Professional Documents
Culture Documents
Communications Reference
Copyright © Data Interchange Plc
Peterborough, England, 2013.
Related Publications
Table of Contents
1 Introduction 1
2 Protocol Comparisons 1
3 OFTP Version 1 2
3.1 History 2
3.3 Benefits 3
3.4 Security 3
4 OFTP Version 2 9
4.1 History 9
4.2 Benefits 9
4.3 Security 10
4.4.9 Certificates 13
I
Table of Contents
5 AS2 15
5.1 History 16
5.3 Benefits 16
5.4 Disadvantages 16
5.5 Security 16
6 FTP 20
6.1 History 21
6.3 Benefits 21
6.4 Security 21
7 SFTP 23
7.1 History 23
7.3 Benefits 23
7.4 Security 24
7.5.1 SSH 24
8 Email 26
8.1 History 26
8.2 Benefits 27
II
Table of Contents
8.3 Protocol Description 27
9.1 TCP/IP 28
10.1 Overview 30
III
1 Introduction
2 Protocol Comparisons
The following table compares the features of each protocol supported by ODEX
Enterprise.
OFT OFT AS/2 FTP SFTP Email
P1 P2
Encrypted session commands
Message encryption
Digitally signed messages
Digitally signed message receipts
(EERP,MDN)
Authentication
3 OFTP Version 1
3.1 History
The Odette File Transfer Protocol (RFC 2204) currently provides a standard
communications base for sending and receiving EDI messages throughout Europe
and most of the world.
OFTP was first defined in 1986 by ODETTE International Ltd, a membership
organisation formed by the automotive industry for the automotive industry. OFTP is
a protocol for exchanging data in an automated environment and was initially
designed to work over an X.25 network, but over the last two decades it has evolved
to work over ISDN and TCP/IP networks.
3.3 Benefits
OFTP has been designed to allow companies to communicate directly with
one another, or via a third party as in the popular use of VANs, such as DINET,
GXS and Easylink
OFTP can be used to transmit data of any type
OFTP preserves the original file format e.g. fixed and variable length record
files
OFTP provides a mechanism for end-to-end file acknowledgements, which
are generated when files have reached their final destination
Files can be exchanged in both directions, regardless of who initiated the
connection
OFTP is extremely efficient and supports file restart and data compression
OFTP supports multiple parallel communications sessions
OFTP removes any need for knowledge about the remote user’s computer
system
3.4 Security
Historically, OFTP connections were primarily established over point-to-point
connections such as X.25 and ISDN, consequently the connection methods were
relatively secure and additional protocol security was not deemed a necessity.
Therefore, OFTP version 1 at a protocol level only provides User IDs and passwords
for security.
However, a revised version of the OFTP version 1 specification was released that
introduced support for OFTP over TCP/IP. This allowed people to exchange data
over faster, but insecure, connection media, such as the Internet. The onus was still
on the network protocol to secure the connection and in some instances VPNs were
used to provide that additional security.
Command Description
SSRM - Start The first command to be sent after a physical connection has
Session Ready been made. It indicates to the person that initiated the
Message session that he is communicating with another OFTP
capable machine.
SFID - Start File A request to send a file. It contains such information as the
Identification destination code for the file, the file name and file size.
EFID - End of File This command is sent, after file data transfer has completed
Identification for an individual file, to indicate the End of File condition. It
contains control totals to ensure the integrity of the file sent.
EERP - End to End An EERP command is sent when a file reaches its ultimate
Response destination. It is sent to the originator of the file to tell him that
the file has been received.
The OFTP protocol has 2 levels, the SSID and the SFID. Each level may have its
own code, but in many cases the codes are the same. The codes at both levels may
be referred to generally as EDI codes.
SSID Code – also referred to as the Network Node or the Physical Node
SFID Code – also referred to as the File Node
SSID and SFID codes may be up to 25 characters long and should be made up
using the following list of characters and no others.
