************************************************************************
DDN MGT Bulletin #101            DISA DDN Defense Communications System
24 September 1992                Published by: DDN Network Info Center
                                 (NIC@NIC.DDN.MIL)       (800) 365-3642

                        DEFENSE DATA NETWORK
                        MANAGEMENT BULLETIN

The DDN MANAGEMENT BULLETIN is distributed online by the DDN Network
Information Center under DISA contract as a means of communicating
official policy, procedures and other information of concern to
management personnel at DDN facilities. Back issues may be read
through the TACNEWS server ("@n" command at the TAC) or may be
obtained by FTP (or Kermit) from the NIC.DDN.MIL host [192.112.36.5]
using login="anonymous" and password="guest". The pathname for
bulletins is ddn-news/ddn-mgt-bulletin-nn.txt (where "nn" is the
bulletin number).
************************************************************************

             MILNET TAC User Validation and Registration

This Management Bulletin provides important information for host and
gateway/concentrator administrators who are authorized to request TAC
Access Cards for their users. This bulletin also provides guidance
regarding the validation and registration process for all MILNET TAC
users. The impending MILNET-wide TAC user registration will involve
the reissue of TAC Access Cards to all authorized users and will
ensure that only currently authorized users can access the MILNET via
a TAC.

The following topics will be covered:

   1) Validation and registration procedures
   2) Importance of timely submission of user registration templates
   3) New format for user registration templates
   4) Validation and re-registration schedule
   5) Amended Authorization Policy
   6) DDN NIC contact information

1. Validation and Registration Procedures

The official validation and registration of all MILNET TAC users is
about to begin. During this period, the records for all MILNET TAC
users will be added, updated, or deleted, as required.

The DDN NIC Registrar will initiate the process by sending each
authorized host or gateway administrator a host template containing
the host information that is currently stored in the WHOIS database.
These host templates will be sent according to the schedule provided
in Section 4.

Each host and gateway administrator will be required to validate the
information on the host template, make any necessary changes, and
return the template to the DDN NIC. Upon receipt of the updated host
template, the Registrar will prepare a file containing the templates
of the users on that host who are currently registered in the WHOIS
database.

1.1 User Template File Transmission

Depending on its size, the user template file will be transmitted to
the appropriate gateway or host administrator via electronic mail or
made available for downloading via FTP. The NIC will send the majority
of user template files via e-mail. However, administrators for hosts
with a very large number of TAC users will be given instructions for
downloading their user templates via FTP. Along with the user template
files, the NIC will provide detailed instructions for adding, deleting
or modifying the individual user records.

1.2 Importance of Following Instructions

It is IMPERATIVE that the administrators adhere to the guidelines and
instructions provided to them with their user data. Deviations from
these instructions will result in processing delays and/or rejection
of the templates. Because the data is automatically parsed from the
templates by software designed exclusively for that purpose, the
standard user registration templates must not be altered in any way,
and the data provided for each template field must be entered in the
correct format. User files that are returned to the NIC in an
unacceptable format will be sent back to the administrator for
correction.

1.3 Transmitting User Files to the NIC

When returning the updated user templates to the NIC, each
administrator should clearly identify the file as "Host/Gateway
Re-Registration Information" in the subject line of each message.
This will ensure that 1) the files are processed through user
registration as a re-registration and 2) TAC access for these users
will not be interrupted.

1.4 New TAC Card Issuance and Old TAC Card Invalidation

After the NIC has received all the updated user templates for a host,
the file(s) will be reviewed for accuracy and validated. New TAC Cards
will be generated for each user who has been authorized TAC access by
the host or gateway administrator. The entire re-registration process
(from the submission and receipt of the updated user data to the
mailing of the TAC Card) is approximately two weeks.

The DDN NIC will send electronic mail messages to the host or gateway
administrator and to all the associated users notifying them that
their new TAC Cards have been mailed.

Six weeks after new TAC Cards have been mailed, all old TAC cards
associated with that host or gateway will be invalidated. This should
allow sufficient time for users to receive their new TAC cards or to
inform the NIC (via their host or gateway administrator) of any
problems regarding their new TAC Cards. Consequently, it is very
important that administrators encourage their users to report problems
or missing TAC Cards within the six-week time period prior to the
invalidation of the TAC Cards.

