The default connectivity for a 1NCE SIM is achieved through the Internet Breakout Service. All devices with a 1NCE SIM can connect freely to services hosted in the public internet space. The Figure above illustrates the basic operation principle of the 1NCE Internet Breakout. Please note that the IPs listed in the Figure are just example placeholders. For the Internet Breakout IPs, please refer to the list below for the full available IP pool. Depending on the breakout setting configured in the 1NCE Portal, the behavior of the Internet Breakout will differ.
The Internet Breakout setting in the configuration tab allows you to configure the ideal network flow for your SIM cards, both for public-facing internet access and for private connectivity through VPN. The 1NCE Internet Breakout can be configured in two different variants, which offer different functionality.
- Automatic Mode
- Manual Mode
The breakout setting allows you to select the nearest local Internet Breakout to minimize latency in data transfer. Your SIM cards can either automatically select the geographically nearest breakout (Automatic Mode), or you can manually set the location of the breakout (Manual Mode).
With the release (20.09.2022) of the configurable Internet Breakout setting, existing customers' breakout will remain Europe (Frankfurt), as it was before the feature was introduced.
New Organizations and newly created Suborganizations will use the Automatic Mode by default. This setting can be changed in the 1NCE Portal configuration tab.
When using the Automatic Mode, each individual SIM's data traffic towards the public internet is routed through the geographically optimized data center based on the SIM location, allowing for low-latency internet access. The automatic system selects the ideal breakout region for each individual SIM independently. As a result, SIMs exit through different breakouts depending on their location.
1NCE is using AWS to facilitate dynamic Internet Breakout in the Automatic Mode. The closest breakout region is dynamically chosen based on the device location. Different availability zones inside the breakout region serve as backup to prevent downtime.
VPN and Connectivity Suite
OpenVPN and Connectivity Suite Services are currently not available in the Automatic Mode due to the automatically changing breakout IPs. While Automatic Mode is active, the OpenVPN Configuration tab is disabled.
One customer SIM device is located and connected in Germany. Based on the given location, the automatic Internet Breakout determines that Europe (Frankfurt) is the ideal location to break out the public internet traffic. The customer can expect their public internet traffic to exit from one of the breakout IPs of Europe (Frankfurt).
A second SIM device is located and connected in New York, USA. As the SIM device is closest to the US East breakout, the automatic system determines that US East (N. Virginia) should be used to exit the public internet traffic of the SIM. The traffic from this specific SIM will exit through the US East (N. Virginia) Internet Breakout IPs.
When selecting a specific breakout region using the Manual Mode, all SIMs' public internet access is routed through the selected breakout region. All SIMs of the customer (sub)organization are locked to the selected manual breakout region, independent of the actual device location.
Currently, three regions are available:
- US West (N. California)
- Europe (Frankfurt)
- US East (N. Virginia)
VPN and Connectivity Suite
The 1NCE VPN Service is available in the Manual Mode. The region-specific adaptations of the OpenVPN Configuration need to be applied.
1NCE Connectivity Suite is currently only available through the Europe (Frankfurt) breakout region.
The Manual Mode is set to Europe (Frankfurt) for the example organization.
One customer SIM device is located and connected in Germany. Independent of the given location, the manual Internet Breakout Europe (Frankfurt) is used to break out the public internet traffic. The customer can expect their public internet traffic to exit from one of the breakout IPs of Europe (Frankfurt).
A second SIM device is located and connected in New York, USA. The SIM device is closest to the US East breakout, but due to the Manual Mode, the traffic is routed through the Europe (Frankfurt) exit to the public internet. The traffic from this specific SIM will exit through the Europe (Frankfurt) Internet Breakout IPs.
Each available Breakout Region has its own unique set of IP addresses. The specific IP address selected for the Internet Breakout of a SIM card is randomly chosen and cannot be managed by the customer. Depending on your configuration, either all IPs or only the region-specific ones must be whitelisted for the 1NCE Internet Breakout service. Note that the IPs in use depend on the selected Breakout Mode:
- Automatic mode: all IP addresses
- Manual Mode: IPs matching the configured Region
The IPs currently used to break out any internet-targeted traffic are listed in the table below. Please note that these IP addresses might change over time as new resources and feature upgrades are introduced.

| Breakout Region         | Public Internet Breakout IPs |
|-------------------------|------------------------------|
| US West (N. California) | 184.108.40.206               |
| US East (N. Virginia)   | 220.127.116.11               |
The public IPs for Europe (Frankfurt) Region are additionally used for the 1NCE Data Streamer and SMS Forwarder Service. Whitelisting the Europe (Frankfurt) IPs is required for using these services as these are operated independently of the configured Breakout Region.
By design, the internet access for 1NCE SIMs is implemented with Network Address Translation (NAT). The NAT maps the private SIM IP to a shared public 1NCE breakout IP. This network design simplifies IP space management and enhances the access security of connected IoT devices. As a result, devices with a 1NCE SIM cannot be directly accessed from the public internet side, which improves resilience against external attacks and threats targeting the IoT devices.
Using the 1NCE Internet Breakout, the connection establishment is unidirectional (e.g., SIM towards server/service), while data transfer over an already established connection is bidirectional (e.g., SIM towards server/service and server/service towards SIM). The flow of the 1NCE Internet Breakout is shown in the sequence diagram below. Bidirectional connection establishment can only be achieved using the 1NCE VPN Service.
The concept of the Open Systems Interconnection model applies to the 1NCE Data Service structure. The GPRS Tunneling Protocol (GTP) is used on layer 3 to transfer user application data between the device with a 1NCE SIM and the internet or application server, and vice versa. All data traffic is wrapped in GTP; on top of this protocol (layer 4 and above) the customer is free to use any transport or application protocol (e.g., TCP, UDP, MQTT, CoAP, etc.) and any port assignment.
The Domain Name System (DNS) is used to resolve Uniform Resource Locators (URLs) to an addressable IP. When using the 1NCE Internet Breakout, the public IP 18.104.22.168 is served as the primary and 22.214.171.124 as the secondary default Domain Name Server. A manual DNS configuration on the device is typically not needed, but can be applied if desired.
The Maximum Transmission Unit (MTU) is the size of the largest IP packet (layer 4) that can be transferred in a single frame on layer 3 without fragmentation in the packet-based core network. If a sent packet is larger than the specified MTU, the packet needs to be fragmented, which creates additional overhead and delays.
Theoretically, a size of 1500 bytes is possible with the 1NCE Data Service. Based on prior experience with IoT devices and mobile networks, it is recommended to keep the MTU size lower than about 1200 bytes.
After 350 seconds without any data packets being transmitted, an established connection via the 1NCE Internet Breakout is closed automatically. To keep the connection alive, an IoT device must send a keep-alive packet at least once within the 350-second timeframe. Otherwise, the 1NCE SIM device must re-establish the connection after this timeout.
The traffic from all 1NCE SIMs towards the public internet is routed through a NAT with the listed public-facing IP addresses. These public breakout IPs are listed above under Internet Breakout IPs. The specific IP address selected for the Internet Breakout is randomly chosen and cannot be managed by the customer.
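The 350-second idle timeout above is a NAT mapping lifetime, so a device has to keep the mapping warm from its side. The following is an added example (not 1NCE code) that tunes OS-level TCP keep-alive to fire well before that timeout and derives the equivalent heartbeat period for protocols without TCP keep-alive; the 50-second safety margin and the probe interval/count are assumptions, not values from the page.

```python
import socket

NAT_IDLE_TIMEOUT_S = 350  # idle timeout of the 1NCE Internet Breakout, as stated on this page
SAFETY_MARGIN_S = 50      # assumed: send the first keep-alive well before the mapping expires


def keepalive_schedule(nat_timeout_s=NAT_IDLE_TIMEOUT_S, margin_s=SAFETY_MARGIN_S,
                       interval_s=30, probes=3):
    """Return (idle, interval, count) for TCP keep-alive such that the first probe is sent
    before the NAT idle timer expires. interval/count only govern dead-peer detection,
    because an answered probe already refreshes the NAT mapping."""
    idle = nat_timeout_s - margin_s
    if idle <= 0 or interval_s <= 0 or probes <= 0:
        raise ValueError("margin must be smaller than the NAT timeout; interval/probes > 0")
    return idle, interval_s, probes


def enable_tcp_keepalive(sock, nat_timeout_s=NAT_IDLE_TIMEOUT_S):
    """Enable OS-level TCP keep-alive on `sock`, tuned to the breakout idle timeout.
    Option names are the Linux ones; macOS exposes the idle time as TCP_KEEPALIVE."""
    idle, interval, count = keepalive_schedule(nat_timeout_s)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "TCP_KEEPIDLE"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
    elif hasattr(socket, "TCP_KEEPALIVE"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPALIVE, idle)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
    return idle, interval, count


def configure_new_socket(nat_timeout_s=NAT_IDLE_TIMEOUT_S):
    """Create a TCP socket, apply the keep-alive tuning and read the flag back."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        schedule = enable_tcp_keepalive(sock, nat_timeout_s)
        enabled = sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0
    finally:
        sock.close()
    return schedule, enabled


def app_heartbeat_period(nat_timeout_s=NAT_IDLE_TIMEOUT_S, margin_s=SAFETY_MARGIN_S):
    """UDP-based protocols (e.g. CoAP) have no TCP keep-alive, so the application itself
    must send a heartbeat at least this often (seconds). The same bound applies to an
    MQTT client's keep-alive interval, which must stay below the NAT timeout."""
    period = nat_timeout_s - margin_s
    if period <= 0:
        raise ValueError("margin must be smaller than the NAT timeout")
    return period
```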
Whitelist 1NCE Breakout IPs
Ensure that the 1NCE Internet Breakout IPs are whitelisted on any custom service infrastructure accessed by 1NCE SIMs through the Internet Breakout. Large numbers of SIMs accessing the same service can cause automated firewall and protection mechanisms to block the 1NCE Breakout IPs.
All requests towards public internet services appear to come from these IPs. Most public services and APIs (e.g. time services, open-source APIs, etc.) apply request limits and smart filtering to detect and filter out distributed denial of service (DDoS) and similar attacks. Very frequent queries (e.g., every second) from multiple SIMs towards one endpoint could trigger these filtering mechanisms. This will result in the public service blocking requests from 1NCE SIM devices, rendering the service unusable. Most public services cannot differentiate between individual SIMs due to the 1NCE NAT network structure. It is strongly recommended to program devices with 1NCE SIMs in such a way that they do not aggressively query shared resources. On customer-controlled resources (e.g. a custom server, AWS or a similar cloud service), the protection mechanisms can be configured to whitelist the traffic originating from the 1NCE NAT Breakout.
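The practical consequence for a customer-controlled backend is that per-source-IP rate limiting punishes the whole fleet for one noisy device. The following added example (not 1NCE code) contrasts a naive per-IP sliding-window limiter with a NAT-aware variant that budgets requests from the breakout IPs listed above per device identity instead; the device id, the 10-per-60-seconds policy and the sample request sets are constructed assumptions, and the Frankfurt IPs are omitted because the page does not list them.

```python
from collections import defaultdict, deque

# Breakout IPs exactly as listed on this page (the Frankfurt addresses are not listed here).
BREAKOUT_IPS = {"184.108.40.206", "220.127.116.11"}
LIMIT, WINDOW = 10, 60  # assumed policy: at most 10 requests per 60 s per key


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per key."""
    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop hits that have fallen out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def naive_decision(limiter, req):
    """Weak: keyed on source IP only, so every SIM behind one breakout IP shares one budget."""
    return limiter.allow(req["src_ip"], req["t"])


def nat_aware_decision(limiter, req):
    """Hardened: traffic from a known breakout IP that carries a device identity (assumed to
    come from a client certificate or API key) is budgeted per device; breakout traffic
    without an identity, and all other sources, still fall back to the per-IP budget."""
    if req["src_ip"] in BREAKOUT_IPS and req.get("device_id"):
        return limiter.allow(("device", req["device_id"]), req["t"])
    return limiter.allow(("ip", req["src_ip"]), req["t"])


# Constructed samples: 20 SIMs behind one breakout IP sending one request each (FLEET), and one
# misbehaving SIM sending 30 requests before the other 19 send one each (FLOOD).
FLEET = [{"src_ip": "184.108.40.206", "device_id": f"sim-{i:02d}", "t": 0.0} for i in range(20)]
FLOOD = [{"src_ip": "184.108.40.206", "device_id": "sim-05", "t": 1.0}] * 30 + \
        [{"src_ip": "184.108.40.206", "device_id": f"sim-{i:02d}", "t": 2.0} for i in range(20) if i != 5]


def allowed_count(decision, requests):
    limiter = RateLimiter()
    return sum(decision(limiter, r) for r in requests)


def flooder_vs_others(decision, requests):
    """Return (requests allowed for sim-05, requests allowed for everyone else)."""
    limiter, counts = RateLimiter(), defaultdict(int)
    for r in requests:
        counts[r["device_id"] == "sim-05"] += decision(limiter, r)
    return counts[True], counts[False]
```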