Character Description
0 to 9 Numeric characters
- Hyphen
/ Slash or Oblique
, Comma
. Full Stop
& Ampersand
There are currently no standards for EDI codification schemes, but obviously it is
vital that the code should be unique. New EDI users have a number of choices
available to them.
Choose their company name (not recommended)
Be allocated an EDI code by a third party network (VAN), trading partner or
numbering organisation
Derive their own EDI Code
If users wish to take the last course of action, the following are the ODETTE
recommendations for the structure of an EDI code.
Name Description
Company This is the code assigned by the agency specified in the ICD
Code code above. If it is less than 14 character positions, then it
should be right aligned and zero padded to the left.
Please note that this is a recommendation for the formation of an EDI code and NOT
a standard.
The OFTP password is sent as part of the SSID command when a connection to a
trading partner is being established. The password can be up to 8 characters long
4 OFTP Version 2
4.1 History
Revision 2 of the OFTP (RFC 5024) sought to ensure that it remained the mainstay
protocol of choice for business-to-business communications. To that end the
following changes/additions were made -
Session level encryption (using SSL/TLS)
Secure authentication
File level encryption
File compression using the DEFLATE algorithm
Signed EERP/NERP
Maximum permitted file size increased to 9PB (petabytes)
Virtual filename length increased to 255 characters
Security services have been added to allow OFTP to be secure over the Internet and
over X.25 networks and features like an enhanced compression routine have been
added in response to the user community’s wishes.
The security features in the OFTP are centred on the use of X.509 certificates. All
algorithms and enveloping technologies are standards that have been widely
implemented on the major platforms. The use of self-signed certificates is allowed.
OFTP 2 has been designed so that a secure session can be established with only
one of the trading partners being required to have a certificate, this being the party
that is the recipient of a connection attempt. This means that session security
between an OEM and its trading partners can be achieved without requiring all the
trading partners to obtain a certificate, assuming that trading partners connect to the
OEM.
Backward compatibility is important and OFTP 2 has been designed so that the new
and changed commands can still be understood by applications supporting older
versions of OFTP (1.4 and below). OFTP 2 capable applications, like ODEX
Enterprise, can negotiate the protocol level down to the highest level supported by
both applications.
4.2 Benefits
Protocol security removes the need for hardware VPNs with their very
significant associated costs and setup times
Compression means reduced X.25 and ISDN call charges
Compression means reduced time to exchange data
Companies with investments in X.25 and ISDN networks can use OFTP
Security
4.3 Security
OFTP 2 provides three security services:
Session level encryption (SSL / TLS)
File level encryption
OFTP Authentication
These security services are entirely optional and can be used in any combination.
Session level encryption encrypts all of the OFTP session data between two trading
partners so that an external party cannot see the data going between them. Session
level security is achieved by layering OFTP over Transport Layer Security (TLS),
distinguishing between secure and insecure TCP/IP traffic using different port
numbers. This negotiation occurs outside of the OFTP session and so is transparent
to the OFTP.
In addition, a file can be encrypted and sent via OFTP using file level encryption. File
encryption essentially offers the same level of security as session level, so two
trading partners may choose to use one or the other. File encryption does not
encrypt the OFTP session, and so it may be possible to uncover useful information
e.g. if you use the VFN: TOPSECRETNEWMODELFOR3Q15, a third party could
potentially get hold of this information. There is no such danger when using the
session level encryption.
It may well be that two companies wish to prevent external third parties from looking
at the data being sent between them. This is accomplished using session level
security. With the addition of file level security, only specific departments or
individuals are able to read the file when it arrives at the recipient company.
TripleDES uses Cipher Block Chaining (CBC) mode for added security and uses the
EDE (Encryption Decryption Encryption) process with 3 different 64 bit keys.
RSA padding is defined in PKCS #1.
AES uses a 256 bit key in CBC mode.
4.4.9 Certificates
You keep your private key secure but need to distribute your public key freely to your
trading partners.
