Internet Breakout

Default Internet accessibility with a 1NCE SIM.

Structure diagram of the 1NCE Internet Breakout.

The default connectivity for a 1NCE SIM is achieved through the Internet Breakout Service. All devices with a 1NCE SIM can connect freely to services hosted in the public internet space. The Figure above illustrates the basic operation principle of the 1NCE Internet Breakout. Please note that the IPs listed in the Figure are just example placeholders.


Network Address Translation

By design, this internet access is implemented with Network Address Translation (NAT). The NAT maps the private SIM IP to a shared, commonly used public 1NCE breakout IP. This network design simplifies IP space management and enhances the access security of connected IoT devices. As a result, devices with a 1NCE SIM cannot be directly accessed from the public internet side, which improves their resilience against external attacks and threats targeting IoT devices.

Using the 1NCE Internet Breakout, connection establishment is unidirectional (i.e., only from the SIM towards the server/service), while data transfer over an already established connection is bidirectional (i.e., SIM towards server/service and server/service towards SIM). The flow of the 1NCE Internet Breakout is shown in the sequence diagram below. Bidirectional connection establishment can only be achieved using the 1NCE VPN Service.

Sequence diagram of the 1NCE Internet Breakout.

Data Protocols

The concept of the Open Systems Interconnection (OSI) model applies to the 1NCE Data Service structure. The GPRS Tunneling Protocol (GTP) is used on layer 3 to transfer user application data between the device with a 1NCE SIM and the internet or application server, and vice versa. All data traffic is wrapped in GTP; on top of this protocol (layer 4 and above) the customer is free to use any transport or application protocol (e.g., TCP, UDP, MQTT, CoAP) and any port assignment.


Domain Name System (DNS)

The Domain Name System (DNS) is used to resolve Uniform Resource Locators (URLs) to an addressable IP. When using the 1NCE Internet Breakout, the public IP 8.8.8.8 is served as the primary and 8.8.4.4 as the secondary default Domain Name Server. Manually configuring a DNS server on the device is typically not needed, but can be done if desired.


Maximum Transmission Unit (MTU) Size

The Maximum Transmission Unit (MTU) is the size of the largest IP packet (layer 4) that can be transferred in a single frame on layer 3 without fragmentation in the packet-based core network. If a sent packet is larger than the specified MTU, it needs to be fragmented, which creates additional overhead and delay.

Theoretically, a size of 1500 bytes is possible with the 1NCE Data Service. Based on prior experience with IoT devices and mobile networks, it is recommended to keep the MTU size lower than about 1200 bytes.


Internet Breakout Timeout

After 350 seconds without any data packets being transmitted, an established connection via the 1NCE Internet Breakout is closed automatically. To keep the connection alive, an IoT device must send a keep-alive packet at least once within the 350-second timeframe. Otherwise, the 1NCE SIM device must re-establish the connection after this timeout.


Breakout IP Blacklisting

The traffic from all 1NCE SIMs towards the public internet is routed through a NAT with a couple of public-facing IP addresses. These public breakout IPs are listed in the 1NCE Portal in the Configuration tab.

Whitelist 1NCE Breakout IPs

Ensure that the 1NCE Internet Breakout IPs (see 1NCE Portal > Configuration) are whitelisted for custom service infrastructure accessed by 1NCE SIMs through the Internet Breakout. Large quantities of SIMs accessing the same service can cause automated firewall and protection mechanisms to block the 1NCE Breakout IPs.

All requests towards public internet services appear to come from only these few IPs. Most public services and APIs (e.g., time services, open-source APIs) apply request limits and smart filtering to detect and filter out denial-of-service (DoS/DDoS) and similar attacks. Very frequent queries (e.g., every second) from multiple SIMs towards one endpoint could trigger these filtering mechanisms. This would result in the public service blocking requests from all 1NCE SIM devices, rendering the service unusable for them. Most public services cannot differentiate between individual SIMs due to the 1NCE NAT network structure. It is strongly recommended to program devices with 1NCE SIMs in a way that they do not aggressively query such shared resources. For customer-controlled resources (e.g., a custom server, AWS or a similar cloud service), the protection control mechanisms can be configured to whitelist the traffic originating from the 1NCE NAT Breakout.
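The following is an added illustration, not 1NCE's own code, of how a customer-controlled service can apply the recommendation above: a sliding-window rate limiter that keys traffic from the shared breakout IPs per device identifier (assumed to come from the application-layer authentication) instead of per source IP, so a whole fleet behind one NAT address is not blocked by a single counter while one chatty device is still limited. The network 203.0.113.0/29 is a documentation-range placeholder; the real breakout IPs are the ones listed in the 1NCE Portal.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Placeholder (RFC 5737 documentation range): replace with the breakout IPs
# listed under 1NCE Portal > Configuration.
BREAKOUT_NETWORKS = [ipaddress.ip_network("203.0.113.0/29")]


class RateLimiter:
    """At most `limit` requests per `window` seconds per key (sliding window)."""

    def __init__(self, limit, window, exempt_networks):
        self.limit = limit
        self.window = window
        self.exempt = exempt_networks
        self.hits = defaultdict(deque)  # key -> timestamps of recent requests

    def is_breakout(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.exempt)

    def allow(self, src_ip, device_id=None, now=None):
        now = time.monotonic() if now is None else now
        if self.is_breakout(src_ip):
            if device_id is None:
                return True  # allow-listed NAT IP without device identity: never block
            key = ("device", device_id)  # count per device, not per shared NAT IP
        else:
            key = ("ip", src_ip)
        q = self.hits[key]
        while q and now - q[0] > self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate_fleet(limiter, breakout_ip, n_devices, now=0.0):
    """Constructed scenario: n_devices SIMs each send one request in the same
    second through the same breakout IP. Returns how many were accepted."""
    return sum(limiter.allow(breakout_ip, device_id=f"dev-{i}", now=now)
               for i in range(n_devices))


if __name__ == "__main__":
    naive = RateLimiter(limit=10, window=60, exempt_networks=[])
    aware = RateLimiter(limit=10, window=60, exempt_networks=BREAKOUT_NETWORKS)
    print("per-IP limiter accepted:", simulate_fleet(naive, "203.0.113.5", 50))
    print("breakout-aware limiter accepted:", simulate_fleet(aware, "203.0.113.5", 50))
```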
