IPX and IoT

Arelion’s IoT backbone separates IoT traffic from public Internet traffic, connecting operators and enterprises directly to device management platforms via a highly scalable and robust IPX transport solution.

The backbone for the Internet of Things

The possibilities of IoT are huge, but so are the consequences. That’s why we believe IoT demands a backbone featuring the highest industry standards. Your dedicated IoT backbone connects mobile operators and enterprises directly to device management platforms in a single network hop with the lowest possible delay. Learn more about what Internet backbone is and what makes a good Internet backbone.

Partition traffic from the public internet

The "things" are coming – and so is their data. As this continues to grow, and as more applications become mission-critical, peering logic driven by 5G goes to the next level. Many IoT applications call for a higher quality of end-to-end connectivity and security.

You get the end-2-end oversight required for all your IoT traffic. By using pre-integrated service-topology, we can get you quickly to market in order to capitalize on the emerging possibilities of IoT.

What customers say

DENT has chosen Arelion as one of the central partners for its mobile cloud solutions. As a digital and global operator, we provide our customers (...) the most convenient way of staying online while traveling. Arelion meets the high demands for reliability and security of our customers and its great experience in IPX networks helps us to innovate. Arelion’s fair pricing models also help us to stay ahead of the competition.

Philipp Gasteiger, Senior Consultant, Digital Oxygen GmbH

1NCE GmbH has been cooperating with Arelion for a year and Arelion has had a very fast and constructive dialogue since first meeting. The progress (...) of the project was ensured very professionally. In fact, at our request, a new project was created – IPX connection to AWS cloud, which also supports AWS specific features, like BGP community export and others. The flexibility with which Arelion provided the essentially customized product is at a very high level. In the context of operational cooperation, I would especially like to note very good announcements for planned maintenances – those are always very well explained and sent in a timely manner. The overall communication is superb! We are very pleased with the cooperation and hope that it will continue and develop successfully with the development of our company.

Jans Jelinskis, Technical director, 1NCE Latvia SIA

    End-to-end control

    The Internet of Things (IoT) is expanding in all directions, with the potential to create real value – and real security concerns. When data transits between networks, you lose visibility, reliability, and security. The only way to guarantee end-2-end quality is to have end-2-end control. And that’s what we offer you.

    Our IoT backhaul solution is a hub and spoke configuration powered by our global IPX backbone. Our IPX network is GSMA-, IEEE- and I3F-compliant, and it is faster and easier to connect compared to layer-2 MPLS solutions. Your IoT traffic stays separate and safe from the public Internet. We guarantee our network's lowest possible latency end-2-end, with Class of Service (CoS) awareness and committed Quality of Service (QoS) for the best possible results, which we express in our Service Level Agreements.

    Reliable and accountable

    Our red and blue network architecture means full redundancy designed from the ground up. This means network availability of up to 99.999% at the edge. Critical applications, like autonomous vehicles, utilities, and health services increasingly rely on the IoT.
    At the same time, billions of commodity devices are rapidly joining the public Internet in a set-and-forget state, making security a make-or-break factor for the future of IoT. And, if anything does go wrong, you have the simplicity of a single point of accountability. We are always on call to assist you with our award-winning multi-lingual customer care team, available 24/7/365.

    Cloud connected IPX

    • Extend your network to the cloud – using our dedicated and private connections to AWS, Google, Azure, Oracle, and IBM - via Telia Carrier’s global backbone - to reach, e.g. your virtual packet gateways or any other cloud-placed nodes or platforms.
    • Controlled cloud connectivity – using these direct connections to the major cloud providers, we provide you with a secure inroad to the cloud. Cloud Connect is a private and dedicated connection that bypasses the public Internet – giving you more control of your bandwidth, with high levels of security and reliability.
    • Scaling multiple clouds – Cloud Connect allows you to use a single port to connect to one or multiple cloud providers – making it a cost-efficient way to scale cloud connectivity. Your bandwidth needs for cloud usage will always be serviceable as we operate with ample capacity to ensure our global backbone is optimized for highly scalable, burstable workloads.
    • Fast response – just like your business, we offer a high degree of agility. The average contract lead time is 7 days and average delivery time is 21 days.

    Read more about the definition of Cloud Connect and connectivity methods.

    Technique and security

    Technical highlights

    Features
    • Data segmentation to prevent signaling-storms and traffic-bursts
    • Faster and easier to connect compared to layer-2 MPLS solutions
    • Based on end-to-end, low latency DWDM network
    • 24/7/365 help desk with direct access to specialist security partners
    • Easy to integrate with third party VAS services and firewalls

    Security highlights

    Our dedicated and private AS8837 IPX network operates on top of Arelion’s backbone.

    Secure by design features
    • Compliant with all applicable GSMA standards for IPX security & DNS (IR.34, IR.67, IR.77 etc.)
    • Experienced in addressing IoT-platform interoperability challenges
    • Facility to route traffic to your IoT steering platform and roaming hubs
    • Automatic switchover thanks to fully redundant Red and Blue networks
    • NOC situated in a well secured and connected building with multiple power sources
    • Physical and logical security considered from design to deployment
    • Network-wide User Acceptance Policy
    • Customer Service authentication procedures
    • Clear customer data handling policies
    • Clear customer instructions regarding business changes and incident management

    IPX to Cloud Connect solution

    10 quick questions for Robert Sommeling, Arelion Operations product manager

    How does Arelion reach its roaming partners?

    Since Arelion is a Tier 1 IPX, we cover complete A-Z reach across our direct and peering reach. This applies to GRX, Diameter and SS7 (a full reach list is available upon request).

    Describe Arelion's service continuity mechanisms

    Arelion's IPX network is designed to support Multiple Services over One Port (MSOP). This means that where our customer is using us for IP Transit services, we can logically separate IPX traffic on the same physical port. Dedicated IPX port capacity is also central to what we do, which supports an increase in security and overall availability.

     

    Arelion recommends redundant base architectures. Each port can be configured using VLANs to logically separate, control and measure individual dedicated traffic streams. Furthermore, our IPX network is Class of Service (CoS) aware, allowing Mobile Operators to prioritize traffic streams according to CoS recommendations.

    Today we support Data Payload (GRX, includes S8), Diameter (DRX), SIGTRAN (RoamConnect), Voice over IPX (VoIPX), and IoT backhaul (M2M traffic). Our network contains IP-STPs, Diameter-Routers and SIP-Proxies to support hosted interworking solutions for all traffic types.

     

    • Arelion has a Multi Terabit enabled, fully redundant and geographically diverse IPv4 and IPv6 dual stack IPX Core and distribution network. It has been designed and built with complete redundancy and security as the starting point, and as such is compliant with all relevant GSMA IPX guidelines (a/o PRD IR.34, IR.67 & IR.77)
    • Arelion implements a fully redundant physical and logical IPX network architecture
    • We advise our clients to adhere to a fully redundant physical architecture as well, deployed in either a simplex B (dual links) or full mesh B-Quad (4 links) design
    • The SIGTRAN and Diameter capacities should be dimensioned to support not more than 40% link utilization to always ensure that in a failover scenario the redundant links have ample capacity to support the additional load
    • Arelion advises the configuration of SCTP associations in an M3UA or M2PA multihomed configuration
    • We advise all signaling protocols to be load shared and balanced in an Active / Active configuration
    • Data Payload traffic such as GRX/S8 can be supported in an Active / Active, or Active / Standby configuration. Active / Standby is recommended
    • Arelion can support redundancy over IPsec. However, it is not recommended for signaling protocols as it can cause sub-optimal performance of SCTP timers, leading to buffering and re-transmits.
    • Arelion follows strict implementation and testing procedures, before declaring services as 'ready for use'

    Describe Internet backbone architecture topology (incl. redundancy & reliability mechanisms in place)

    Arelion owns and operates one of the world's largest fully diverse MPLS core networks.

    • IPX PoP diversity: Geographical diversity was key in the planning and implementation of our IPX infrastructure. Arelion IPX is currently deployed in geographically diverse PoPs around the globe with additional PoPs in planning stages.
    • IPX PoP hardware redundancy: Within each IPX PoP, there is a complete redundant infrastructure. All aggregate and core routers, switches and firewalls have been deployed in pairs to provide for the highest level of diversity within each IPX PoP. At our core PoPs we have deployed redundant Diameter proxies, 3GPP DNS servers and IPX proxies. Dual-power, dual-processor and fault-tolerant systems are deployed at all PoPs to aid in seamless recovery and auto-healing abilities. Furthermore, at each IPX PoP, we have deployed redundant core routers allowing changes in either customer access or core functionality without impact to customer traffic.
    • IPX PoP Transport Redundancy and Diversity: Our IPX PoPs are inter-connected on our fully meshed Multi Terabit enabled IPX backbone. The backbone access circuits are provisioned with complete diversity. Every effort is given to provision the circuits with no single point of failure or common point of interconnect, including access into the customer facility/conduit where possible. Additionally, our core infrastructure is designed so that any single connection into an IPX PoP will support all traffic for that PoP in a potential fail-over scenario. This is achieved, among other things, via our worldwide Red and Blue DWDM backbone network, which is fully separated both logically and physically.
    • Service availability: Carrier-grade - 99.999% with SLA
    • DNS redundancy support: Arelion's DNS infrastructure is deployed in a geo-redundant design for both .gprs and .3gppnetwork DNS servers.
    • Proxy redundancy support: Diameter and network proxies are geo-redundant and engineered to provide full failover capabilities between sites.

     

    Security

    The Arelion IPX backbone is configured for protection against different forms of security threats such as DDoS/DoS, packet spoofing, route spoofing, label spoofing, etc.
    As mentioned above, we follow the GSMA IR.77 guidelines for inter-operator provider security rules that include Anti-Route and Anti-Packet spoofing protection. On the Ethernet layer, we also deploy VLANs to logically separate traffic for different services including GRX/S8 Data Payload, SIGTRAN and Diameter, which are integrated into the corresponding service segment by dedicated MPLS VPNs on the IP transport layer. Our IPX network is completely isolated from the public Internet and unauthorized access is denied.

    The following are examples of the measures taken to protect our IPX backbone network:

     

    Route spoofing protection

    • Customers identify what networks they wish to advertise, and Arelion confirms that they are entitled to advertise those networks to IPX
    • Arelion's IPX network edge routers check all route advertisements against a pre-defined prefix-list to determine if that route is for a network that belongs to that customer
    • Any non-compliant advertisements are discarded at the Edge routers

     

    Packet spoofing protection

    • Customers identify what networks they wish to advertise
    • All incoming packets are checked against a pre-defined access-list to ensure that the source address belongs to the Operator's networks. Arelion's IPX Edge routers discard any IP packets that arrive from sources that do not belong to the Operator's advertised networks
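
The route and packet spoofing checks described above, sketched in Python as an added example (not Arelion's code or router configuration). The operator names, the RFC 5737 documentation prefixes and the `max_len` bound on more-specific routes are assumptions made for illustration.

```python
import ipaddress

# Constructed registration data using RFC 5737 documentation prefixes;
# these stand in for the networks each operator has declared.
REGISTERED = {
    "operator-a": ["192.0.2.0/24", "198.51.100.0/25"],
    "operator-b": ["203.0.113.0/24"],
}


class EdgeFilter:
    """Per-customer edge filter built from that customer's registered prefixes."""

    def __init__(self, prefixes, max_len=28):
        self.allowed = [ipaddress.ip_network(p) for p in prefixes]
        # Assumption: more-specifics longer than max_len are refused, similar
        # to an upper length bound on a router prefix-list entry.
        self.max_len = max_len

    def accept_route(self, advertised):
        """Route check: the advertisement must fall inside a registered prefix."""
        try:
            net = ipaddress.ip_network(advertised, strict=True)
        except ValueError:
            return False  # malformed prefix or host bits set
        if net.prefixlen > self.max_len:
            return False
        return any(net.version == a.version and net.subnet_of(a)
                   for a in self.allowed)

    def accept_packet(self, src):
        """Packet check: the source address must sit in a registered prefix."""
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False
        return any(addr in a for a in self.allowed)


def screen(customer, routes, sources):
    """Return (discarded_routes, discarded_sources) for one customer port."""
    f = EdgeFilter(REGISTERED[customer])
    bad_routes = [r for r in routes if not f.accept_route(r)]
    bad_sources = [s for s in sources if not f.accept_packet(s)]
    return bad_routes, bad_sources


if __name__ == "__main__":
    # Constructed input: what operator-a's port announces and sends.
    routes = ["192.0.2.0/24", "198.51.100.128/25", "203.0.113.0/24",
              "192.0.2.0/30", "0.0.0.0/0"]
    sources = ["192.0.2.17", "198.51.100.200", "203.0.113.9"]
    print(screen("operator-a", routes, sources))
```

Both checks use the same registered prefix set, so a network an operator has not declared is refused as a route and as a packet source alike.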

     

    Label spoofing protection

    • Since packets only enter the Arelion IPX MPLS network via pre-defined PE-CE interfaces, label spoofing is not possible
    • Arelion does not exchange undefined MPLS labelled packets on our customer-facing connections; all customer interconnectivity is established via native IP at layers 2/3
    • Arelion IPX does not participate in any Inter-AS or Carrier-Supporting-Carrier connectivity which would allow labelled-packets from outside sources to enter the Arelion IPX backbone

     

    SIGTRAN Security Features include the following:

    • Guard against port scanning
    • Guard against UDP/TCP flooding
    • Guard against DDoS
    • MTP security features
    • SCCP security features
    • TCAP security features
    • MAP security features
    • CAP security features
    • INAP security features
    • Obtaining subscriber information
    • Eavesdropping on subscriber traffic
    • SMS frauds
    • Open SMSC
    • Network outage and disruption of subscriber services
    • DoS against network elements
    • DoS against users
    • Authentication vector theft
    • Interworking specific attacks
    • MTP policing
    • SCCP policing
    • TCAP policing
    • MAP policing
    • CAP policing
    • Combination of parameters for policing
    • Cat 1 MAP Messages blocking
    • Blocking of traffic from non-partners
    • Separate reporting of all signalling security incidents

     

    Our dedicated and private AS8837 IPX network operates on top of Arelion's Blue and Red, wholly owned (trench and sea-cable upwards) fully redundant DWDM topology.

    Arelion's IPX is designed in a layered manner. At each backbone location, the Arelion IPX network is divided over two more (local) geo-redundant sites, where one site is connected to our Red-DWDM network and the other to our Blue-DWDM network. The fully divergent DWDM network itself is about 75,000 km wide and spans across the whole globe in such a manner that at no point do these two networks cross each other.

    The IPX core network is then attached and integrated further, whilst using a single AS (8837), into a layer we refer to as the distribution layer by connecting strategically placed, worldwide distributed, fully redundant duo-IPX routers (each time: one on Red and the other on Blue).

    Arelion can provide the kmz maps for fibers from the locations of the physical interconnects to specified locations of customer interest.

    Arelion can provide 10 Gb (Base-LR) ports at over 400 locations globally.

    All services can be delivered on redundant physical NNIs (Network-to-Network Interfaces), configured using VLANs for complete logical separation and class of service attribution. GRX is typically configured in Active / Standby mode, and SIGTRAN and Diameter Protocols are configured using Active / Active mode allowing proper load-sharing.

    What happens when we agree on specific POPs for NNI?

    Subject to working on an agreed final design with our customers, Arelion will define a detailed demarcation point during the solution design phase (standard TC demark in the PoP, no cross-connect included, no local-tail included).

    Timeframes needed for requested capacity upgrades & reductions as well as for any requirement for prior notice

    Once a service is delivered and in production, service upgrades and downgrades can be done very quickly. If no augmentation is needed to the physical architecture, changes to bandwidth can be done the same day as the order is executed. Orders can usually be completed in 2 business days, subject to standard network freeze periods, e.g., Christmas.

     

    If any physical component needs to be augmented, it can take from 2 weeks for a cross connect, to 8 weeks for a local tail or leased line, pending 3rd party suppliers. For this reason, we propose as standard to build the solution using redundant 10 Gb ports from day one, to avoid running out of capacity.

    SLA level (especially important - guaranteed time of restoring)

    Please refer to our SLA documents and Master Service agreements, available upon request. As a minimum, Arelion's SLA is compliant to GSMA PRD IR.34 (version updates are available upon request, or at the GSMA Info Centre http://infocentre2.gsma.com/).

    Additional general information
    • Delivery time all services (accurate date to be agreed bilaterally)
      • Please allow an average of 4 to 6 weeks for delivery times, including cross-connects. If leased lines are required, this will increase time to 8 to 12 weeks. All pending 3rd party suppliers
    • Payment for outgoing traffic only
      • Only outbound traffic is chargeable (Outbound means from customer to Arelion)
    • Monthly payment for burst:
      • Payment for the burst traffic is billed in arrears, meaning 30 days after the traffic has been measured and collated
    • Currency
      • Payment in major global currencies is preferred, including US Dollar, Euro, British Pounds and Swedish krona
    • Warranties - Except as otherwise stated in this agreement, Arelion makes no representations or warranties about the service or the quality of the service provided, whether express, implied, by operation of law or in fact including, without limitation, any warranty of merchantability or fitness for a particular purpose
    • Upgrades - service upgrades and downgrades are available during the term of the agreement with 7 days' notice, and on completion of a new service order form
    • Delivery - a dedicated service delivery manager will work with you to ensure fast implementation of the services

    More about IPX to cloud

    Learn more about why to choose the IPX to Cloud Connect solution. The solution is aimed at customers that require more control of their bandwidth, i.e. a high level of flexibility and scalability, using a dedicated connection to the cloud.