PathFinder Test Configurations and Best Practices for Mobile Money
October 2017 – v1.3
PathFinder Test Configurations and Best Practices for Mobile Money
Document: PF_MM_v1.3
October 2017
Security Classification Category (see next page)
Restricted Internal GSMA
Restricted Members
Restricted Associate Members
Restricted Public Release
Restricted Information
Access to and distribution of this document is restricted to the persons listed under the heading
Security Classification Category. This document is confidential to the Association and is subject
to copyright protection. This document is to be used only for the purposes for which it has been
supplied and information contained in it must not be disclosed or in any other way made
available, in whole or in part, to persons other than those listed under Security Classification
Category without the prior written approval of the Association. The GSM Association
(“Association”) makes no representation, warranty or undertaking (express or implied) with
respect to and does not accept any responsibility for, and hereby disclaims liability for the
accuracy or completeness or timeliness of the information contained in this document. The
information contained in this document may be subject to change without prior notice.
LIST OF TABLES
4.7 QUERYTN
4.7.1 List Profiles Associated with TNs
4.7.2 List TNs in Profiles
4.9 GETTRANSACTIONSTATUS
4.9.1 Display Status of Asynchronous Request
4.9.2 Unauthorized IP Address
4.10 SET CACHE CONFIGURATION
4.11 SET PRIORITY
5 CONNECTIVITY BEST PRACTICES
5.1 CTE CONNECTIVITY OPTIONS FOR IPSEC VPN
5.2 PRODUCTION CONNECTIVITY OPTIONS FOR IPSEC VPN
5.3 PRODUCTION CONNECTIVITY OPTIONS FOR GRX/IPX VLAN
This document provides the information needed to understand and implement the PathFinder Query
Interface (QI). The QI is the information exchange component of PathFinder. It handles real-time
query/response processing when establishing communication sessions between two endpoints.
This document includes the following:
A description of the Customer Test Environment and Production Environment;
A step-by-step view of how query data flows through the interface;
An overview of the open source dig tool that lets you test and implement new instances of the interface;
A description of how the Query Interface processes DNS ENUM queries;
A series of examples and test scenarios for DNS ENUM queries that demonstrate various aspects of the interface.
1.1 Audience
This document is written for individuals who need to know the configuration and best practices details
of the GSMA PathFinder Provisioning and Query Interface.
1.2 Acronyms
The following table provides a list of acronyms used in this document:
Table 1: Acronyms and Definitions
Acronym Definition
API Application Programming Interface
CTE Customer Test Environment
dig Domain Information Groper
dip Query
DNS Domain Name System
E2U ENUM to URI
ENUM Electronic Numbering Mapping
FQDN Fully Qualified Domain Name
GSMA Global System for Mobile communications Association
GUI Graphical User Interface
IETF Internet Engineering Task Force
IPX IP Packet Exchange
ITU-T International Telecommunication Union – Telecommunication Standardization Sector
LRN Location Routing Number
MCC Mobile Country Code
MNC Mobile Network Code
MMS Multimedia Message Service
NAPTR Naming Authority Pointer
NPAC Number Portability Administration Center
NPD Number Portability Discovery
NPDI Number Portability Dip Indicator
PI Provisioning Interface
QI Query Interface
RFC Request for Comment
RR Resource Record
SIP Session Initiation Protocol
SMS Short Message Service
SOA Start of Authority
SPN Service Provider Number
SSL Secure Sockets Layer
TN Telephone Number
URI Uniform Resource Identifier
1.3 Document Conventions
This document uses the following conventions:
Table 2: Document Conventions
Convention: Italics
Description: Indicates that a term or phrase is being introduced and that its definition is in the vicinity (either right before or right after).
Example: The engine is the order management system.

Convention: Constant width
Description: Used to indicate commands, file names, and file and code samples. Might be emphasized with bold.
Example: % xterm -sb -title osagent

Convention: Italics, Constant width
Description: Used within command, code, and file samples. Indicates file names or text that should be replaced with words or names that are appropriate to the customer's installation or environment. Might be emphasized with bold.
Example: % perl copy2web.prl <directory>
Example: AdminPhn=Administrator's phone number

Convention: < >
Description: Encloses a directory, file name or other information that will need to be replaced. The actual name should not be enclosed within angle brackets.
Example: D:\<installation root directory>\

Convention: Hypertext link
Description: Used to indicate a hypertext link that, if clicked, will take the user to either an HTML page or a URL. A default browser must be specified.
Example: You can find some examples in the use cases at http://www.gsmworld.com/oneapi

Convention: Notations
Description: A note symbol is used to provide supporting information that may not be explicitly addressed in the accompanying text.
Example: NOTE This symbol indicates supporting information.

Convention: XML Notation
Description: It is Neustar standard to represent data values via Node attributes named "value".
Example: <DSENT value="11-03-2003-0900AM"/>
1.4 Related Documentation
The following are PathFinder-related documents:
PATHFINDER ADMIN AND CUSTOMER USER GUIDES: provides step-by-step procedures for tasks performed using the PathFinder GUI for Neustar Administrators and Customers;
PATHFINDER PROVISIONING INTERFACE GUIDE: describes the structure and available commands;
PATHFINDER QUERY INTERFACE GUIDE: this guide, which describes the PathFinder environments and how the Query Interface processes DNS ENUM queries;
PATHFINDER CONNECTIVITY AND DEPLOYMENT GUIDE: summarizes the various options available for connectivity in the customer test (CTE) and production environments for a customer who has subscribed to a PathFinder Query Interface (QI) service, and provides the sequence for deployment. It also discusses the availability of a Neustar-designed reference Java client to aid customer QI API development.
4 Provisioning Interface API Commands
4.1 DefineDNSProfile
Use the DefineDNSProfile command to create a Profile.
Note: PathFinder lets you specify additional URI Schemes/Services and Attributes in URIs for Profiles. In the PathFinder GUI, the available URI Schemes/Services are shown on the NAPTR tab on the Manage Tier 2 Profile page. The available Attributes are shown on the NAPTR Attributes tab. To request that additional URI Schemes/Services or Attributes be added to PathFinder, contact Customer Support.
4.1.1 Create a Profile
In the following example, the DefineDNSProfile request includes valid URIs:
5.2 Production Connectivity Options for IPsec VPN
The Production Environment supports live PathFinder customers after they have completed their
testing in the CTE. This environment is designed and operated to meet contractual SLAs as defined in
the Standard Services Agreement between the customer and GSMA.
The primary production connectivity option is via an IPsec Virtual Private Network (VPN).
Note: The term ‘primary’ also refers to recommended traffic distribution. North American customers should route 100% of portability traffic to Ashburn/Denver and split their remote traffic evenly to EUNet (Amsterdam) and Telecity (Amsterdam). International customers should split all their traffic evenly to EUNet and Telecity. Ashburn/Denver can serve as a backup in the case of any issues.
Note: Neustar does not provide technical support for open source VPN software (e.g., Openswan). Further, Neustar can only provide limited technical support for cloud-based web services environments (e.g., Amazon Elastic Compute Cloud). Consequently, Neustar has extended an SSL PKI connectivity option – which should be considered as a last resort option for customers. Using SSL PKI, similar PathFinder NPD query per second throughput can be achieved relative to IPsec VPNs. However, such responses can be expected to be up to twenty percent slower on average.
For ENUM Hosting service, if the result for a TN query is a non-terminal record, PathFinder will
currently not recurse and perform a subsequent query in an attempt to discover a terminal answer.
PathFinder will return the non-terminal answer (the delegation information) back to the Customer’s
application client, which is assumed, in turn, to make the subsequent query in order to obtain the
terminal answer. The same will be true for other related queries, such as finding the A resource record
associated with a FQDN contained in a response from PathFinder.
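The client-side follow-up described above can be sketched as follows. This is an added example, not code from the original document or from Neustar. It assumes the non-terminal answer is a NAPTR record with empty flags whose replacement field names the next domain to query (RFC 3403). The lookup callback, the record dictionaries, the domain names and the sample zone are all constructed for illustration.

```python
import re

MAX_HOPS = 5  # bound the chain so a referral loop cannot keep the client busy


def apply_regexp(field, aus):
    """Apply a NAPTR regexp field ('!ere!replacement!flags') to the dialled number."""
    parts = field.split(field[0]) if field else []
    if len(parts) != 4:
        raise ValueError("malformed NAPTR regexp field")
    _, ere, repl, flags = parts
    # Python's re is used here in place of POSIX ERE; typical ENUM patterns agree.
    match = re.search(ere, aus, re.IGNORECASE if "i" in flags else 0)
    if match is None:
        raise ValueError("NAPTR regexp does not match the number")
    # NAPTR back-references are \1..\9; expand them from the match groups.
    return re.sub(r"\\([1-9])", lambda m: match.group(int(m.group(1))) or "", repl)


def resolve_enum(name, aus, lookup, service="E2U+sip"):
    """Follow non-terminal NAPTRs from `name` until a terminal 'u' record yields a URI."""
    seen = set()
    for _ in range(MAX_HOPS):
        if name.lower() in seen:
            raise RuntimeError("referral loop at " + name)
        seen.add(name.lower())
        # Lowest order first, then lowest preference.
        for rr in sorted(lookup(name), key=lambda r: (r["order"], r["pref"])):
            flags = rr["flags"].lower()
            if flags == "u" and rr["service"].lower() == service.lower():
                return apply_regexp(rr["regexp"], aus)
            if flags == "":  # non-terminal: the client makes the next query itself
                name = rr["replacement"].rstrip(".")
                break
        else:
            raise LookupError("no usable NAPTR at " + name)
    raise RuntimeError("too many non-terminal hops")


# Constructed sample data (hypothetical names), standing in for live DNS answers.
ZONE = {
    "3.2.1.0.6.4.9.7.0.2.4.4.enum.example": [
        {"order": 10, "pref": 10, "flags": "", "service": "", "regexp": "",
         "replacement": "3.2.1.0.6.4.9.7.0.2.4.4.tier2.example."}],
    "3.2.1.0.6.4.9.7.0.2.4.4.tier2.example": [
        {"order": 10, "pref": 20, "flags": "u", "service": "E2U+sip",
         "regexp": "!^\\+44(.*)$!sip:0\\1@gw.example.net!", "replacement": "."}],
}
```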
Note: For IPsec VPN connectivity, the Customer is responsible for failing over to a
secondary site in the unlikely event of a failure.
Note: CTE is hosted at one site. In the Production environment, there are currently
three Query Interface sites. Each site has multiple query interface applications
running behind a load balancer. The Customer can simply establish an IPsec VPN
connection to get to the site Virtual IP Address used to issue a query.
The service connectivity options for the production environment for IPsec VPN are summarized
below.
Services IPsec VPN
Number Portability Discovery
ENUM Hosting
To establish IPsec VPN connectivity to PathFinder’s Number Portability Discovery and/or
ENUM Hosting services, the customer must have an IPsec-capable router or firewall in order to build
LAN-to-LAN VPNs (also known as site-to-site VPNs) to the Cisco ASA or Juniper firewalls hosted in the
PathFinder nodes. The advantage of this method of connectivity is that the data exchange is over a
secure connection but still over the public Internet. All communications are secured at a minimum
using AES algorithms. As shown in Figure 8 below, an example of a commercial IPsec-capable VPN
device could be a Juniper SSG or others from vendors like CheckPoint, Cisco, Fortinet and Sonicwall.
For any clarifications or questions regarding the VPN requirements/devices supported, please
contact your Account Executive and/or Deployment Manager at Neustar.
Note: Due to these VPN requirements, the customer must provide a Public IP
address to Pathfinder Support for both the VPN peer and the Encryption Domain of
the customer’s VPN. Elastic IP and RFC 1918 addresses are not supported.
Customers using RFC 1918 addresses will need to employ source NAT to a public
address before traffic enters into the VPN tunnel.
Figure 2: Sample IPsec VPN Connectivity Diagram (components shown: Customer Equipment (ENUM Query); Customer VPN Device (e.g., Netscreen); Internet; Neustar VPN Server (Juniper SSG); Pathfinder ENUM Server)
The IPsec VPN device should minimally support the following:
Tunnel mode
SHA hash
3DES encryption
ISAKMP
Site to site VPN
Pre-Shared Keys
A sample list of LAN-to-LAN IPsec-compatible devices includes:
CheckPoint R7x
Fortinet Fortigate-200A
Juniper SSG5, SSG140, ISG-1000
Juniper SRX240, SRX550
Cisco ASA 5500-X
Cisco IOS router (k9 crypto version)
Sonicwall NSA series
Note: This list is not meant to be exhaustive by any means as models and vendors change frequently with new devices coming to market regularly.
Where geographical resiliency in Production is required, the customer needs to implement
additional VPN connections to secondary sites. ENUM queries may be sent to all active PathFinder
query nodes, however if one is “unreachable”, the customer (ENUM client) is responsible for re-
directing queries to an alternative query node. In Production, there are currently three active QI
nodes to which the customer can connect.
Note: Although UDP and TCP are supported over an IPsec VPN connection, Neustar
recommends using UDP instead of TCP as TCP has connection overhead (see also
Chapter 2).
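The client-side failover described above (UDP queries, redirected to another query node when one is unreachable) can be sketched as follows. This is an added example, not code from the original document or from Neustar. The ENUM apex, the node addresses (TEST-NET-1 placeholders), UDP port 53 and all function names are assumptions.

```python
import random
import socket
import struct

# Placeholders, not values from the document: the ENUM apex and the three
# query-node addresses (TEST-NET-1) stand in for your deployment's settings.
ENUM_APEX = "enum.example"
QI_NODES = ["192.0.2.10", "192.0.2.20", "192.0.2.30"]
NAPTR = 35  # DNS resource record type NAPTR


def tn_to_enum_name(tn, apex=ENUM_APEX):
    """'+44 20 7946 0123' -> '3.2.1.0.6.4.9.7.0.2.4.4.<apex>' (reversed digits)."""
    digits = [c for c in tn if c.isdigit()]
    if not digits:
        raise ValueError("telephone number contains no digits")
    return ".".join(reversed(digits)) + "." + apex


def build_query(qname, txid):
    """Encode a one-question DNS query for NAPTR, RD set as dig does by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", NAPTR, 1)


def udp_exchange(node, payload, timeout):
    """Send one datagram to node:53 (assumed port) and return the reply, or raise OSError."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(payload, (node, 53))
        data, peer = sock.recvfrom(4096)
    if peer[0] != node:
        raise OSError("reply from unexpected source " + peer[0])
    return data


def query_with_failover(tn, nodes=QI_NODES, timeout=1.0, exchange=udp_exchange):
    """Try each node in turn; return (node, reply) from the first valid answer."""
    qname = tn_to_enum_name(tn)
    errors = {}
    for node in nodes:
        txid = random.SystemRandom().randrange(0x10000)
        try:
            reply = exchange(node, build_query(qname, txid), timeout)
        except OSError as exc:  # timeouts and other socket errors land here
            errors[node] = str(exc)
            continue
        # Accept only a response (QR bit set) that echoes our transaction ID.
        if len(reply) >= 12 and reply[:2] == struct.pack("!H", txid) and reply[2] & 0x80:
            return node, reply
        errors[node] = "malformed or mismatched reply"
    raise ConnectionError("no query node answered: %r" % errors)
```

A short per-node timeout keeps the worst-case lookup time bounded at the timeout multiplied by the number of nodes.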
5.3 Production Connectivity Options for GRX/IPX VLAN
Note: IPX, or Internet Protocol Exchange, is a telecommunications interconnection
model for the exchange of IP-based traffic between customers of separate mobile
and fixed operators, as well as other types of service providers via an IP-based
Network-to-Network Interface. IPX was developed by GSM Association.
PathFinder’s NPD and ENUM Hosting services are also accessible via a GRX/IPX VLAN. The GRX
(Global Roaming Exchange) provides a private IP network, name space, address space and routing
between members of the Global Roaming Exchange and provides signaling transport between them.
In order to establish GRX/IPX connectivity, the PathFinder customer needs to have a presence in the
GRX/IPX cloud directly or via GRX/IPX providers who will establish the connectivity for the
PathFinder customer. With GRX/IPX connectivity, it is no longer the responsibility of the Customer to
failover to a secondary site whenever the primary site is “unreachable” as it is automatically taken
care of by the system design in the GRX/IPX environment.
For ENUM Hosting, each of the Customer’s host servers must be visible and routable over the
GRX/IPX VLAN. A Zone Transfer mechanism is available to the Customer to download and locally
store the Tier 0 data. It is the Customer’s responsibility to set up a recursive server for resolving the
NAPTR RRs into routable IP addresses as required.
The service connectivity options for the production environment for GRX/IPX VLAN are summarized
below.
Services GRX/IPX VLAN
Number Portability Discovery
ENUM Hosting
APPENDIX A: AWS VPN GUIDELINE AND OPENSWAN CONFIGURATION
If you are connecting through AWS with an open source VPN, then the following serves as a useful reference.
Note: Neustar does not provide technical support for open source VPN software (e.g., Openswan). Further, Neustar can only provide limited technical support for cloud-based web services environments (e.g., Amazon Elastic Compute Cloud).
1. In AWS launch a RHEL AWS instance
Services => EC2 => Launch an instance