2. Importance of Timely Submission of User Registration Templates

All authorized host and gateway administrators will be given a maximum
of four (4) weeks from the day they receive their user templates (or
notification that their templates are ready for them to download via
FTP), to make the necessary additions, deletions and revisions and to
resubmit the data to the NIC for processing.

If the NIC does not receive the updated user templates after four
weeks have elapsed, the DISA Task Monitor will intervene.

The NIC staff is fully aware that validation and registration can be a
tedious process, especially for those administrators who are
responsible for a large number of users. If problems are encountered,
contact the NIC immediately for assistance. The security of the DDN
MILNET is at risk when the process is not given appropriate attention.

3. New Format for User Registration Templates

A new User Registration Template has been prepared to standardize and
expedite the validation and registration process. Use of this new
template will help to ensure that the NIC receives complete and
reliable information about each user in a format that can be processed
quickly and accurately by the registration software.

This template is available, along with instructions and examples, from
the DDN NIC via anonymous FTP. Connect to the NIC and log on with
username "anonymous" and password "guest". Change to the directory and
request the file by executing a getfile procedure for filename at the
prompt.

The NIC will provide the re-registration files to the administrators
in the new template format. All re-registration user files must be
returned to the NIC in this format. However, in an effort to ease the
transition to the new template, the NIC will accept user files (THAT
ARE NOT A PART OF A RE-REGISTRATION) in the format of the current user
template until 1 January 1993. After this date, only templates that
are submitted in the new template format will be honored.

4. Validation and Registration Schedule

The host and user validation (re-registration) schedule has been
established alphabetically, by first letter of the official hostname.
This schema (shown in the chart below) should result in the
re-registration of approximately the same number of users for each
month in the ten month schedule.

If the host or gateway administrator anticipates difficulties doing
the re-registration in the month scheduled, a request may be sent to
the NIC to reschedule the process (See Section 6).

                   Host/User Registration Schedule
                     (Alphabetical by Hostname)

| Oct | Nov | Dec | Jan | Feb | Mar | Apr | May | Jun | Jul | Aug | Sep |
|  A  | B-C | D-F | G-H | I-L |M,O-Q|  N  |  R  |  S  | T-Z | --- | --- |

5. Amended Authorization Policy

Although DISA formerly required all users on hosts behind gateways and
concentrators to register and request TAC Access Cards via their
gateway administrators, that requirement has changed. Gateway (or
concentrator) administrators may now delegate the authority to request
TAC cards to the administrator(s) of any hosts attached to the MILNET
via their gateway. In this way, administrators of hosts behind
gateways or concentrators will be able to request TAC Cards for their
own users and to register those users to their own or "home" hosts.

However, administrators of all hosts behind the gateway must have
proper delegated authorization (in accordance with the Draft TAC
Access Control Policy Circular) from their gateway administrator
before the DDN NIC can honor their requests. This authorization should
take the form of an e-mail message to REGISTRAR@NIC.DDN.MIL sent
directly from the gateway administrators' mailbox.

5.1 Registering Hosts Behind Concentrators/Gateways

All hosts behind gateways (or concentrators) whose users require TAC
access MUST be registered in the NIC's WHOIS database before requests
for TAC access can be made. This is done by completing a Military Host
Registration template and submitting it to the DDN NIC for processing.

To retrieve the host registration template via FTP, connect to the NIC
host and log on with username "anonymous" and password "guest". Then
change to the directory and request the file by executing a getfile
procedure for filename .

To avoid unnecessary delays, all hosts should be registered with the
DDN NIC prior to the re-registration process.

6. DDN NIC Contact Information

For general information and template file transmission, send
electronic mail to:

        REGISTRAR@NIC.DDN.MIL

or contact the DDN NIC Help Desk at:

        1-800-365-DNIC (within the continental U.S.)
   or   (703) 802-4535 (in the Washington DC metropolitan area
                        or outside the continental U.S.)

All re-registration user files should be sent via electronic mail to:

        REREG@NIC.DDN.MIL

** NOTE ** Whenever you leave a message for one of the contacts listed
above, please be sure to include a COMMERCIAL phone number if
possible. The DDN NIC does not have autovon capability.