansion, and DL exempted recipients.

Transaction-style Processing for Reliability

Medium grade exchange services should be implemented so as to ensure reliability of message submission, transfer and delivery. A transactional style of processing must be adopted to provide an acceptable level of reliability in a distributed system. For messaging protocol engines, this means designing message transfer agents (MTAs) and user agents (UAs) to reach a stable and recoverable state of message processing (e.g., logged into the in-queue and saved to non-volatile storage) before acknowledging completion of any message transfer. Other factors such as graceful recovery from a system failure also need to be considered.

Delivery and Non-delivery Notifications

Notifying the originator when a message cannot be delivered to its intended recipients is a basic feature of nearly all messaging systems. Notification that a successful delivery has taken place is also very important in many business scenarios, but is only now beginning to be widely supported. Delivery notifications are important because they often constitute a report of the delivery from a neutral third party.
They also provide an indication of when a particular message reached the recipient company or organization regardless of how quickly that company may have processed the information. In business processes that involve submission deadlines, this type of information can be quite valuable to the originator.

Receipt Notifications

Receipt notifications provide a positive confirmation that the UA has processed the message. What constitutes processing varies widely, but usually entails opening a message and may even entail manually confirming reading and understanding the message. This capability is crucial in business scenarios in which hand-off of responsibility is required. Receipt notifications are usually generated by the recipient UAs, but are part of the message exchange functions.

Delivery Priority

A prioritized message exchange service is important for optimizing resource utilization for scenarios in which:

a) The cost of transmission is high; or
b) The available transmission resources are saturated.

Both of these situations are more common than is generally realized, particularly in the small business sector. Prioritized message exchange allows urgent messages to be expedited by MTAs (causing the urgent messages to be sent before less urgent traffic), perhaps causing an intermittent network connection to be opened ahead of schedule. Conversely, this feature allows more aggressive cost control for a company's overall messaging system. This is because the high level of service required for urgent messages need not be maintained for the bulk of the message traffic.

Maximum Lifetime

Many types of information exchanged using message handling are perishable. Services that allow the originator to provide an indication of this perishability, in the form of an expiry time, reduce transfer costs and adverse impacts on recipients.

Distribution List Expansion

Distribution lists (DLs) go by many names in the messaging industry depending on their exact characteristics and implementation. Sometimes called address lists (ALs), mail lists (MLs), or merely mail exploders, this ability to support sending messages to a centrally managed list of recipients is a critical medium grade messaging feature. DLs are used to support the dissemination of information to teams and business units of all sizes, and to support on-line discussion in distributed fora.

DL Exempted Recipients

Some messaging systems enable the originator to specify particular recipients that should be omitted from the set of recipients resulting from DLs. This capability is quite useful in circumstances where the business process requires a small number of recipients to be excluded from a widespread distribution. Examples include collection of personnel performance appraisal inputs, or exclusion of traveling users from large file distributions. Support of this feature is not yet widespread, and is thus a key product discriminator.

SECURITY FEATURES

Protection of message traffic with security services is increasingly important to any medium grade messaging product or service. Necessary features include access control, message confidentiality, message integrity, non-repudiation of origin, non-repudiation of delivery, message security labeling, and message sequence integrity.

Access Control

Control of access to the messaging infrastructure has become a more appreciated issue in recent years.
Recent increases in theft of service, denial of service attacks, and anonymous Internet junk mail (i.e., "spam") have increased awareness of this deficiency in many messaging systems. Countermeasures recently deployed against these threats include submission control based on originating network address and restriction of transfer-only operations on many MTAs. Stronger means are also possible based on cryptographic authentication mechanisms, but these are not yet broadly supported by industry.

Confidentiality

Services that prevent the disclosure of the content of a message to anyone other than the authorized recipients are a vital part of the messaging security requirement for medium grade messaging. Business processes that involve personal, proprietary or classified information cannot be safely conducted over messaging without this service. Message confidentiality is usually provided by encryption supported by protected exchange of a one-time shared symmetric key. The key exchange is usually performed within the messaging protocols.

Integrity

Basic message integrity is an essential requirement of the transfer service, but protection against deliberate tampering or modification enters the realm of security. This service is necessary in any medium grade messaging product or service. Message integrity is usually provided by use of a digital signature over the message, but may also be provided by application of secure hash or other encryption functions.

Non-repudiation of Origin

Non-repudiation of origin is the capability for the recipient to be able to demonstrate to a third party that the originator of a message is actually who they claim to be. Business processes that involve authorized approval cannot be safely conducted over messaging without this service. Non-repudiation of origin is usually provided by use of a digital signature over the message.
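
The two countermeasures named under Access Control above (submission control by originating network address, and restriction of transfer-only operations, read here as relaying mail that neither comes from nor is addressed to the local site) can be combined into one per-recipient MTA decision. This is an added example, not code from the paper; the networks, domains, function names and the `authenticated` flag (standing in for a cryptographic authentication result) are constructed for illustration.

```python
import ipaddress

# Constructed sample policy: documentation address ranges and example domains.
SUBMIT_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]
LOCAL_DOMAINS = {"example.org", "hq.example.org"}


def is_submission_source(client_ip):
    """True if the connecting address lies in a network allowed to submit."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable peer address is never trusted
    # An IPv4 client seen through a dual-stack socket arrives as
    # ::ffff:a.b.c.d; unwrap it so the IPv4 rules apply.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr.version == net.version and addr in net
               for net in SUBMIT_NETWORKS)


def recipient_domain(rcpt):
    """Return the lower-cased domain of an address, or None if unusable."""
    local, sep, domain = rcpt.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    # Legacy source-routed forms carry a second destination in the local
    # part, which would make a remote recipient look local. Refuse them.
    if any(ch in local for ch in "%!@"):
        return None
    return domain.rstrip(".").lower() or None


def decide(client_ip, rcpt, authenticated=False):
    """Classify one (client, recipient) pair against the access policy."""
    domain = recipient_domain(rcpt)
    if domain is None:
        return "reject-malformed"
    if authenticated or is_submission_source(client_ip):
        return "accept-submission"   # own user: may send anywhere
    if domain in LOCAL_DOMAINS:
        return "accept-inbound"      # outside sender, local recipient
    return "reject-relay"            # transfer-only request from outside


def screen(client_ip, recipients, authenticated=False):
    """Split a recipient list into accepted and refused (address, verdict)."""
    accepted, refused = [], []
    for rcpt in recipients:
        verdict = decide(client_ip, rcpt, authenticated)
        bucket = accepted if verdict.startswith("accept") else refused
        bucket.append((rcpt, verdict))
    return accepted, refused
```

The decision is made per recipient, so a single outside connection can have its local recipients accepted while its relay attempts are refused.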
Non-repudiation of Receipt

Non-repudiation of receipt is the capability for the originator to be able to demonstrate to a third party that the intended recipient of a message has actually received it, and is who they claim to be. Non-repudiation of receipt is usually provided by use of a digital signature over some form of receipt.

Security Labeling

Message security labeling allows the originator to attach an indication of the message's sensitivity to disclosure or other threats. Labeling is of growing importance in medium grade messaging as commercial enterprises recognize benefits from a compartmentalization approach to handling proprietary information. The ASN.1 data structure SecurityLabel, originally described in International Telegraph and Telephone Consultative Committee (CCITT) (footnote 1) recommendation X.411:1988 [11], has become a de facto standard because of its adoption in numerous secure messaging and directory efforts. However, subsequent definition of the security-categories field of the X.411 label has proven to be controversial, and is continuing in NATO, the Combined Communications Electronics Board (CCEB), and ISO Subcommittee 27 (SC27).

CONTENT FEATURES

The content of the message itself must provide a number of vital services to adequately support medium grade messaging. Necessary features include a globally unique message identifier, a precedence indication, an obsoleting indication, distribution codes, an authorization time, manual handling instructions, an information category, an originator reference, other recipients, and the circulation list.

Globally Unique Identifier

Messages should be associated with a globally unique identifier to facilitate correlation of duplicates, allow cross-referencing of messages, and support management functions. Global uniqueness can easily be achieved by appending an appropriate time code or serial number to a uniquely registered user name or address. Many messaging systems already provide globally unique identifiers, but limit their effectiveness by conveying them in varying protocol fields (e.g., often X- extension headers in SMTP).

Precedence

Messages should contain an indication of the originator's perceived importance, or relevance, of the message (i.e., precedence) to each recipient of the message. This precedence value might be used to affect how the message is presented to the user (e.g., highlights or colors), or might trigger automatic alerts (e.g., via pager). Each recipient might have a different precedence. This service may or may not be directly tied to the message delivery priority service described for the exchange service.
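
Returning to the SecurityLabel structure discussed under Security Labeling above: the following added example (not part of the paper) models the four components of the X.411 label and shows one way a delivering system could use it to decide which recipients may receive a labeled message. The `Clearance` record, the fail-closed release rule, the ordering of classifications by integer value and all sample values (including the `2.999.x` example OIDs) are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Optional


class SecurityClassification(IntEnum):
    """Named values of security-classification in the X.411 SecurityLabel."""
    UNMARKED = 0
    UNCLASSIFIED = 1
    RESTRICTED = 2
    CONFIDENTIAL = 3
    SECRET = 4
    TOP_SECRET = 5


@dataclass(frozen=True)
class SecurityLabel:
    """The four components of the X.411 SecurityLabel SET, all OPTIONAL."""
    security_policy_identifier: Optional[str] = None   # OID in dotted form
    security_classification: Optional[SecurityClassification] = None
    privacy_mark: Optional[str] = None                  # display text only
    # X.411 carries each category as a typed value. They are modelled here
    # as opaque strings because their definition is the contested part.
    security_categories: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Clearance:
    """Hypothetical per-recipient record held by the delivering system."""
    policy: str
    ceiling: SecurityClassification
    categories: FrozenSet[str] = frozenset()


def check_release(label, clearance):
    """Return (allowed, reason). Anything that cannot be evaluated is denied."""
    if label is None:
        return False, "no label"
    if label.security_policy_identifier is None:
        return False, "label names no policy"
    # Classifications are only comparable under the same security policy.
    if label.security_policy_identifier != clearance.policy:
        return False, "policy mismatch"
    if label.security_classification is None:
        return False, "no classification"
    if label.security_classification > clearance.ceiling:
        return False, "classification above ceiling"
    missing = label.security_categories - clearance.categories
    if missing:
        return False, "missing categories: " + ", ".join(sorted(missing))
    return True, "ok"


def partition_recipients(label, clearances, recipients):
    """Split recipients into deliverable names and (name, reason) refusals."""
    deliver, withhold = [], []
    for name in recipients:
        clearance = clearances.get(name)
        if clearance is None:
            allowed, reason = False, "no clearance on file"
        else:
            allowed, reason = check_release(label, clearance)
        if allowed:
            deliver.append(name)
        else:
            withhold.append((name, reason))
    return deliver, withhold


def sample_run():
    """Constructed data: one labeled message checked against five recipients."""
    C = SecurityClassification
    label = SecurityLabel("2.999.1", C.CONFIDENTIAL, "COMPANY PROPRIETARY",
                          frozenset({"PROJECT-A"}))
    clearances = {
        "alice": Clearance("2.999.1", C.SECRET, frozenset({"PROJECT-A", "HR"})),
        "bob": Clearance("2.999.1", C.RESTRICTED, frozenset({"PROJECT-A"})),
        "carol": Clearance("2.999.1", C.SECRET),
        "dave": Clearance("2.999.2", C.TOP_SECRET, frozenset({"PROJECT-A"})),
    }
    return partition_recipients(
        label, clearances, ["alice", "bob", "carol", "dave", "eve"])
```

The privacy mark is deliberately ignored by the check: it is text for display, and a decision that depended on it would depend on a free-form string.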
Obsoleting

Messages should contain the globally unique message identifier of any other messages that, by their receipt, are rendered outdated or obsolete. This service addresses the perishability of messages from a different perspective than the maximum message lifetime service described for the exchange service. This service aims to reduce confusion on the part of recipients as a result of message perishability.

Footnote 1: Note that CCITT was later reorganized into the ITU-T. The term CCITT is used here for historical accuracy.

Distribution Codes

The distribution codes service enables the originator to provide the recipient UAs with information to support the redistribution of the message either within the messaging system (e.g., auto-forwarding) or externally (e.g., hard copy distribution). It may also provide information to features such as automatic alerts (e.g., pager).

Authorization Time

The authorization time indication service enables the originator to indicate to the recipient the date and time at which a message was formally authorized. Depending upon local requirements, this date and time stamp may vary from the date and time when the message was submitted to the transfer system.

Manual Handling Instructions

The manual handling instructions indication service enables the originator to indicate to the recipient any post-delivery instructions (e.g., recipient handling remarks) that may accompany the message. The service might provide instructions consisting of free form text that may state special requests for recipient handling, or instructions for how to process body data.

Information Category

The information category indication service enables the originator to indicate to the recipient the character of the information contained in the message. The service might provide a registered identifier for each particular category, or free form information describing the nature of the communication.
The recipient may use the information provided by this service to affect the presentation of messages to the recipient, or to affect any other local processing functions. A specific definition of information category values and semantics should be mutually supported by the originator and the recipient. Examples of possible information category values include: draft message, press release, contractual commitment, and policy statement.

Originator Reference

The originator reference indication service enables the originator to indicate to a recipient a reference value, chosen by the originator, to be used within the organization of the originator as an internal reference. Examples of possible references include: file number, claim number, and legal case number. This information may be used by the recipient in later communications with the originator, possibly by other means, concerning a particular message.

Other Recipients

The other recipients indication service enables an originator to indicate to a recipient the names of intended recipients who will receive a message without the use of messaging (e.g., via fax). The service should also allow indication of which category, such as primary (i.e., "To:") or copy (i.e., "Cc:"), the other recipients should be considered.

Circulation List Recipients

The circulation list recipients indication service enables the originator to indicate to the recipient a list of recipients to which the originator requests the message be serially distributed. In this context, recipients that have received the message are said to be "checked" in the circulation list. The circulation list should be updated by the recipient and included in a forwarded IPM sent to the next recipient that has not been checked. This service models a common business practice for circulating pertinent materials to small groups for comment.

IV CONCLUSION

This paper attempts to capture and refine a unified set of emerging functional requirements for medium grade messaging drawn from a variety of sources. Three types of features are identified: message exchange features, security features and content features. The message exchange features tend to address well known deficiencies in the existing state of the messaging industry. These tend to be the most complex features from an implementation standpoint, but represent well-understood concepts and technology. Security features address an already broad, and still growing, market segment. These tend to be more straightforward to implement, but are fraught with open standardization issues. The content features are more esoteric but provide excellent benefits to the user for generally low implementation costs.

The various medium grade development efforts exhibit a strong correlation of both objectives and outcome. Yet none of these activities appears to have gained a strong beachhead in the commercial products arena. This suggests that efforts should be made to harmonize the various definitions of medium grade messaging for the purpose of promoting a larger, more lucrative market for developers.

V REFERENCES

1. ACP 123: Common Messaging Strategy and Procedures, November
2. ITU-T X.400 Series: Data Communication Networks: Message Handling Systems,
3. ISO/IEC Series: Information Technology Message Handling Systems (MHS),
4. ISO/IEC PDAM 4: Business Class
5. ISO/IEC PDAM 4: Business Class
6. ISO/IEC PDAM 4: Business Class
7. ISO/IEC PDAM 4: Business Class
8. Business Quality Messaging Functional Specification, Electronic Mail Association (EMA) Business Quality Messaging (BQM) Special Interest Group (SIG), November
9. Defense Messaging System (DMS) Medium Grade Messaging Strategy, Defense Information Systems Agency (DISA), 7 August 1998 (DRAFT).
10. Protocols Profile for Department of Defense Medium Assurance Messaging, Mitre Corp., Revision 2.0, January
11. CCITT X.411:1988: Data Communication Networks: Message Handling Systems: Message Transfer System: Abstract Service Definition And Procedures,
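
As an added illustration of three features described in Section III (the globally unique identifier, the obsoleting indication, and the maximum lifetime expressed as an expiry time), the following example shows how a recipient-side store might apply them together. It is not part of the paper: the identifier layout, the `Mailbox` class, the status strings and the sample addresses are constructed, and the originator field is assumed to have been authenticated already (for instance by the digital signature services described above).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class Message:
    msg_id: str
    originator: str                      # assumed authenticated upstream
    subject: str
    expires: Optional[datetime] = None   # maximum lifetime as an expiry time
    obsoletes: Tuple[str, ...] = ()      # identifiers this message supersedes


def make_message_id(originator, serial, when):
    """Registered address with a time code and a serial number appended."""
    stamp = when.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    return f"{originator.lower()};{stamp};{serial:06d}"


class Mailbox:
    def __init__(self):
        self.current = {}    # msg_id -> Message still valid
        self.obsolete = {}   # msg_id -> Message superseded by a later one
        self.seen = set()    # every identifier accepted so far
        self.pending = {}    # obsoleted id -> originators that asked early

    def deliver(self, msg, now):
        # The identifier must belong to the (authenticated) originator, so
        # nobody can pre-empt or shadow another party's identifiers.
        if not msg.msg_id.startswith(msg.originator.lower() + ";"):
            return "rejected-id"
        if msg.msg_id in self.seen:
            return "duplicate"
        self.seen.add(msg.msg_id)
        if msg.expires is not None and now >= msg.expires:
            return "expired"
        for old_id in msg.obsoletes:
            old = self.current.get(old_id)
            if old is None:
                # Older message not here (yet): remember who asked.
                self.pending.setdefault(old_id, set()).add(msg.originator)
            elif old.originator == msg.originator:
                self.obsolete[old_id] = self.current.pop(old_id)
            # A request from a different originator is ignored; otherwise
            # any sender could suppress another party's traffic.
        if msg.originator in self.pending.get(msg.msg_id, ()):
            self.obsolete[msg.msg_id] = msg   # arrived after its replacement
            return "stored-obsolete"
        self.current[msg.msg_id] = msg
        return "stored"

    def purge(self, now):
        """Drop messages whose lifetime has run out; return their ids."""
        gone = sorted(i for i, m in self.current.items()
                      if m.expires is not None and now >= m.expires)
        for i in gone:
            del self.current[i]
        return gone


def run_demo():
    """Constructed traffic exercising each outcome; returns (statuses, box)."""
    t0 = datetime(1999, 1, 4, 12, 0, tzinfo=timezone.utc)
    ops, other = "ops@hq.example.org", "other@partner.example"
    mid = lambda who, n: make_message_id(who, n, t0)
    v1 = Message(mid(ops, 1), ops, "Schedule v1")
    v2 = Message(mid(ops, 2), ops, "Schedule v2", obsoletes=(v1.msg_id,))
    forged = Message(mid(other, 1), other, "Cancel", obsoletes=(v1.msg_id,))
    r1 = Message(mid(ops, 3), ops, "Roster v1")
    r2 = Message(mid(ops, 4), ops, "Roster v2", obsoletes=(r1.msg_id,))
    stale = Message(mid(ops, 5), ops, "Weather",
                    expires=t0 - timedelta(hours=1))
    spoof = Message(mid(ops, 6), other, "Borrowed identifier")
    box = Mailbox()
    traffic = [v1, v1, forged, v2, r2, r1, stale, spoof]
    return [box.deliver(m, t0) for m in traffic], box
```

The originator comparison in `deliver` is the point a practitioner should carry over: an obsoleting indication is a request to hide someone's message, so it is only honored when both messages come from the same authenticated originator.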


THREATS AND VULNERABILITIES FOR C 4 I IN COMMERCIAL TELECOMMUNICATIONS: A PARADIGM FOR MITIGATION THREATS AND VULNERABILITIES FOR C 4 I IN COMMERCIAL TELECOMMUNICATIONS: A PARADIGM FOR MITIGATION Joan Fowler and Robert C. Seate III Data Systems Analysts, Inc. 10400 Eaton Place, Suite 400 Fairfax, VA

More information

Building on a Foundation for Growth: Integrating DLP with Message Security Infrastructure

Building on a Foundation for Growth: Integrating DLP with Message Security Infrastructure Building on a Foundation for Growth: Integrating DLP with Message Security Infrastructure An ENTERPRISE MANAGEMENT ASSOCIATES (EMA ) White Paper Prepared for RSA, The Security Division of EMC April 2010

More information

Security (II) ISO 7498-2: Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012

Security (II) ISO 7498-2: Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012 Course Outline: Fundamental Topics System View of Network Security Network Security Model Security Threat Model & Security Services Model Overview of Network Security Security Basis: Cryptography Secret

More information

Why you need secure email

Why you need secure email Why you need secure email WHITE PAPER CONTENTS 1. Executive summary 2. How email works 3. Security threats to your email communications 4. Symmetric and asymmetric encryption 5. Securing your email with

More information

Draft ITU-T Recommendation X.805 (Formerly X.css), Security architecture for systems providing end-to-end communications

Draft ITU-T Recommendation X.805 (Formerly X.css), Security architecture for systems providing end-to-end communications Draft ITU-T Recommendation X.805 (Formerly X.css), architecture for systems providing end-to-end communications Summary This Recommendation defines the general security-related architectural elements that

More information

PineApp TM Mail Encryption Solution TM

PineApp TM Mail Encryption Solution TM PineApp TM Mail Encryption Solution TM How to keep your outgoing messages fully secured. October 2008 Modern day challenges in E-Mail Security Throughout the years, E-Mail has evolved significantly, emerging

More information

Ciphire Mail. Abstract

Ciphire Mail. Abstract Ciphire Mail Technical Introduction Abstract Ciphire Mail is cryptographic software providing email encryption and digital signatures. The Ciphire Mail client resides on the user's computer between the

More information

544 Computer and Network Security

544 Computer and Network Security 544 Computer and Network Security Section 1: Introduction Dr. E.C. Kulasekere Sri Lanka Institute of Information Technology - 2005 Background Information Security requirements have changed in recent times

More information

3GPP TS 32.372 V8.0.0 (2008-12)

3GPP TS 32.372 V8.0.0 (2008-12) TS 32.372 V8.0.0 (2008-12) Technical Specification 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Telecommunication management; Security services for Integration

More information

Research Involving Human Biological Materials: Ethical Issues and Policy Guidance Executive Summary

Research Involving Human Biological Materials: Ethical Issues and Policy Guidance Executive Summary Research Involving Human Biological Materials: Ethical Issues and Policy Guidance Executive Summary Introduction Biomedical researchers have long studied human biological materials such as cells collected

More information

SPAM FILTER Service Data Sheet

SPAM FILTER Service Data Sheet Content 1 Spam detection problem 1.1 What is spam? 1.2 How is spam detected? 2 Infomail 3 EveryCloud Spam Filter features 3.1 Cloud architecture 3.2 Incoming email traffic protection 3.2.1 Mail traffic

More information

How To Choose Security Class S0 For An Extended Ats Message Service

How To Choose Security Class S0 For An Extended Ats Message Service ATNP/WG3 WP/15-38 17/01/99 AERONAUTICAL TELECOMMUNICATIONS NETWORK PANEL(ATNP) WORKING GROUP 3 - APPLICATIONS AND UPPER LAYERS Honolulu, 19-22 January 1999 (fifteenth meeting) Agenda Item 5.4 : Ground-Ground

More information

INTERNATIONAL TELECOMMUNICATION UNION

INTERNATIONAL TELECOMMUNICATION UNION INTERNATIONAL TELECOMMUNICATION UNION TELECOMMUNICATION STANDARDIZATION SECTOR STUDY PERIOD 2009-2012 English only Original: English Question(s): 4/17 Geneva, 11-20 February 2009 Ref. : TD 0244 Rev.2 Source:

More information

Electronic business conditions of use

Electronic business conditions of use Electronic business conditions of use This document provides Water Corporation s Electronic Business Conditions of Use. These are to be applied to all applications, which are developed for external users

More information

Vendor Questionnaire

Vendor Questionnaire Instructions: This questionnaire was developed to assess the vendor s information security practices and standards. Please complete this form as completely as possible, answering yes or no, and explaining

More information

Keeping SCADA Networks Open and Secure DNP3 Security

Keeping SCADA Networks Open and Secure DNP3 Security Keeping SCADA Networks Open and Secure DNP3 Security June 2008 DNP3 Protocol DNP3 protocol has become widely accepted within water and electrical utilities worldwide for SCADA communications with field

More information

Guidelines 1 on Information Technology Security

Guidelines 1 on Information Technology Security Guidelines 1 on Information Technology Security Introduction The State Bank of Pakistan recognizes that financial industry is built around the sanctity of the financial transactions. Owing to the critical

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Content Teaching Academy at James Madison University

Content Teaching Academy at James Madison University Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security - generic name for the collection of tools designed to protect

More information

Quality Procedures and Work Instructions Manual

Quality Procedures and Work Instructions Manual Quality Procedures and Work Instructions Manual Revision Number: (1) ISSUED TO: MANUAL NO: REVISION NO: ISSUE DATE: President Date 1 ii. Table of Contents 1 of 4 0 Section Number Name Revision Date i.

More information

SERVICE LEVEL AGREEMENT

SERVICE LEVEL AGREEMENT SERVICE LEVEL AGREEMENT This Service Level Agreement (SLA) is provided by ECS and is intended to define services and responsibilities between ECS and customer. ECS along with contracted 3 rd party partners

More information

ONLINE INTEREST-BASED ADVERTISING ACCOUNTABILITY PROGRAM PROCEDURES. Policy Oversight By: The National Advertising Review Council (NARC)

ONLINE INTEREST-BASED ADVERTISING ACCOUNTABILITY PROGRAM PROCEDURES. Policy Oversight By: The National Advertising Review Council (NARC) ONLINE INTEREST-BASED ADVERTISING ACCOUNTABILITY PROGRAM PROCEDURES Policy Oversight By: The National Advertising Review Council (NARC) Administered By: The Council of Better Business Bureaus, Inc. (CBBB)

More information

Data Storage Security in Cloud Computing

Data Storage Security in Cloud Computing Data Storage Security in Cloud Computing Prashant M. Patil Asst. Professor. ASM s, Institute of Management & Computer Studies (IMCOST), Thane (w), India E_mail: [email protected] ABSTRACT

More information

TELECOMMUNICATION SERVICE MANAGEMENT

TELECOMMUNICATION SERVICE MANAGEMENT CITR TECHNICAL JOURNAL VOLUME 1 1 TELECOMMUNICATION SERVICE MANAGEMENT QINZHENG KONG, GRAHAM CHEN, AND GLENN HOLLIMAN Abstract The development of standard platform approaches to the management of telecommunication

More information

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 -------------- w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------

More information

Reference Guide for Security in Networks

Reference Guide for Security in Networks Reference Guide for Security in Networks This reference guide is provided to aid in understanding security concepts and their application in various network architectures. It should not be used as a template

More information

CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS

CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS MARCH 2011 Acknowledgements This Viewpoint is based upon the Recommended Practice: Configuring and Managing Remote Access

More information

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10 Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between

More information

CSCI 4541/6541: NETWORK SECURITY

CSCI 4541/6541: NETWORK SECURITY 1 CSCI 4541/6541: NETWORK SECURITY COURSE INFO CSci 4541/6541 Tuesdays 6:10pm 8:40pm Bell Hall 108 Office Hours: Tuesdays 2:30pm 4:30pm Dr. Nan Zhang Office: SEH 4590 Phone: (202) 994-5919 Email: nzhang10

More information

Chapter 9 Key Management 9.1 Distribution of Public Keys 9.1.1 Public Announcement of Public Keys 9.1.2 Publicly Available Directory

Chapter 9 Key Management 9.1 Distribution of Public Keys 9.1.1 Public Announcement of Public Keys 9.1.2 Publicly Available Directory There are actually two distinct aspects to the use of public-key encryption in this regard: The distribution of public keys. The use of public-key encryption to distribute secret keys. 9.1 Distribution

More information

GE Measurement & Control. Cyber Security for NEI 08-09

GE Measurement & Control. Cyber Security for NEI 08-09 GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4

More information

How To Block Ndr Spam

How To Block Ndr Spam How to block NDR spam Spam generates an enormous amount of traffic that is both time-consuming to handle and resource intensive. Apart from that, a large number of organizations have been victims of NDR

More information

Snow Agent System Pilot Deployment version

Snow Agent System Pilot Deployment version Pilot Deployment version Security policy Revision: 1.0 Authors: Per Atle Bakkevoll, Johan Gustav Bellika, Lars, Taridzo Chomutare Page 1 of 8 Date of issue 03.07.2009 Revision history: Issue Details Who

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions May 3, 2004 TABLE OF CONTENTS GENERAL PKI QUESTIONS... 1 1. What is PKI?...1 2. What functionality is provided by a

More information

Network Security Administrator

Network Security Administrator Network Security Administrator Course ID ECC600 Course Description This course looks at the network security in defensive view. The ENSA program is designed to provide fundamental skills needed to analyze

More information

7. Public Key Cryptosystems and Digital Signatures, 8. Firewalls, 9. Intrusion detection systems, 10. Biometric Security Systems, 11.

7. Public Key Cryptosystems and Digital Signatures, 8. Firewalls, 9. Intrusion detection systems, 10. Biometric Security Systems, 11. Content 1.Introduction to Data and Network Security. 2. Why secure your Network 3. How Much security do you need, 4. Communication of network systems, 5. Topology security, 6. Cryptosystems and Symmetric

More information

The Wang DMS/DII High Assurance Guard. PRODUCT PLAN (Draft)

The Wang DMS/DII High Assurance Guard. PRODUCT PLAN (Draft) The Wang DMS/DII High Assurance Guard PRODUCT PLAN (Draft) TS-300 and SAGE are trademarks of Wang Government Services, Inc. NEOR and MESSAGEWARE are trademarks of NEOR Limited. D500 OpenDirectory is a

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center Security Education and Awareness No: Effective: OSC-6 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

Cryptography and Network Security Chapter 14. Key Distribution. Key Management and Distribution. Key Distribution Task 4/19/2010

Cryptography and Network Security Chapter 14. Key Distribution. Key Management and Distribution. Key Distribution Task 4/19/2010 Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 14 Key Management and Distribution No Singhalese, whether man or woman, would venture

More information

Certification Practice Statement

Certification Practice Statement FernUniversität in Hagen: Certification Authority (CA) Certification Practice Statement VERSION 1.1 Ralph Knoche 18.12.2009 Contents 1. Introduction... 4 1.1. Overview... 4 1.2. Scope of the Certification

More information

Cloud Services. Email Anti-Spam. Admin Guide

Cloud Services. Email Anti-Spam. Admin Guide Cloud Services Email Anti-Spam Admin Guide 10/23/2014 CONTENTS Introduction to Anti- Spam... 4 About Anti- Spam... 4 Locating the Anti- Spam Pages in the Portal... 5 Anti- Spam Best Practice Settings...

More information

Industry. Cyber Security. Information Sharing at the Technical Level. Guidelines

Industry. Cyber Security. Information Sharing at the Technical Level. Guidelines NATO Communications and Information Agency (NCI Agency) - Industry Cyber Security Information Sharing at the Technical Level Guidelines Effective date: 28 March 2014 Revision No: Rev 1 Change History Revision

More information

The Business Benefits of Logging

The Business Benefits of Logging WHITEPAPER The Business Benefits of Logging Copyright 2000-2011 BalaBit IT Security All rights reserved. www.balabit.com 1 Table of Content Introduction 3 The Business Benefits of Logging 4 Security as

More information

Secure web transactions system

Secure web transactions system Secure web transactions system TRUSTED WEB SECURITY MODEL Recently, as the generally accepted model in Internet application development, three-tier or multi-tier applications are used. Moreover, new trends

More information

ASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT

ASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA AND PACIFIC OFFICE ASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT DRAFT Second Edition June 2010 3.4H - 1 TABLE OF CONTENTS 1.

More information

Summary of CIP Version 5 Standards

Summary of CIP Version 5 Standards Summary of CIP Version 5 Standards In Version 5 of the Critical Infrastructure Protection ( CIP ) Reliability Standards ( CIP Version 5 Standards ), the existing versions of CIP-002 through CIP-009 have

More information

VICTOR VALLEY COMMUNITY COLLEGE DISTRICT ADMINISTRATIVE PROCEDURE. Computer Use - Computer and Electronic Communication Systems.

VICTOR VALLEY COMMUNITY COLLEGE DISTRICT ADMINISTRATIVE PROCEDURE. Computer Use - Computer and Electronic Communication Systems. VICTOR VALLEY COMMUNITY COLLEGE DISTRICT ADMINISTRATIVE PROCEDURE GENERAL INSTITUTION Chapter 3 Computer Use - Computer and Electronic Communication Systems AP 3720(a) Contents 1.0 Introduction...1 2.0

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

Network Security. Network Security Hierarchy. CISCO Security Curriculum

Network Security. Network Security Hierarchy. CISCO Security Curriculum Network Security Network Security Hierarchy Material elaborat dupa: CISCO Security Curriculum Kenny Paterson s Lectures for: M.Sc. in Information Security, Royal Holloway, University of London 1 Objectives

More information

Site to Site Virtual Private Networks (VPNs):

Site to Site Virtual Private Networks (VPNs): Site to Site Virtual Private Networks Programme NPFIT DOCUMENT RECORD ID KEY Sub-Prog / Project Information Governance NPFIT-FNT-TO-IG-GPG-0002.01 Prog. Director Mark Ferrar Owner Tim Davis Version 1.0

More information

Notes on Network Security - Introduction

Notes on Network Security - Introduction Notes on Network Security - Introduction Security comes in all shapes and sizes, ranging from problems with software on a computer, to the integrity of messages and emails being sent on the Internet. Network

More information

In-Network Translation User s Guide

In-Network Translation User s Guide GXS EDI Services In-Network Translation User s Guide GC34-3282-02 Third Edition (November 2005) This book replaces GC34-3282-01. Copyright GXS, Inc. 1998, 2005. All rights reserved. Government Users Restricted

More information

INTERNATIONAL TELECOMMUNICATION UNION $!4! #/--5.)#!4)/..%47/2+3 /0%. 3934%-3 ).4%2#/..%#4)/. /3) 3%#52)49 3425#452%!.$!00,)#!4)/.

INTERNATIONAL TELECOMMUNICATION UNION $!4! #/--5.)#!4)/..%47/2+3 /0%. 3934%-3 ).4%2#/..%#4)/. /3) 3%#52)49 3425#452%!.$!00,)#!4)/. INTERNATIONAL TELECOMMUNICATION UNION ##)44 8 THE INTERNATIONAL TELEGRAPH AND TELEPHONE CONSULTATIVE COMMITTEE $!4! #/--5.)#!4)/..%47/2+3 /0%. 3934%-3 ).4%2#/..%#4)/. /3) 3%#52)49 3425#452%!.$!00,)#!4)/.3

More information