Professional Documents
Culture Documents
5 - SOW-Internet-WAN-2015 PDF
5 - SOW-Internet-WAN-2015 PDF
STATEMENT OF WORK
Page 1 of 15
IAEA Specification
WAN and Internet Services
Dated 17 April 2015
1. Scope
This Statement of Work describes the technical requirements for provision of managed
Wide Area Network (WAN) and Internet services for the International Atomic Energy
Agency (IAEA) offices at:
• Vienna, Austria
• Seibersdorf, Austria
• Monaco, Monaco
• Tokyo, Japan
• Toronto, Canada
• Rokkasho, Japan
The IAEA is seeking a three (3) year contract beginning 1st November 2015. The initial
three (3) year contract should include the option for an extension by an additional two
(2) years for maximum contract duration of five (5) years.
The required network topology for Head Offices and Branch offices is:
Page 2 of 15
IAEA Specification
WAN and Internet Services
Dated 17 April 2015
Page 3 of 15
IAEA Specification
WAN and Internet Services
Dated 17 April 2015
3. Current environment
A description of the current WAN and Internet services environment is provided for
context.
The IAEA currently have multiple contracts to provide managed services for WAN and
Internet services. These contracts expire on 31 October 2015.
The current WAN and Internet services provide LAN-to-LAN communication based on:
• MPLS with IPSec encryption to connect IAEA branch offices Monaco, Tokyo,
Toronto, and Rokkasho to the IAEA headquarters in Vienna.
• Layer 2 Ethernet with Cisco MACSEC encryption to connect IAEA branch office
Seibersdorf to the IAEA headquarters in Vienna.
• Internet backup lines to connect IAEA branch offices to the IAEA headquarters in
Vienna with a site to site VPN between IAEA managed firewalls.
• Two internet lines from different ISP’s are used to connect the IAEA headquarters
in Vienna to the Internet.
Page 4 of 15
IAEA Specification
WAN and Internet Services
Dated 17 April 2015
4. Requirements
4.1 Internet backup lines and Agency Internet access
The Contractor shall supply internet bandwidth and internet line
characteristics as described:
4.1.1 Head Office (MTIT): 2 x internet lines (Line ID: A and B) for the Vienna office,
the lines are to be provided by dual ISP’s. These internet lines are to be used
for Internet access for all IAEA staff and for termination of VPN tunnels
between head office and MTIT branch offices. Lines to be terminated in C
Building Level -1.
4.1.2 Head Office (SGIS): 1 x internet line (Line ID: C) for Vienna office. This
internet line is to be used for termination of VPN tunnels between head office
and SGIS branch offices. Lines to be terminated in A Building Level 10 Room
A1004.
4.1.3 Branch office Seibersdorf (Line: D), this is a special case as the Seibersdorf
site is the Agency’s largest branch office (over 300 staff) servicing both
Safeguards and non-Safeguards staff, so there will be a single backup
Internet line to Seibersdorf which will be shared by MTIT and SGIS.
4.1.4 Branch Offices: 1 x internet line per branch office (Line ID: E, F, G, and H).
These lines are to be used for termination of backup VPN tunnels to the head
office in Vienna and breakout of internet for local Guest wireless. It is possible
in future that these lines would also be used for local breakout to “cloud”
services and the Agency’s ERP program (AIPS) based in Geneva.
4.1.5 Line speeds are to be symmetric (i.e. equal upload and download speeds),
line speeds required at start of contract and projected in 5 years are:
4.1.6 All internet lines are to have sufficient fixed IP addresses which can be used
by Agency equipment to terminate site to site VPN tunnels and allow for at
least two VPN gateways on the Seibersdorf backup line (line ID: D) shared by
Page 5 of 15
IAEA Specification
WAN and Internet Services
Dated 17 April 2015
MTIT and SGIS (net mask /29). The backup lines for the other branch offices
(Line ID: E,F,G,H) has to allow for at least one customer VPN gateway (net
mask /30).
4.1.7 To allow for the end-to-end encryption the customer (MTIT/SGIS) may deploy
the encryption devices on the line. To allow for proper IPSEc channel setup
the IP addresses assigned to the customers (MTIT/SGIS) must be public,
static and routable (no NAT’ing of the customer device internet facing IP
address).
4.2.1 Internet lines (Line ID: A and B) will be required to route the IAEA address
range 161.5.0.0/16 associated with AS (Autonomous System) number 12311
which currently have a peering with routers from A1 Telekom and Level 3
Communications. (http://bgp.he.net/AS12311)
4.2.2 The two internet lines (Line ID: A and B) will be required to provide
redundancy and load sharing of both incoming and outgoing traffic between
the two ISP access circuits via the use of Border Gateway Protocol (eBGP)
between the ISP routers. To achieve redundancy to the IAEA network the
Contractor’s routers will be required to peer with IAEA routers via Hot Standby
Routing Protocol (HSRP) or Global Load Balancing Protocol (GLBP) or similar
over the existing IAEA network.