5 AS2
5.3 Benefits
Elimination or reduction of Value-added network (VAN) costs
Designed to push data securely and reliably over the Internet
Fast and reliable connectivity
Encryption ensures that only the sender and receiver can view the data
Digital signatures ensure authentication; only messages from authorized
senders are accepted
The use of a hash algorithm ensures data integrity by detecting whether the
document was altered during transmission
5.4 Disadvantages
Static IP address, permanent Internet connection and firewall are needed
Cannot pull data
File restart is optional
AS2 software must be certified on an ongoing basis
Need to manage the certificates used for secure connections
Only works over TCP/IP networks
5.5 Security
AS2 makes use of several optional security features
Data Encryption
Header Description
POST The POST request specifies the local part of the recipient
address, which represents the AS2 receiving process,
and the HTTP version
AS2-Version (AS2 Header) Version of AS2 used (use 1.1 for versions
that support compression, 1.0 otherwise)
6 FTP
6.3 Benefits
It is a very common protocol that is used on many platforms
It has been around for a long time
It is a relatively simple protocol that is easy to use (It is supported by clients
through most web browsers, explorer in Windows and through the "ftp"
command in most Linux, UNIX and MSDOS distributions)
A directory structure can be represented, allowing the organisation of files
Security is implemented through username and passwords
The client can choose which files they wish to download
6.4 Security
An FTP client identifies himself with a user ID and password. It is the FTP server’s
responsibility, in conjunction with operating system access controls, to ensure that
he does only what he is permitted.
This is a very low level of security, which, combined with a network protocol (TCP/IP)
that offers little security, makes FTP perhaps the least secure file transfer
mechanism.
7 SFTP
7.1 History
The SSH File Transfer Protocol (draft-ietf-secsh-filexfer) was first published as an
Internet Draft in January 2001 as version 3. Alterations to the draft protocol were
made until July 2006 as version 6, when the working group was cancelled.
The protocol has never been made an Internet Standard but is widely implemented.
7.3 Benefits
Very secure protocol, layered over SSH2, which uses proven Diffie-Hellman
security practices
From a user’s perspective, security is implemented through username and
passwords
It is a relatively simple protocol that is easy to use. There are a wide range of
free interactive clients for UNIX and Windows environments
7.4 Security
An SFTP server identifies himself to clients using a host key. Commonly, this host
key is generated from a public certificate. Clients are asked to trust this key as
identifying the authentic server.
An SFTP client identifies himself with a username and password. There are other
alternative methods of client identification that are not so widely implemented. It is the
SFTP server’s responsibility, in conjunction with operating system access controls,
to ensure that he does only what he is permitted.
The security of SFTP is solely the responsibility of an SSH2 transport layer, which
uses proven Diffie-Hellman practices to establish a secure session.
8 Email
8.1 History
Electronic mail is the standard protocol for exchanging messages between users on
the Internet. Email was originally developed to exchange messages using extensions
to the FTP protocol but has since standardised on the Simple Mail Transfer Protocol
8.2 Benefits
Email is generally a protocol used for user-to-user messages as opposed to
machine-to-machine protocol like OFTP. The primary benefit to the use of email is
that it is the universally accepted standard for user-to-user messaging over the
Internet.
The protocols on which Email is based are open for extension and have been
extended considerably since the introduction of the SMTP protocol.
The disadvantage of email usage is that there is no universally accepted extension
which guarantees privacy of email content.
Delivery Status
9.1 TCP/IP
TCP/IP (Transmission Control Protocol/Internet Protocol) is the basic
communication protocol of the Internet. It can also be used as a communications
protocol in a private network (either an intranet, where parties within a single
organisation can communicate, or an extranet, where parties may communicate with
each other over an external but private network).
TCP/IP provides basic but high-demand services, such as file transfer and electronic
10.1 Overview
XOT is an abbreviation for X.25 Over TCP. This allows X.25 packets to be sent over
a Transmission Control Protocol/Internet Protocol (TCP/IP) network instead of an
X.25 network.
In essence, XOT tunnels X.25 traffic through an IP “cloud”. This allows ODEX
Enterprise to make a native X.25 call to a remote trading partner, without the need for
X.25 hardware within the PC. Instead, ODEX Enterprise communicates with an
XOT-capable router using XOT over a TCP/IP network, and the router makes the
actual X.25 connection.
