Acme Packet
Net-Net MSG
 

The Net-Net Multiservice Security Gateway (MSG) securely connects subscribers to their mobile voice and data services over untrusted hybrid wireline/wireless access networks using IPsec tunnels. It fulfills the requirement of a 3GPP UMA Security Gateway (SeGW) and is available on three hardware platforms: the Net-Net 4000 series, the Net-Net 9000 series, and the Net-Net 4000 ATCA blade.

Acme Packet's carrier-class Net-Net MSG is designed to:

  • Enable wireless service providers to maximize revenues and minimize costs by accelerating fixed-mobile substitution and by enabling service and core network convergence
  • Extend service reach to wireless endpoints over untrusted networks: femtocell/WLAN access networks and Internet backhaul
  • Provide the secure bridge to rich, interactive, multimedia IMS and SIP-based applications accessed over both wireless and fixed networks by residential and enterprise subscribers

     

Acme Packet's Net-Net Multiservice Security Gateway features several significant technical advantages that maximize system capacity and performance, ensure non-stop service availability, enable flexible deployment options and minimize costs.

Industry-leading IPsec tunnel system capacity and density
Net-Net MSG configurations are supported on three platforms that scale from 128,000 to 1 million tunnels per system. These platforms support up to 256K tunnels per rack unit and over 12 million tunnels per 7-foot telco rack in high availability system configurations, minimizing capital and operating expenses.

High performance IPsec processing architecture
Two levels of hardware acceleration enable extremely fast IPsec tunnel set-up and wirespeed IPsec traffic encryption/decryption without impacting SIP signaling, media control, or traffic forwarding performance.

Integrated, hardware-software-based DoS/DDoS protection
Acme Packet's proven SIP session and layer 3 / 4 protection capabilities in large tier 1 access SBC deployments have been extended to defend against IPsec-related attacks and control overloads.

Carrier-class high availability (HA) support
Acme Packet's proven, stateful HA capabilities have been extended to support transparent, "hitless" failover for IPsec's IKE Security Associations and tunnels to ensure uninterrupted service.

Virtualized MSG functions
Acme Packet's proven SBC virtualization capabilities have been extended to support multiple, separate logical functions within a single physical system. Virtualization enables service providers to use a single system to support multiple services (I-WLAN and UMA, residential and enterprise, retail and wholesale, or multiple mobile virtual network operator (MVNO) customers), minimizing capital and operating expenses.

Key functions and features

Capacity & performance

  • IPsec tunnel capacity from 128K to 1M per system
  • Hardware-accelerated IPsec tunnel-set-up
  • Hardware-accelerated IPsec traffic encryption/decryption

Authentication

  • IPsec IKEv2 tunnel set-up - Diffie Hellman, PFS and pre-shared key
  • DIAMETER/RADIUS server authentication via 3GPP Wm interface, support for EAP-SIM, EAP-AKA, PEAP-MSCHAPv2, EAP-MSCHAPv2, EAP-MD5
  • Diffie Hellman Groups 1, 2, 4 & 5
  • X.509v3 certificate support
  • Certificate revocation list (CRL) support
  • Multiple root certificate authorities with separate trust chains

Encryption and data integrity algorithms

  • Encryption - 3DES, AES-CBC (128 & 256 bit), AES-CTR (128 & 256 bit), DES, NULL
  • Data integrity - HMAC-SHA1 and HMAC-MD5

DoS / DDoS protection

  • MSG DoS/DDoS self-protection
  • IKE_SA_INIT & IKE_AUTH flood attack protection
  • IMSI, IUEI and USIM awareness / black listing / white listing
  • IKEv2 cookie support
  • Tunnel IP address spoofing protection
  • L3 / L4 attack protection

Service reach maximization

  • Virtualization - support for multiple logical MSGs in single physical system
  • UDP encapsulation for NAT traversal
  • IP address allocation - via local address pools or RADIUS VSAs
  • UNC interface
  • Static IP routing for packet data to separate VLANs or GTP tunnels

High availability

  • Fast IPsec tunnel resumption
  • RADIUS / DIAMETER authentication server load balancing and overload protection
  • Stateful SA failover for established IKE SAs

Management

  • Tunnel management - IKEv2 SA re-keying
  • IKEv2 SA event logging
  • Endpoint connectivity detection and tunnel teardown
  • Deletion of tunnels
  • Alarm for exhaustion of GGSN IP address pool
  • Threshold crossing alerts
  
© 2009 umatoday.com
  