IP Site Connect

From MOTOTRBO
Almost all MOTOTRBO radios and repeaters support IPSC as standard.

Introduction

IP Site Connect allows the connection of up to 15[1] MOTOTRBO repeaters to create a wide area radio network covering all locations. In this mode, repeaters across dispersed locations exchange voice and data packets over an IPv4-based back-end network. This IPv4 network could be the internet, a dedicated microwave link, or a leased line provided by a telecommunications network operator.

MOTOTRBO radios that operate on an IP Site Connect network use roaming to ensure the repeater channel with the best signal is always used. The roaming functionality in the radio changes the operating frequencies (channel) automatically, so there is no need for the user to change channels to stay in range.

Using IP Site Connect, it is possible to:

  • Increase the coverage area of a MOTOTRBO system.
  • Provide voice and data communication between two or more locations that are far apart.
  • Provide voice and data communication between two or more MOTOTRBO systems operating in different frequency bands (e.g. one system could be VHF and the other UHF).

The backend network of an IP Site Connect system is designed to work seamlessly with internet connectivity provided by an Internet Service Provider (ISP) or an IP connection using a dedicated microwave or fiber optic link. The system only requires that one of the repeaters have a static IPv4 or DNS address, while the others can use dynamic IP addresses. Also, the system avoids the need for reconfiguration of a customer’s network such as reprogramming of firewalls.

When a new call starts on one of the logical channels of a repeater, the repeater sends the call to all the repeaters which in turn repeat (retransmit) the call on the corresponding logical channel. This allows a radio in the coverage area of any repeater to participate in the call. Thus, the coverage area of an IP Site Connect system is the sum of the coverage areas of all the repeaters.

Note that an IP Site Connect configuration does not increase the capacity (number of calls per hour) of the system. This means that the capacity of one Wide Area Channel (slot) of an IP Site Connect system is the same as that of a single repeater working in digital repeater mode. In an IP Site Connect configuration, MOTOTRBO radios support all the features that they already support in single site mode.

The IP Site Connect configuration of MOTOTRBO does not require any new hardware besides backend network devices such as routers. If a customer has multiple MOTOTRBO systems working in digital repeater mode at dispersed sites and wants to convert them into an IP Site Connect system, they only need to be connected to an IPv4-based backend network.

It is possible to configure a repeater such that:

  • Both logical channels (slots) work in IP Site Connect mode (over wide area).
  • Both logical channels work in digital repeater mode (single site over local area).
  • One of its logical channels works in IP Site Connect mode (over wide area) and the other logical channel works in digital repeater mode (single site over local area).

IP Site Connect has three security features:

  1. It provides confidentiality of voice and data payloads by extending the privacy feature, whether Basic or Enhanced, or Advanced Encryption Standard (AES), to cover the communication over the backend network.
  2. It ensures that all the messages between repeaters are authentic.
  3. It supports Secure VPN (Virtual Private Network) based communication between the repeaters for customers needing a higher level of security (protection against replay attack).

IP Site Connect provides a means to remotely manage repeaters. The tool used for this is called RDAC and it receives alarms from all the repeaters, helps in diagnosis of repeaters, and provides some controls over the repeaters.

Wide Area and Local Area Channels

In some literature, reference is made to Wide Area and Local Area Channels. A Wide Area Channel refers to a timeslot (timeslot 1, timeslot 2, or both) on any repeater that is linked to other Wide Area Channels in the same system. If a radio user transmits on a Wide Area Channel, their voice (or data) is relayed on the same slot of all wide area repeaters.

A Local Area Channel refers to a timeslot on a repeater that is not linked to other repeaters. If a radio user transmits on a Local Area Channel, their voice or data will only be repeated on that repeater/site. Management traffic for that repeater is still exchanged with the Master repeater and with RDAC. If an application uses the NAI Voice/Control and/or NAI Data CfS licenses, then it is possible for voice and/or data to travel from a Local Area Channel to the application.

Wide Area and Local Area Channels in IPSC

The above diagram illustrates the concept of Wide Area and Local Area Channels. Here, a 5-site IPSC system is set up with both wide area and local area channels (slots). Both slots 1 and 2 are Wide Area Channels on Repeaters 1 to 3, whereas on Repeater 4 only slot 1 is Wide, and on Repeater 5 only slot 2 is Wide. Both slot 2 on Repeater 4 and slot 1 on Repeater 5 are Local Area Channels; voice/data transmitted on them will not be relayed to the other repeaters and will only be repeated locally, as if the repeater were a standalone unit.

Summary of features

MOTOTRBO IP Site Connect supports the following features:

  • Voice Features: Group Call; Private Call; All Call; DTMF; Voice Interrupt; Digital Telephone Patch
  • Signaling Features: PTT-ID and Aliasing; Radio Inhibit; Remote Monitor; Radio Check; Call Alert; Remote Voice Dekey
  • Emergency Handling: Emergency Alarm; Emergency Alarm and Call; Emergency Alarm with Voice to Follow; Emergency Revert per Site; Emergency Voice Interrupt; Emergency Remote Monitor
  • Data Calls: Text Messaging; Location Tracking; Telemetry; Third-Party Applications; GPS Revert per Site; Data over Voice Interrupt
  • Other Features: Two Wide Area Channels (Slots 1 and 2); Mix of Local and Wide Area Channels (Slots); Scan; Polite to All System Access; Polite to Own System Access; Impolite Channel Access; Remote Diagnosis and Control; RDS Web Pages[2]; Roaming; Wide Area Coverage; Time-out Timer; Privacy

Typical IP Site Connect System Topologies

An IP Site Connect system allows repeaters at different locations to exchange voice, data, and control packets over an IPv4-based backend network. The potential applications of this mode include:

  • Connecting two or more dispersed locations. For example, two manufacturing facilities in different towns can be connected using MOTOTRBO repeaters in IP Site Connect mode.
  • Building a larger or more effective RF coverage area. For example, multiple repeaters installed in an amusement park or a high-rise building can be connected to provide a contiguous area of RF coverage. The need for multiple repeaters may stem from any combination of geography (distance or topographical interference problems) and in-building or cross-building RF penetration issues.
  • Broadcasting announcements to all sites. This is useful in case of emergency or special events.
  • Connecting repeaters operating in different RF bands. For example, repeaters operating in UHF (UHF-1 and UHF-2) or VHF frequencies can be combined so that voice or data from one system flows into another.
  • Connecting to IP-based applications. IP Site Connect mode allows the customers to connect to third-party IP-based dispatch consoles, or call logging and recording applications, or routing calls to/from IP-based phones.

IP Site Connect Systems can consist of the following topologies:

  • A wide area system with a centralized data application server.
  • Wide and local area systems with distributed data application servers.
  • Multiple wide area systems with a centralized data application server.

Wide Area System with Centralized Data Application Server

This basic topology (shown below) is a single wide area system that consists of multiple single repeater systems operating in digital mode and zero or more Application Servers connected over a back-end network that supports IPv4, where:

  • A repeater system consists of a fixed digital repeater, digital radios (with or without an accessory or a data terminal), and two conventional physical channels. Only one of the repeaters, which is called the Master, has an additional role in the IP Site Connect mode. This additional role involves brokering of UDP/IP address and states of repeaters.
  • A radio uses one slot of a pair of frequencies (that is, inbound and outbound) to communicate with its repeater. The pair of frequencies and/or the color code used by repeaters are not necessarily the same. Their frequencies may be in different frequency bands. The geographically adjacent repeaters have different frequencies. Two repeaters with the same frequency must be separated by a suitable distance to minimize interference and must use unique color codes.
  • An Application Server is PC-like equipment on which one or more applications run. An application can be a data application such as a Location Server or Text Message Server, or a voice application such as a Console. An Application Server is connected to one or two Control Stations, and these Control Stations are connected over-the-air to a repeater. If the configuration has more than one Control Station, then the Application Server should have the MCDD software installed. A third-party application can reside on an Application Server and, since the Application Server is connected to Control Stations (one per logical channel), the application is not required to implement any third-party API that partially emulates the behavior of a MOTOTRBO repeater and radio.
  • The back-end network can be a dedicated network or, most probably, the Internet provided by an Internet Service Provider (ISP). ISPs provide a range of technologies such as dial-up, DSL (typically, ADSL), cable modem, broadband wireless access, ISDN, Frame Relay, Satellite Internet access, and others. The back-end network cannot be based on a dial-up connection (due to small bandwidth) or Satellite Internet access (due to large delay). The IP Site Connect configuration does not require an ISP to provide a non-varying (static) IPv4 address except for the Master repeater. A repeater can be behind a firewall and/or a router and/or a NAT. A repeater has USB and Ethernet network interfaces. The USB is used for connecting a local PC and Ethernet is used for connecting to the back-end network of an IP Site Connect system.

Wide Area System with Centralized Data Application Server

For details on data communication with applications through the repeater network interface instead of a control station, see MOTOTRBO Network Interface Service (MNIS) and MOTOTRBO Device Discovery and Mobility Service (DDMS).

There may be an application known as RDAC-IP running on a host PC connected to the backend network of an IP Site Connect system. The application displays the status of repeaters and allows its user to control some of the parameters of a repeater. The host PC maintains its link with the Master and other repeaters using the same protocols as other repeaters in an IP Site Connect system.

Note that there may be a local RDAC application running on a host PC connected to a repeater through the RNDIS-USB interface. Also, analog and local-area-only repeaters can be connected to a wide area system so that they may be managed by the RDAC application.

In digital mode, MOTOTRBO offers two logical channels. The configuration above shows both the channels acting as wide area channels. This means that when a call starts at one of the logical channels of a repeater, that repeater sends the call to all the other repeaters and they repeat the call on their corresponding logical channel. Since calls are not repeated on both logical channels, a radio on a logical channel cannot participate in a voice call on the other logical channel or logical channels of other IP Site Connect systems unless scan is utilized. Note that scanning cannot be enabled while roaming. Radio to radio data messages are not repeated on both slots either, although it is possible to support one Application Server to serve multiple wide area channels.

The Application Server interfaces with the wide area channels in the same way as it interfaces with the local area channels. This is described in Server Based Data Applications in Repeater Mode.

Wide and Local Area Systems with Distributed Data Application Servers

It is possible that one of the logical wide area channels of the repeaters is configured for local communication only. In this case, each site has its own logical channel for local communication. This is useful in case a customer needs a significant load of local communication. This configuration offloads the local communication from the wide area channel.

The diagram below shows an example of such a configuration, in which one of the logical channels (say, slot 2) is used in IP Site Connect mode (wide area) and the other (slot 1) is used in digital repeater mode (local area). The calls originating on slot 1 are not sent to other repeaters. A customer should use slot 1 for local groups whose members are expected to be present in the coverage area of the repeater, and slot 2 for groups whose members are distributed over the coverage area of multiple repeaters.

Wide and Local Area System with Distributed Data Application Servers

The data messages sent over local channel 1 are not delivered to the Application Server 1 and therefore, if required, each geographical location should have their own Application Server with their own Presence Notifier. When a radio manually roams (changes dial positions) between a local area channel and a wide area channel, the radio registers with its respective Presence Notifier. To facilitate this, the radio ID of the control stations should be configured to be the same.

If a customer requires more local capacity at a location, then it is possible to add more repeaters working in Single-Site configuration, and all the local slots of all the repeaters can share the same Application Server. In that case, the radios on the local channel are not able to communicate with the wide area channels’ Application Server.

For details on data communication with applications through the repeater network interface instead of a control station, see MOTOTRBO Network Interface Service (MNIS) and MOTOTRBO Device Discovery and Mobility Service (DDMS).

Multiple Wide Area Systems with a Centralized Data Application Server

If a customer requires more wide area capacity, then it is possible to add another set of repeaters working in IP Site Connect mode. It is possible for the repeaters to share the same Application Server, as shown below. In this case, the repeaters at a location may share the same link to the backend network. The bandwidth required for communication through the back-end network should take this into consideration. See Back-End Network Design for further details.

If a customer requires more wide area capacity for location data, then it is possible to use one or more wide area channels as GPS Revert Channels. The GPS Revert Channel behavior of radios in IP Site Connect mode is the same as the radios' behavior in digital repeater mode, with the exception that the GPS is sent unconfirmed on a wide area channel.

Multiple Wide Area Systems with Centralized Data Application Server

IP Site Connect IP Networking

The IP Site Connect topologies described in the previous sections can reside on a range of backend network configurations and technologies. Logical connections between the wide area channels can all reside on the same physical network. The actual network topology chosen is usually driven by the repeater’s physical location and the network connectivity available at that location. The network topologies can be broken up into two basic configurations:

  • Local Area Network Configuration
  • Wide Area Network Configuration

Customers that have high capacity network connectivity throughout their organization usually have a desire to utilize their existing network for wide area connectivity. IP Site Connect supports the following technologies:

  • Private LANs
  • Corporate LANs
  • Private Wireless Systems

Exact configurations of Local Area Networks can vary greatly. As long as the devices are on the same network, or have access to other networks through an internal router or NAT configurations, the IP Site Connect system will operate correctly. It is also assumed that in these local configurations bandwidth is not an issue. Nevertheless, it is important for the system installer to understand the bandwidth that each IP Site Connect device requires in order to operate optimally.

The diagram below shows IP Site Connect devices located at different sites connected through a local area network. Note that in this drawing the IP Site Connect devices could be in one or more Wide Area Systems (more than one Master), could contain local area channels or even be an analog repeater, a disabled repeater, or RDAC IP application. Only the repeaters acting as Masters require a local static IPv4 address, or a static DNS address that is mapped to a dynamically assigned IPv4 address. The other IP Site Connect devices use this local static IPv4 address or static DNS address to establish their link with the wide area system.

IP Site Connect devices connected through Local Area Network

The largest benefit of IP Site Connect is the ability to connect sites over public Internet Service Provider (ISP) links as well as private high speed connections. ISPs provide a range of technologies with varying bandwidth. IP Site Connect supports the following technologies (as long as the requirements listed in the backend Network Considerations section are met):

  • Private E1
  • DSL (typically ADSL)
  • Cable Modem
  • Broadband Wireless Access.

IP Site Connect does not support dial-up connections (due to small bandwidth) or Satellite Internet access due to large and unpredictable delay. When utilizing public Internet connections, it is important that the system installer understand the bandwidth and delay that each IP Site Connect device requires in order to operate optimally. They must also understand the details (bandwidth and delay) of the network link at each site and between sites. For example, if connecting sites have long distances between them, the delay of the entire link needs to be considered. Spanning continents connected via Satellite may introduce unacceptable delay. But, if the continents are connected via fiber optic there may not be any issues.

Also keep in mind that because traffic from one repeater is sent to every repeater, the required bandwidth of the ISP link at one site is a function of the number of other repeaters in the system. Adding a repeater will increase the required bandwidth at all sites.

A repeater can be (and is suggested to be) behind a router and/or a NAT and/or a firewall. Although not required, it is highly suggested in order to protect against the undesired solicitations common over the public Internet. Although IP Site Connect will work through most off-the-shelf devices, the following router/NAT/firewalls are also known to work sufficiently.

As previously described, peer-to-peer communications over the network can be optionally authenticated and are also encrypted end-to-end if enabled in the radios. If this is not considered sufficient for a particular customer, IP Site Connect supports the ability to work through a Secure VPN (Virtual Private Network). Secure VPN is not a function of the IP Site Connect device but rather of the router. It is important to note that VPN does add the need for additional bandwidth and may introduce additional delay. This should be taken into consideration in bandwidth planning. The Linksys 4 Port Gigabit Security Router with VPN: Model RVS4000 is suggested for use.

Only the repeaters acting as Masters require a publicly accessible static IPv4 address from the Internet Service Provider. The other IP Site Connect devices utilize this publicly accessible static IPv4 address to establish their link with the wide area system. In addition, the router/NAT/firewall connected to the Master requires some configuration (open port) so that unsolicited messages from other repeaters can reach the Master repeater. The repeaters acting as Masters can also be configured with a dynamically assigned IPv4 address, as long as this address is associated with a static DNS address.

Anytime the IPv4 address for a Master changes, then the DNS server must be updated with the new address. The DNS Server utilized by all of the IP Site Connect devices must have an accurate IPv4 address for the Master. If the IPv4 address becomes invalid on the DNS Server, the IP Site Connect devices will NOT be able to establish their link with the wide area system and/or may lose an existing link. Once the IPv4 address for the Master is valid again on the DNS Server, the devices will be able to link to the wide area system again. It is the job of the entity assigning the IPv4 address to the Master to also update the DNS Server with the updated IPv4 address. It should be noted that this feature is only available on SLR Series Repeaters.

The following diagram shows a simple diagram of IP Site Connect devices located at different sites connected through a wide area network. Note that in this drawing the IP Site Connect devices could be in one or more Wide Area Systems (that is, more than one Master), could contain local area channels or even be an analog repeater, a disabled repeater, or RDAC IP application.

IP Site Connect Devices connected through Wide Area Network

Wide and Local Area Network Configuration

Most network topologies are a combination of both Local and Wide Area network configurations.

For example, there may be a need to link two or more sites with existing local networks together over a public ISP, or to link one or more remote mountain RF sites into a corporate network. When doing this, there are a few extra precautions to consider that are not covered here.

The number of IP Site Connect devices connected together behind a single wide area connection (that is, behind one router) can have a large effect on the required bandwidth of the wide area link. The bandwidth requirements of a wide area link are the summation of the bandwidth requirements of all IP devices behind the router. In other words, if there are three IP Site Connect devices utilizing a single ISP link, it must have enough bandwidth to support all three.

The traffic from one repeater is sent to every repeater; therefore the required bandwidth of the ISP link at one site is a function of the number of other sites in the system. Adding a repeater at one site increases the required bandwidth at all sites.

Similar to the Wide Area Network configurations, the repeaters acting as the Master will require a publicly accessible static IPv4 or DNS address from the Internet Service Provider. The other IP Site Connect devices utilize this publicly accessible static IPv4 or DNS address to establish their link with the wide area system, not a local IPv4 address. This is true even for the IP Site Connect devices that are located on the same Local Area Network as the Master.

Again, similar to the Wide Area Network configurations, the router/NAT/firewall connected to the Master requires some configuration (open port) so that unsolicited messages from other repeaters can reach the Master repeater. To support the ability for the IP Site Connect devices to communicate with other devices on their LAN using the WAN IPv4 address, the routers on those WANs must support a feature referred to as “hairpinning”. Hairpinning is returning a message in the direction it came from as a way for it to reach its final destination. This is per the router standard RFC 4787.

The following diagram shows a simple diagram of IP Site Connect devices located at different sites connected through a mix of local and wide area networks. Note that in this drawing the IP Site Connect devices could be in one or more Wide Area Systems (more than one Master), could contain local area channels or even be an analog repeater, a disabled repeater, or RDAC IP application.

IP Site Connect Devices connected through Local Area and Wide Area Network

Back-End Network Design for IP Site Connect

To create a proper back-end network design, it is important to know its characteristics. There are four aspects of an IP network that one must consider:

  1. Latency
  2. Jitter
  3. Packet Loss
  4. Bandwidth

If any one of these is not in order, the system will perform poorly or may fail altogether.

Delay/Latency

Back-end network delay or latency is characterized as the amount of time it takes for voice to leave the source repeater and reach the destination repeater. Three types of delay are inherent in the back-end networks:

  • Propagation delay
  • Serialization delay
  • Handling delay

Propagation delay is caused by the distance a signal must travel via light in fiber or as electrical impulses in copper-based networks. A fiber network stretching halfway around the world (13,000 miles) induces a one-way delay of about 70 milliseconds.

Serialization delay is the amount of time it takes the source repeater to actually place a packet byte by byte onto the back-end network interface. Generally, the effect of serialization delay on total delay is relatively minimal, but since an IP Site Connect system sends a voice packet one-by-one to all the repeaters, the serialization delay for the last destination repeater is (# of repeaters - 1) times the serialization delay for the first destination repeater.

Handling delay defines many different types of delay caused by the devices (for example, secure routers) that forward the packet through the back-end network. A significant component of the handling delay is the queuing delay, which occurs when more packets are sent out to a network device than the device can handle at a given interval.

The CPS allows setting the Total Delay (that is, the sum of propagation delay, serialization delay, and handling delay) to be High (90 ms) or Normal (60 ms) in both the repeaters and the radios. Note that radios also support a higher value (500 ms) of total delay, which should not be used in an IP Site Connect system. The default is Normal. This is used to derive values for other parameters such as Arbitration Interval and Call Hang Times in repeaters and Ack Wait times in radios. For proper functioning of an IP Site Connect system, all the repeaters and radios should have the same delay setting.

It is recommended that propagation and handling delays between repeaters should be measured (for example, by “pinging”) between all pairs of repeaters. The total delay is equal to the maximum of the measured values + (# of repeaters - 1) * (1/2 + 1000/BW in kbps) ms, where the BW is the available bandwidth of the back-end network.

If the total delay is less than 60 ms then the setting should be Normal. If the total delay is more than 60 ms but less than 90 ms then the setting should be High. For a back-end network having a total delay of more than 90 ms, the IP Site Connect system will not work satisfactorily, with occasional failure of arbitration, hang time and data link layer acknowledgments. The disadvantage of the 90 ms setting is an increase in audio throughput delay.
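The delay check described above, worked through in Python as an added example (not from the original page). The repeater names and measured delays are constructed sample values; treating exactly 60 ms as High and 90 ms or more as unsupported is an assumption, since the page only gives strict inequalities.

```python
from itertools import combinations

NORMAL_LIMIT_MS = 60.0  # page: total delay below 60 ms -> Normal
HIGH_LIMIT_MS = 90.0    # page: below 90 ms -> High; above 90 ms is unsatisfactory


def total_delay_ms(repeaters, measured_ms, bw_kbps):
    """Total delay per the page's formula.

    max(measured pair delays) + (# of repeaters - 1) * (1/2 + 1000/BW) ms

    repeaters   -- list of repeater names (hypothetical labels)
    measured_ms -- {(name_a, name_b): measured delay in ms}, one entry per pair
    bw_kbps     -- available bandwidth of the back-end network in kbps
    """
    if len(repeaters) < 2:
        raise ValueError("an IP Site Connect system needs at least two repeaters")
    if bw_kbps <= 0:
        raise ValueError("bandwidth must be positive")

    # Normalise keys so ("a", "b") and ("b", "a") name the same link.
    measured = {frozenset(pair): ms for pair, ms in measured_ms.items()}

    # The page asks for measurements between ALL pairs; refuse to guess.
    pairs = [frozenset(p) for p in combinations(repeaters, 2)]
    missing = sorted(tuple(sorted(p)) for p in pairs if p not in measured)
    if missing:
        raise ValueError(f"no delay measurement for pairs: {missing}")

    worst = max(measured[p] for p in pairs)
    serialization = (len(repeaters) - 1) * (0.5 + 1000.0 / bw_kbps)
    return worst + serialization


def delay_setting(total_ms):
    """Map a total delay to the CPS Total Delay setting named on the page."""
    if total_ms < NORMAL_LIMIT_MS:
        return "Normal"
    if total_ms < HIGH_LIMIT_MS:   # assumption: exactly 60 ms is treated as High
        return "High"
    return "Unsupported"           # assumption: 90 ms or more is rejected


def recommend(repeaters, measured_ms, bw_kbps):
    """Return (total delay in ms, setting) for one candidate back-end network."""
    total = total_delay_ms(repeaters, measured_ms, bw_kbps)
    return total, delay_setting(total)


# Constructed sample: four repeaters, six measured pair delays in ms.
REPEATERS = ["master", "peer1", "peer2", "peer3"]
MEASURED_MS = {
    ("master", "peer1"): 18.0,
    ("master", "peer2"): 22.0,
    ("master", "peer3"): 35.0,
    ("peer1", "peer2"): 25.0,
    ("peer1", "peer3"): 41.0,
    ("peer2", "peer3"): 38.0,
}

if __name__ == "__main__":
    # Same measured delays, three different available bandwidths.
    for bw in (512, 64, 56):
        total, setting = recommend(REPEATERS, MEASURED_MS, bw)
        print(f"{bw:>4} kbps: total {total:6.2f} ms -> {setting}")
```

With the same measured delays, the serialization term alone moves this sample system from Normal at 512 kbps to High at 64 kbps and past the 90 ms limit at 56 kbps.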

Jitter

Jitter is the variation of packet inter-arrival time. The source repeater is expected to transmit voice packets at a regular interval (that is every 60 ms for one channel). These voice packets can be delayed throughout the back-end network and may not arrive at that same regular interval at the destination repeater. The difference between when the packet is expected and when it is actually received is called Jitter.

To overcome the effect of jitter, the IP Site Connect system employs a fixed Jitter Buffer of 60 milliseconds. If a packet does not arrive at a destination repeater within 60 ms after the expected time, then the repeater assumes the packet is lost, replays a special erasure packet, and discards the late arriving packet. Because a packet loss affects only 60 ms of speech, the average listener does not notice the difference in voice quality. Thus, a jitter of more than 60 ms degrades the audio quality.

Packet Loss

Packet loss in IP-based networks is both common and expected. To transport voice bursts in a timely manner, an IP Site Connect system cannot use reliable transport mechanisms (that is, confirmed packets), and therefore while designing and selecting the back-end network it is necessary to keep packet loss to a minimum. The IP Site Connect system responds to periodic packet loss by replaying either a special packet (in the case of voice) or the last received packet (in the case of data). In the case of voice, the ongoing call ends if six consecutive packets do not arrive within 60 ms of their expected arrival time. In the case of data, the repeater waits for the expected number of packets (as per the data header) before ending the call.

Network Bandwidth

Bandwidth is the amount of data transferred to and from a network device, often referred to as the bit rate. Bandwidth is measured in bits per second or kilo-bits per second (kbps). When designing an IP Site Connect system, it is important to understand the needs of each IP Site Connect device so that the appropriately rated network connection for each site can be chosen.

If a customer has high speed network connections between sites, these calculations may not be as important, but if they are working on lower speed public Internet Service Providers (ISPs) it is good practice to understand these values and plan accordingly. If the minimum amount of bandwidth is not available, the end user may experience audio holes or even dropped calls. Radio to Radio Data messaging or RDAC commands may not be successful on the first attempt, or may be dropped altogether. In general, the quality of service may suffer if substantial bandwidth is not available.

Note that for most Internet Service Providers, the uplink bandwidth is the limiting factor. The downlink bandwidth is usually multiple factors above the uplink bandwidth. Therefore, if the uplink requirements are met, the downlink requirements are almost always acceptable. Some ISPs may state they provide a particular bandwidth, but it is important to verify the promised bandwidth is available once the system is installed and throughout operation. A sudden decrease in available bandwidth may cause the previously described symptoms.

It is also important to note that if the wide area network connection is utilized by other services (file transfer, multimedia, web browsing, and others), then the IP Site Connect devices may not have the appropriate bandwidth when required and quality of service may suffer. It is suggested to remove or limit these types of activities. In addition, overuse of the RDAC application itself may cause increased strain on the network during times of high voice activity. It is recommended that RDAC commands be kept to a minimum unless appropriate bandwidth has been allocated.

Required Bandwidth Calculations for IP Site Connect

The amount of bandwidth an IP Site Connect device requires is dependent on a variety of factors. The most important factor to understand is that the bandwidth required for one particular device is dependent on how many other devices or peers it has in the IP Site Connect system. Equally important is the type of devices.

An IP Site Connect system can contain repeaters that have two channels operating in wide area, one channel operating in wide area, or no channels operating in wide area, such as local channels only. Channels, or slots, operating in local area mode do not send their voice traffic over the network. Recall that one repeater within the IP Site Connect system acts as the Master. This repeater requires some additional bandwidth. The IP Site Connect system may also contain repeaters, disabled repeaters, and RDAC applications. These devices do not send voice over the network, but they do require the bandwidth to support the standard link management and control signaling.

For a quick reference, the below graphs show the required bandwidth for two simple IP Site Connect system configurations. The first shows the required bandwidth for various size systems where every repeater in the system utilizes both channels, or slots, as wide area. The second shows the required bandwidth for various size systems where every repeater in the system utilizes one channel, or slot, as wide area, and the other channel, or slot, as local area. In each system, one RDAC is present, repeater authentication is enabled, and Secure VPN is not being utilized in the routers.

Required Bandwidth for Two Simple IP Site Connect System Configurations

Note that although the two examples above may represent typical IP Site Connect configurations, and may provide a quick snapshot of the bandwidth requirements for a particular size system, more complicated configurations require additional calculations. The following equation should be used to calculate the bandwidth for each IP Site Connect device in the IP Site Connect system. The results should then be added together at sites where multiple devices reside behind one wide area connection.

BWST = (NP1*BWVC)+(NP2*BWVC)+((NP1+NP2)*BWLM)+(M*BWIR)+BWRD

M = If this is a site hosting a Master then M=NP1+NP2, otherwise M equals zero.

NP1 = Number of IP Site Connect Peers for Slot 1. If this is a site hosting a Peer repeater, exclude self.

NP2 = Number of IP Site Connect Peers for Slot 2. If this is a site hosting a Peer repeater, exclude self.

BWVC = 15 kbps = Bandwidth required to support Wide Area Voice or Data (1 slot)

BWLM = 6 kbps = Bandwidth required to support Link Management

BWIR = 3 kbps = Bandwidth required to support Master Messaging

BWRD = 55 kbps = Bandwidth required to support RDAC commands

BWST = Total uplink and downlink bandwidth required at this site.

To help demonstrate the use of the above equation on a more complicated IP Site Connect system, take the following example system shown in the diagram below. This system has six total IP Site Connect devices at three sites; five repeaters and one RDAC. Three of the repeaters have both channels configured as wide area, one has a wide area channel and a local channel, and the last repeater has two local channels. The routers are not utilizing Secure VPN.

Let us start with Repeater 1. Repeater 1 is a Master and has two wide area channels. The first wide area channel has three peers and the second wide area channel has two peers. Note that since Repeater 4 and Repeater 5 have local area channels, these are not considered wide area channel peers. It is also important to remember that a peer does not include the device currently being calculated.

Each calculation provides enough bandwidth to support an RDAC command during times of high activity. This assumes that only one RDAC command occurs at a time and is not utilized often. If it is expected that multiple RDAC applications will be performing commands on repeaters often and simultaneously, one might wish to increase the bandwidth to support these types of activities.

Example System for Calculating Bandwidth Requirements without Secure VPN

3 peers on slot 1, 2 peers on slot 2, this site has a Master repeater and there is RDAC.

BWST = (3*15)+(2*15)+((3+2)*6)+(5*3)+55

BWST = 175 kbps

Using the same calculation, the following results are obtained:

Required bandwidth (see above diagram)

Site Name     Bandwidth (kbps)
Repeater 1    175
Repeater 2    160
Repeater 3    160
Repeater 4    85
Repeater 5    130
RDAC          85

The bandwidth of IP Site Connect devices behind a single router needs to be added together to obtain the wide area network bandwidth requirement. A repeater or disabled repeater connected to the IP Site Connect system would require the same amount of traffic as a local only repeater (e.g. Repeater 4 above). One should keep in mind that if the disabled repeater will eventually be enabled without disabling a different repeater, the bandwidth of the enabled repeater should be accounted for in the bandwidth plan.

Required Bandwidth Calculations While Utilizing a Secure Virtual Private Network

As was discussed in previous chapters, peer-to-peer communications over the network are optionally authenticated and are also encrypted end-to-end if enabled in the radios. If this is not considered sufficient for a particular customer, IP Site Connect supports the ability to work through a Secure Virtual Private Network (VPN). Secure VPN is not a function of the IP Site Connect device but rather of the router. It is important to note that Secure VPN does add the need for additional bandwidth and may introduce additional delay.

For a quick reference, the graphs below show the required bandwidth for the two previously discussed simple IP Site Connect system configurations, but in this case utilizing routers with Secure VPN enabled and repeater authentication disabled. When utilizing Secure VPN routers, repeater authentication is not necessary since the Secure VPN utilizes its own authentication. As can be seen, the bandwidth requirements per device increase substantially. This should be taken into account when planning for bandwidth.

Required Bandwidth Calculations While Utilizing a Secure Virtual Private Network

The following parameters should be used in the previous equation to calculate the bandwidth requirements of each device in the system when Secure VPN in the routers is enabled and repeater authentication is disabled:

BWVC = 23 kbps = Bandwidth required to support Wide Area Voice or Data with Secure VPN

BWLM = 5 kbps = Bandwidth required to support Link Management without authentication

BWIR = 4 kbps = Bandwidth required to support Master Messaging

BWRD = 64 kbps = Bandwidth required to support RDAC commands

The above values were obtained using the Linksys EtherFast Cable/DSL VPN Router with four-port switch (Model: BEFVP41). Other routers using different algorithms may yield slightly different results.
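The bandwidth equation with both parameter sets (authentication without VPN, and Secure VPN), as an added example that is not from the original page or from Motorola's planning tools. The `lm_peers` parameter is a hypothetical addition: the table rows for Repeater 4 and Repeater 5 (85 and 130 kbps) are reproduced only when the link management term counts all five other devices, so that reading is treated as an assumption here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rates:
    """Per-peer bandwidth figures in kbps, as listed on this page."""
    bw_vc: int  # wide area voice or data, one slot
    bw_lm: int  # link management
    bw_ir: int  # Master messaging
    bw_rd: int  # RDAC commands


NO_VPN = Rates(bw_vc=15, bw_lm=6, bw_ir=3, bw_rd=55)      # authentication enabled
SECURE_VPN = Rates(bw_vc=23, bw_lm=5, bw_ir=4, bw_rd=64)  # authentication disabled


def device_bandwidth(np1, np2, is_master=False, rates=NO_VPN, lm_peers=None):
    """BWST in kbps for one device.

    lm_peers is a hypothetical parameter of this example: the number of peers
    counted in the link management term. It defaults to NP1 + NP2, exactly as
    the equation is written.
    """
    if min(np1, np2) < 0:
        raise ValueError("peer counts cannot be negative")
    if lm_peers is None:
        lm_peers = np1 + np2
    m = np1 + np2 if is_master else 0
    return (np1 * rates.bw_vc + np2 * rates.bw_vc
            + lm_peers * rates.bw_lm + m * rates.bw_ir + rates.bw_rd)


def site_bandwidth(devices, rates=NO_VPN):
    """Sum the devices that sit behind one router (one WAN connection)."""
    return sum(device_bandwidth(rates=rates, **d) for d in devices)


# Devices of the page's example system. Repeater 2 has the same peer counts
# as Repeater 1 but is not the Master, which gives the table's 160 kbps.
REPEATER_1 = dict(np1=3, np2=2, is_master=True)
REPEATER_2 = dict(np1=3, np2=2)
# Assumption: the table's 85 and 130 kbps rows result when link management
# is counted for all five other devices.
REPEATER_4 = dict(np1=0, np2=0, lm_peers=5)
REPEATER_5 = dict(np1=3, np2=0, lm_peers=5)

if __name__ == "__main__":
    for name, dev in [("Repeater 1", REPEATER_1), ("Repeater 2", REPEATER_2),
                      ("Repeater 4", REPEATER_4), ("Repeater 5", REPEATER_5)]:
        print(name, device_bandwidth(**dev), "kbps /",
              device_bandwidth(rates=SECURE_VPN, **dev), "kbps with Secure VPN")
```

Pass `site_bandwidth` the list of devices that share a router to size that site's WAN link; which devices share a site in the example system depends on the diagram.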

Flow of Voice/Data/Control Messages

The flow of voice/data/control messages from a radio to its repeater for an IP Site Connect configuration is the same as that of single-site configuration of MOTOTRBO system. The major changes in the flow of messages (between single site operations and multiple site operations) are in the processing of a message in the repeaters and the additional delays introduced due to reasons such as serialization, propagation, arbitration, and the nonalignment of slots between repeaters.

On receipt of a start up of a voice/data/control call from a radio over a slot, a repeater sends it over the backend network to all the repeaters that are enabled, are operating in digital mode, and have the corresponding slot configured for multiple site operation. This implies that at any time at most two calls are active in an IP Site Connect system if both slots are configured for multiple site operation.

In an IP Site Connect configuration, calls can start concurrently at more than one repeater, and because messaging delays differ between repeaters, it is possible that different repeaters select different calls for repeating over-the-air. To overcome this problem, on receipt of a start up of a voice/data/control call either over-the-air (from a radio) or over the backend network (from other repeaters), a repeater starts an arbitration window for a duration of twice the Inter-Repeater Messaging Delay. At the end of the arbitration window, the repeater selects one of the calls received during this window using a procedure that ensures that all the repeaters select the same call. After selection, a repeater starts repeating the bursts of the selected call. A disadvantage of the arbitration procedure is that it increases the System Access Time.

The voice/data/control messages are sent burst by burst between repeaters. As in a single-site system, a repeater does no data link layer processing (for example, acknowledgment, decryption). If required, the voice and data messages are encrypted / decrypted by the source and destination radios. A repeater sends the voice or data packet to other repeaters as it receives it over-the-air. Also, in the case of a data message, the destination radio sends the Ack/Nack and, if required, the Selective ARQ takes place between the source and destination radios and not between a radio and its repeater.

A call is a session of one or more transmissions from participating radios. To ensure continuity between transmissions, the single site configuration of MOTOTRBO has Hang Time, during which the channel is reserved for participant(s) of the ongoing call. The IP Site Connect configuration extends the concept of session to include Remote Monitor call, Individual and group data call, and CSBK Call (for example, Call Alert, Radio Check, Inhibit/Uninhibit). The Hang Time ensures that a call continues with minimum interruptions.

The flow of data messages from a radio to an application (for example, Location or Text Messages) in an IP Site Connect system is similar to a single-site configuration of MOTOTRBO. A data packet flows burst-by-burst to a Control Station connected to the Application Server. The Control Station assembles the bursts into a PDU. If the PDU is confirmed then the Control Station handles the data link layer acknowledgment. If the PDU is encrypted then the Control Station decrypts the PDU. The Control Station strips the data link layer headers and forwards the resulting datagram to the Application Server.

All the data applications of the single site configuration of MOTOTRBO are compatible with IP Site Connect configuration. An IP Site Connect configuration supports the revert channels, where a revert channel can be a channel of another IP Site Connect system. The GPS data on a GPS Revert Channel are sent unconfirmed in IP Site Connect mode. This increases the throughput of the GPS data as the data link layer acknowledgment over the back-end network is slower due to delays associated with the back-end network.

Security Considerations

The single site configuration of MOTOTRBO offers three types of privacy mechanisms over-the-air – Basic Privacy, Enhanced Privacy, and AES. IP Site Connect not only supports the three mechanisms, but also extends them over the back-end network. A repeater does not decrypt the encrypted packets. It simply passes the packets as received over-the-air to other repeaters. Since these mechanisms are not compatible, all the radios and repeaters of an IP Site Connect system should support the same privacy mechanism. This should be ensured during configuration. Note that the privacy mechanisms protect only the voice or data payloads. They do not protect the voice or data headers, control messages (CSBK), or system messages (between repeaters).

An IP Site Connect system optionally offers authentication of all the packets sent between IP Site Connect devices. Each packet has a 10-byte cryptographic signature. The signature is created using Keyed-Hash Message Authentication Code (HMAC), which is a National Institute of Standards and Technology (NIST) standard. The hashing is done using the SHA-1 algorithm. The HMAC uses a 20-byte symmetric key and generates a 20-byte signature. To reduce the bandwidth requirement over the back-end network, the 20-byte signature is truncated to 10 bytes before it is attached to the packet. Packet authentication prevents an attacker from gaining access to the IP Site Connect system by impersonating an IP Site Connect device. This feature, if selected by a customer, requires the customer to manually configure the same key in all the IP Site Connect devices. Note that the IP Site Connect system does not support remote rekeying.

The HMAC authentication mechanism does not provide protection against replay attacks. For more secure authentication, an IP Site Connect configuration should use Secure VPN routers to connect with the back-end network. Secure VPN routers can optionally provide confidentiality of all the messages including system messages (between IP Site Connect devices), control messages (CSBK), and voice or data headers. A disadvantage of using Secure VPN routers is that the IP Site Connect system requires more inbound and outbound bandwidth from the ISP. The use of Secure VPN routers makes the authentication mechanism of IP Site Connect redundant, and it is recommended that it be disabled. This saves some bandwidth over the back-end network.
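The signature scheme from the two paragraphs above (HMAC-SHA-1, 20-byte key, output truncated to 10 bytes), as an added example that is not Motorola's code and not the real IPSC packet layout. The payload, the position of the signature at the end of the packet and the 4-byte counter are assumptions, and `CounterReceiver` is a hypothetical contrast showing the kind of sequence check an anti-replay mechanism adds on top of stateless verification.

```python
import hashlib
import hmac
import struct

KEY_LEN = 20   # page: 20-byte symmetric key
TAG_LEN = 10   # page: 20-byte HMAC-SHA-1 output truncated to 10 bytes


def sign(key: bytes, packet: bytes) -> bytes:
    """Return the packet followed by its truncated HMAC-SHA-1 signature."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be 20 bytes")
    return packet + hmac.new(key, packet, hashlib.sha1).digest()[:TAG_LEN]


def verify(key: bytes, signed: bytes):
    """Return the packet if the signature matches, else None (stateless)."""
    if len(signed) < TAG_LEN:
        return None
    packet, tag = signed[:-TAG_LEN], signed[-TAG_LEN:]
    expected = hmac.new(key, packet, hashlib.sha1).digest()[:TAG_LEN]
    return packet if hmac.compare_digest(tag, expected) else None


class CounterReceiver:
    """Hypothetical receiver, not an IPSC feature: needs a rising counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last = -1

    def accept(self, signed: bytes):
        packet = verify(self.key, signed)
        if packet is None or len(packet) < 4:
            return None
        (counter,) = struct.unpack(">I", packet[:4])
        if counter <= self.last:
            return None          # replayed or stale packet
        self.last = counter
        return packet[4:]


def demo():
    key = bytes(range(KEY_LEN))                 # constructed key
    wire = sign(key, struct.pack(">I", 1) + b"constructed burst")
    flipped = bytes([wire[0] ^ 1]) + wire[1:]   # one bit altered in transit
    replays = [verify(key, wire) for _ in range(2)]
    rx = CounterReceiver(key)
    return {
        "tampered_rejected": verify(key, flipped) is None,
        "wrong_key_rejected": verify(bytes(KEY_LEN), wire) is None,
        "replay_passes_hmac": None not in replays,
        "first_accepted": rx.accept(wire) == b"constructed burst",
        "replay_rejected_by_counter": rx.accept(wire) is None,
    }
```

A captured packet verifies every time it is presented because the signature depends only on the key and the packet bytes, which is why the page points to Secure VPN routers for stronger authentication.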

General Considerations When Setting Up the Network Connection for an IP Site Connect System

Network setup and configuration varies significantly depending on the complexity of the equipment and the IP network the system resides on. It is always wise to communicate with the Network Administrator during the design phase and during installation, as they are likely to be the individuals configuring the network equipment and have a great deal of knowledge in this area. Below is a short list of items to keep in mind when setting up or troubleshooting the networks of IP Site Connect systems.

  • When assigning static IP addresses within a network, each address must not conflict with another static IP address. As with any IP conflict, this can cause a disruption to the IP Site Connect traffic. Also, ensure that the static IP address does not fall into the DHCP assignable range. This can cause an IP conflict if the address is dynamically assigned to another device on the network.
  • If other network devices are present on the same IP network as the IP Site Connect devices, it is good practice to set up Quality of Service (QoS) rules in the Internet Router. This ensures that the IP Site Connect packets have priority over other traffic on the system. Not doing this could cause audio performance degradation or lost transmissions when other devices on the system are excessively utilizing the network. There are various methods routers use to provide QoS. It is commonly performed by allocating a specific amount of upstream and downstream bandwidth to a range of UDP ports or IP addresses. The default UDP port for IP Site Connect is 50000.
  • Verify that the customer network equipment is not blocking the IP addresses or UDP ports (default 50000) utilized by the IP Site Connect system. Such blocking is commonly done by a firewall or other security device. Consult the customer’s Network Administrator or Internet Service Provider.
  • Inquire with the Internet Service Provider if there are any caps on bandwidth usage per month. Some ISPs do not allow the customer to exceed a particular upload or download limit per month. Since IP Site Connect systems stream voice over the Internet, it may be possible to surpass this limit on extremely high usage systems. As a reference point, a five site system under nominal load could use around 20 GB per month, whereas a 15 site system under nominal load could use around 65 GB per month. For most ISPs, this will not be an issue.
  • When configuring routers with VPN links, it is wise to increase the IPSec Key Life Time (KLT) Timers to around 13 to 24 hours. It is recommended to set Phase 1 KLT to 24 hours, and Phase 2 KLT to 13 hours. Some low-end routers cause a disruption to ongoing voice and data when renegotiating keys after the Key Life Time Timer expires. This is especially noticeable when multiple VPNs are configured with identical Key Life Time Timers since the router will need to re-calculate numerous keys at the same time. It is best practice to offset the Key Life Time Timers of each VPN by 10 minutes.

See Also

References

  1. 15 is what is officially supported
  2. SLR series repeaters with R2.8.0 (or newer) firmware only!