This ability to utilise an IP connection to an XOT router provides a cost reduction and
also allows for the possibility of using an existing IP network to access an XOT router
located at a remote site.
X.25 is based on packet-switching technologies. Packet-switching technologies are
protocols in which messages are divided into packets before they are sent. Each
packet is transmitted individually and can even follow different routes to its
destination. Once all the packets forming a message arrive at the destination, they
are recompiled into the original message.
X.25 defines layers 1, 2, and 3 in the OSI Reference Model. OSI is an ISO standard
for worldwide communications that defines a networking framework for implementing
protocols in seven layers. Control is passed from one layer to the next, starting at the
application layer in one station and proceeding to the bottom layer, over the channel
to the next station and back up the hierarchy.
In ODEX Enterprise, you can still communicate with your X.25 connected trading
partners by using an external XOT router such as a CISCO, but now the system
setup will look more like this.
The Cisco interface which is connected to the X.25 network needs to be configured
with the correct number of Virtual Circuits (which will be dependent upon your X.25
line)
interface Serial1/0
description Link to X.25 PSS
no ip address
encapsulation x25
x25 ltc 1024
x25 htc 1063
An X25 route needs to be added to ensure that calls to the trading partner's NUA are
routed to the external X.25 network. This allows different trading partners to be
accessed via different external interfaces. Additional entries can be added routing
different NUAs to the same interface.
The Cisco interface which is connected to an ISDN line needs to be configured with
a reference to a dialler pool
interface BRI0/0
description ISDN Interface
dialer pool-member 1
isdn switch-type basic-net3
A dialler Interface needs to be configured which gives the Cisco an ISDN number to
dial when calls are routed via ISDN
interface Dialer0
no ip address
encapsulation x25
dialer pool 1 (must match the entry configured against the
ISDN interface)
dialer remote-name dinet
dialer string 01733390025 (the ISDN number to be dialled)
dialer max-call 1
dialer-group 1
x25 address 1234
x25 htc 1
x25 win 7
x25 wout 7
x25 facility windowsize 7 7
x25 facility packetsize 128 128
04 Storage record The storage format for the virtual file cannot be
format not supported by the destination. This would occur
supported if, for example, a Variable length record was
sent to a machine that could only handle Fixed
length records.
06 File size is too The file is too large for either the OFTP or the
large remote site to handle.
12 Access method The remote site has had a problem storing the
failure virtual file. This is often caused by the receiver
running out of disk space.
99 Unspecified There has been an error that does not fit into
reason code any of the above categories.
00 00 No cause available.
03 03 No route to destination.
06 06 Channel unacceptable.
11 17 User busy.
15 21 Call rejected.
16 22 Number changed.
1D 29 Facility rejected.
1F 31 Normal, unspecified.
22 34 No circuit/channel available.
29 41 Temporary failure.
2F 47 Resource unavailable.
55 85 No call suspended.
57 87 Incompatible destination.
Code Description
0x1002 Logical block size too small, must be at least 128 bytes
0x1004 Message buffer size too small, must be at least 1024 bytes
0x1006 Reserved
0x1103 The message could not be accepted because of a queue full condition
0x3313 Disconnected before transfer (remote station does not support transfer
mode, e.g. resolution)
0x34d3 A suspended call exists, but this call identity does not
0x34d6 Call having the requested call identity has been cleared
00 00 No additional information.
01 01 Invalid P(S).
02 02 Invalid P(R).
21 33 Unidentifiable packet.
22 34 Incoming call received on one-way channel.
23 35 Clear or Call packet received on a PVC.
24 36 Packet on unassigned logical channel.
25 37 Reject not subscribed to.
26 38 Packet received - too short.
27 39 Packet received - too long.
28 40 Invalid GFI.
29 41 Restart packet on LCN zero.
2A 42 Illegal fast select packet.
2B 43 Unauthorised Interrupt CONF packet
received.
2C 44
Unauthorised Interrupt packet received.