
Providing highly dependable emergency services through an utmost resilient ESInet

Application note

Contents

The advent of NG9-1-1

ESInet architecture overview

Building an ESInet with the utmost resiliency

Conclusion

[abstract]
xxxx

The advent of NG9-1-1
The first emergency 9-1-1 (abbreviated as 911 hereafter) service went live in 1968 in Haleyville,
Alabama, heralding a dependable way for citizens to dial for emergency rescue services. Society
has since relied on this service to ensure public safety every day. With the adoption of automated
number identification (ANI) and automatic location information (ALI) technologies, as well as the
introduction of wireless communications service and VoIP, the original basic 911 has since
evolved in phases into enhanced 911 (E911), wireless E911 and VoIP E911.

The 21st century saw the rise of the Internet and of new communications technologies, including text,
multimedia messaging, voice over IP and social media, that are fully embraced by the public. At the
same time, innovative digital technologies like UAVs, wearables and CCTV have become so prevalent
that they can be harnessed to widen situational awareness. It has become imperative that
telecommunicators working in a PSAP, also called an emergency communications centre, have the
capability to seamlessly accept new digital information from any networked device and transfer
it to first responders and to another PSAP if necessary.

Accordingly, PSAPs need to upgrade to support next generation call services (NGCS) while
maintaining interoperability with legacy systems. As these new digital systems for call processing
and call dispatch are IP-based, the network that connects PSAPs, NGCS host sites and other
emergency entities (known as the Emergency Services IP network, or ESInet) is naturally an IP network.
However, IP technology was designed to offer non-critical, best-effort services that have no
reliability requirements. Therefore, an IP network is not suited to be an ESInet, which needs to
reliably transport emergency services traffic, particularly during major incidents or severe weather
events when even the network itself may be impacted. This paper discusses how to harness the
resiliency and robustness of MPLS technology to build an IP/MPLS-based ESInet with the utmost
reliability, one that can still deliver NGCS even when multiple network faults occur.

ESInet architecture overview


ESInet is a foundational element of the NENA i3 architecture. In essence, it is a private IP transport
network shared by all public safety agencies responding to an emergency. It connects
telecommunicators working in PSAPs and NGCS systems in PSAPs or host sites with the public
through communications service providers – wireline, wireless, VoIP and ISPs. Figure 1 describes the
scenario where NGCS systems are centrally installed in host sites, serving all PSAPs in the region.

Fig. 1

With ESInet, unlike the legacy 911 systems, PSAPs in different domains [1] are no longer segregated.
With dynamic IP routing, ESInets can be interconnected to establish PSAP-to-PSAP
connectivity. Firewall and routing policies can be deployed at the border to ensure network
security. Together with the use of a common signalling protocol, Session Initiation Protocol (SIP),
PSAPs in different domains can seamlessly communicate with each other without hindrance when
necessary. By interconnecting ESInets, telecommunicators can transfer misrouted 911 calls or
access specific resources to provide a more effective response if needed.

Building an ESInet with the utmost resiliency


Faults are bound to happen in any network. However, when an ESInet experiences network faults and
cannot recover, PSAPs become unreachable and emergency services stop, potentially resulting
in loss of life and property. Therefore, strong ESInet resiliency is of utmost importance to
withstand not only the impact of regular network faults on “sunny” days but also the multiple faults
brought by disaster situations such as severe weather events. The following three capabilities are
key:

- Early network fault detection

- Rapid failover switching (hitless or at the speed of SONET technology)

- Multi-fault resiliency

[1] In the traditional E911 architecture, PSAPs in different domains are connected to different selective routers
(a traditional telephone switch or a softswitch) and are not able to communicate with each other.
Today, IP networks built to carry mission-critical applications (public safety LMR backhaul, high
voltage power grid protection and rail signaling) are very often deployed with MPLS. The rest of this
paper discusses how to attain utmost resiliency by harnessing the following IP/MPLS-based
protection schemes:

1. PSAP access IP/MPLS router redundancy protection

2. ESInet communication path redundancy protection

3. Host site geo-redundancy protection

4. Environmental protection

1. PSAP access router redundancy protection

The IP/MPLS access router (abbreviated as access router hereafter) is the gateway for all
communications by the application clients and telecommunicators. Therefore, full redundancy
protection is paramount (Fig. 2).

Fig. 2

There are two scopes of access router protection:

A. Common equipment protection

The access router needs hot redundancy protection for common equipment including
control card, switching fabric, power and fan. When the router switches to the backup
component, emergency services communications should not be interrupted.

While the new generation of routers can accomplish hitless protection switching for fabric,
power and fan, IP routing and MPLS signaling protocols (generally known as control
protocols) are reset. This brings down IP/MPLS VPN services, disrupting emergency services.
The PSAP is no longer reachable until the network fully re-converges [2], which could take as
long as several minutes.

An attempt to alleviate the impact was made with the graceful restart (GR) protocol extension
to control protocols. When there is a control card switchover, the access router’s
neighbours do not report it to other neighbours but wait a certain amount of time (called the
grace period) for the router to come back. However, if the access router fails completely instead of
performing a simple switchover, the grace period only further slows down network re-convergence.
Furthermore, if there is a network change or failure (e.g. a link is down) somewhere else in
the ESInet, the graceful restart process on that access router will terminate immediately
and start the re-convergence process, further lengthening the re-convergence time and
impacting emergency services. Therefore, graceful restart technology cannot attain multi-fault
resiliency.

The advent of non-stop routing and signaling technology on the router control card ushers in
the concept of hitless switchover and truly eliminates any impact on emergency services,
even during a multi-fault scenario. Non-stop routing and signaling always keeps the active
and standby control cards synchronized in protocol state. When a switchover occurs, the
standby card can immediately take over the control sessions without the neighbours even
noticing. Therefore, there is no impact on emergency communications. A network change or
fault somewhere else will also not affect the communications, attaining the goal of multi-fault
resiliency.

B. Nodal redundancy protection

Despite the protection discussed in point A above, there is still a scenario in which the
router could fail completely due to some major site incident. To eliminate this single point
of failure, access routers can be deployed in pairs, running virtual router redundancy protocol
(VRRP), to attain nodal redundancy protection [3]. When the standby router detects failure of
the active router, it takes over communications with the application clients and
telecommunicators without disruption. Running the lightweight bi-directional fault detection
(BFD) protocol can enable detection in the order of tens of milliseconds.

When the switchover occurs in the PSAP, other access routers, e.g. those in the host site,
need to wait for routing re-convergence before they send traffic to the backup access
router in the PSAP. This still brings down emergency communications. With the advent of
MPLS fast re-route technology merged with BGP-4, other access routers no longer need to
wait for re-convergence. By combining BFD and BGP-4 fast re-route, once the
host site routers detect the PSAP router switchover, they immediately switch traffic
to the pre-learned backup access router without waiting for routing re-convergence.
Moreover, the path from the host site to the PSAP backup access router can be traffic
engineered to run along transmission facilities diverse from those on the path to the active
access router, to boost resiliency.

[2] Re-convergence is when all routers in the network are notified of the latest changes.

[3] VRRP can actually support more than one standby router if required.

2. ESInet communications path redundancy protection

As explained in the beginning of this paper, ESInet connects PSAPs, NGCS host sites and other
emergency entities. It provides any-to-any communication paths with MPLS tunnels (technically
known as label switched path, or LSP). To provide highly reliable transport of emergency services
traffic, it is important that LSPs have end-to-end redundancy protection along the path (Fig. 3):

Fig. 3

A. Access diversity

To ensure PSAP reachability, it is critical to equip the access router with dual-homed network
access using different transmission facilities along diverse paths in the self-built network, or
even to adopt a hybrid approach using a third-party carrier for the backup circuit (Fig. 4).

Fig. 4

B. Fast re-route tunnel protection

Fast re-route (FRR) is an ultra-high-availability enabler for IP/MPLS, protecting traffic traveling
inside the LSP from being discarded should any failure (nodal or link) occur along the path.
Operating at the same speed as SONET 1+1 protection switching, it restores the traffic locally, right at
the point of failure, by switching the traffic onto a preset fast re-route tunnel (also known as a
bypass tunnel). FRR is highly scalable and easy to deploy, as bypass tunnels are set up
automatically by IP/MPLS routers without operator intervention.

C. Primary/secondary LSP pair

Each LSP tunnel can be protected by a pre-established secondary LSP tunnel. It is a
complementary protection mechanism to FRR. While FRR restores traffic flow at SONET speed
as a temporary measure to ensure no disruption to emergency services, the secondary LSP with a
diverse route serves as a protecting LSP with a traffic engineered path for network optimization
and quality of service. When the access router learns that the primary LSP has invoked FRR, it
switches traffic to the secondary LSP in a hitless manner, bringing no disruption to emergency
services.

D. Dynamic backup LSP

As severe weather events become more frequent and intense, multi-fault resiliency has
become pivotal. LSPs need utmost resiliency to endure the impact of such events in order to
continue to deliver emergency services at the time they are needed most. Capitalizing on the power
of IP routing and intelligent path calculation, when links on the primary and secondary LSPs fail,
IP/MPLS can still re-route affected LSPs around the failures if physical reachability exists. As
illustrated in Fig. 5, a severe storm affects multiple links (the grey circle), bringing down both the
primary and the secondary LSP. Since there is rich path diversity in the core network, the access
router can establish a dynamically re-routed LSP around the failures so that the PSAP can
continue to provide emergency services.

Fig. 5 A multi-fault resilient ESInet
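
The LSP selection described in points C and D, as an added example that is not part of the original application note or of any router implementation: it picks the primary, the link-diverse secondary, or a dynamically re-routed LSP depending on which links have failed. The topology and node names are constructed, a fewest-hop breadth-first search stands in for the router's traffic-engineered path calculation, and FRR local repair is not modelled.

```python
from collections import deque

# Constructed topology with hypothetical node names: PSAP access router "psap",
# host-site router "host", core routers c1..c6. Links are undirected.
LINKS = [
    ("psap", "c1"), ("psap", "c2"), ("c1", "c3"), ("c2", "c4"),
    ("c3", "host"), ("c4", "host"),
    ("c1", "c5"), ("c2", "c5"), ("c5", "c6"), ("c6", "host"),
]

def link(a, b):  # canonical key for an undirected link
    return frozenset((a, b))

def shortest_path(links, src, dst, excluded=frozenset()):
    """Fewest-hop path (BFS) avoiding every link in `excluded`; None if unreachable."""
    adj = {}
    for a, b in links:
        if link(a, b) not in excluded:
            adj.setdefault(a, []).append(b)
            adj.setdefault(b, []).append(a)
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = [dst]
            while prev[path[-1]] is not None:
                path.append(prev[path[-1]])
            return path[::-1]
        for nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def path_links(path):
    path = path or []
    return {link(a, b) for a, b in zip(path, path[1:])}

def select_lsp(links, src, dst, failed):
    """Return (role, path) of the LSP that carries traffic once `failed` links are down."""
    failed = {link(a, b) for a, b in failed}
    primary = shortest_path(links, src, dst)
    # The secondary is pre-established on a link-diverse route from the primary.
    secondary = shortest_path(links, src, dst, excluded=path_links(primary))
    for role, path in (("primary", primary), ("secondary", secondary)):
        if path and not (path_links(path) & failed):
            return role, path
    # Both pre-established LSPs are hit: recompute around every failed link.
    dynamic = shortest_path(links, src, dst, excluded=failed)
    return ("dynamic", dynamic) if dynamic else ("unreachable", None)
```

Calling `select_lsp(LINKS, "psap", "host", [("c1", "c3"), ("c4", "host")])` models the storm case of Fig. 5, where one link on each pre-established LSP is down and traffic moves to a re-routed path through c5 and c6.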

3. Host site geo-redundancy protection

The host site is the nexus of NG911, where all NGCS applications reside. It is crucial that there are
multiple host sites in a geo-diverse arrangement. Each host site would have its own NGCS
applications and other associated equipment. With IP/MPLS VPNs, ESInet can seamlessly connect all
PSAPs to the multiple host sites so that emergency services can continue despite a host site
failure.

4. Protection from adverse operating conditions

It is important that the IP/MPLS router can withstand an adverse operating environment without being
damaged. While PSAPs operate in a climate-controlled environment, during extreme weather
events there can be overvoltages and overcurrents in the PSAP power systems and even power
outages, affecting the climate control system and bringing down the voltage level in the backup power
distribution system. Consequently, it is important that the IP/MPLS router can continue to operate
at extremely hot or cold temperatures, as well as withstand the impact of voltage surges or low
voltage conditions without damage to its electronics. Even if the affected PSAP needs to cease
operation for the safety of PSAP staff, the router can still function to monitor the PSAP conditions so
that the 911 authorities can quickly restore emergency services once the weather events are over.

Conclusion
911 is a lifeline to citizens in need of emergency assistance. With the rise of the security threat level
and the more frequent occurrence of extreme weather events, dependable 911 services have become
more critical than ever. Migration to NG911 improves emergency response and heightens citizen
safety, which is one of the key components of the smart city vision. Dependable NG911 mandates
ESInets with utmost resiliency. If ESInets stop carrying data, emergency services stop assisting
citizens. Harnessing the full redundancy protection capabilities of IP/MPLS, ESInet can attain the
necessary network resiliency to carry emergency communications, even during extreme weather
events when emergency services are needed most.

To learn more about Nokia solutions for public safety, visit our Public Safety web page.

Acronyms
DA distribution automation

DMS distribution management system

FAN field area network

FDIR fault, detection and isolation

FLISR fault location, isolation, and service restoration

IED intelligent electronic device

IP Internet Protocol

LTE long term evolution

MPLS multiprotocol label switching

RTU remote terminal unit

SCADA Supervisory control and data acquisition

SDH Synchronous Digital Hierarchy

SONET Synchronous Optical Network

TDM Time Division Multiplexing

VVO volt/VAR optimization