4.3.2 This internet line (Line ID: Z) is used to back up the two internet lines in
Vienna (Line ID: A and B). In case of an incident in Vienna, the Agency’s
Page 6 of 15
IAEA Specification
WAN and Internet Services
Dated 17 April 2015
internet address space must be moved from (Line ID: A, B) to the line in
Seibersdorf (Line ID: Z). This movement (fail-over) requires the following:
4.3.2.1 In the event of a disaster the Agency’s Internet class B address space (Line
ID: A, B) will be pointed to the Seibersdorf internet line (Line ID: Z) with
exactly the same IP addresses as defined in Vienna. Note: The disaster
recovery environment at Seibersdorf is configured with the same IP
addresses as those in Vienna, hence relies on the Agency’s Internet IP
addresses (from Vienna) being routable to Seibersdorf.
4.3.2.2 Upon the request from the IAEA the Contractor will have to manually activate
BGP fail-over. The Contractor shall pre-configure their devices in Seibersdorf
so that it is capable of accepting the Agency’s address space within 2 hours of
request for failover.
4.3.2.3 The provider must provide a complete turnkey installation for the proposed
Internet failover solution including documentation, customization, knowledge
transfer and training and acceptance testing. Also the provider will verify
performance and data integrity by utilizing testing scenarios agreed upon with
the Agency staff to prove operability and acceptance of the installation.
4.3.2.5 Fail-over and fall back testing: The Contractor shall work with the Agency to
create documentation and test plan for the IP address space fail-over as well
as for the fall back plan. Testing will be conducted on an annual basis. i.e.
once per year.
Page 7 of 15
IAEA Specification
WAN and Internet Services
Dated 17 April 2015
any given sites (e.g. Tokyo shall need to communicate directly to Rokkasho,
Vienna, Seibersdorf and Toronto).
Page 8 of 15
IAEA Specification
WAN and Internet Services
Dated 17 April 2015
SGIS)
(Toronto – Vienna SGIS) O to J 150
Table C: Maximum latency
4.7 Encryption
The Contractor shall confirm their solution supports use of encryption as
described:
4.7.1 For data confidentiality all communication across the WAN and Internet IAEA
applications require IP based secured transmission. This is achieved via
(Layer 3) VPN with IPSec or (Layer 2) Cisco MACSEC and is currently done
by the network hardware which is property of the IAEA (back-to-back to the
provider’s hardware).
4.8.1 For time sensitive communication across the WAN and Internet IAEA
applications require QoS. This is achieved via Cisco DSCP QoS settings on
network hardware which is property of the IAEA (back-to-back to the
provider’s hardware). It is required that the Contractor’s solution honours the
IAEA’s QOS settings throughout the Contractor’s network, thus ensuring End-
to-End QOS
4.9 SLA
The Contractor shall supply WAN and Internet lines with SLA as described:
Availability 99.90 %,
Packet loss < 0.05 %
Availability 99.5 %
Packet loss < 0.05 %
Page 9 of 15
IAEA Specification
WAN and Internet Services
Dated 17 April 2015
4.11 Reporting
The Contractor shall provide reporting as described:
4.11.1 Monthly report on WAN and Internet statistics e.g. utilisation, latency, errors,
uptime, etc. This report is to be provided monthly by the 10th business day of
the month. This report may also be provided via self-service whereby the
IAEA can access a web based portal
4.11.2 Monthly report on WAN and Internet incidents i.e. an incident report (if any)
with a description of the incident, total downtime, whether SLA was violated or
not, reasons for the incident and corrective actions to prevent from re-
occurring.
4.13.1 The Contractor shall provide an on-site engineer to “install” and “commission”
the Contractor’s termination equipment at all sites. The engineer will be
required to perform all tasks such as cabling, rack mount, labelling and any
other activities required to commission the Contractor’s service. To assist the
Page 10 of 15
IAEA Specification
WAN and Internet Services
Dated 17 April 2015
IAEA will provide escorted site access to the technical rooms and provide rack
space for installation of the Contractor’s equipment.
4.13.2 The existing MPLS WAN links make use of RFC1918 private IP addresses at
the provider edge. To allow for a smooth migration the existing addressing
schema should to be reflected in the new topology (to avoid need for
customer VPN/routing/monitoring reconfiguration).
4.13.3 All services shall be labelled clearly identifying the service numbers and
owner of each type of equipment supplied.
4.13.4 During the “migration” to a new / upgraded transmission service the
Contractor’s engineers will provide free-of-charge support to the IAEA to get
the service running.
4.13.5 All services supplied shall be “tested” and include documents containing a
network diagram, part descriptions, part numbers, and serial numbers, as well
as test results for the service proving the minimum performance requirements
for bandwidth and latency are met.
4.13.6 After “installation” and “migration” the service shall be tested by the Contractor
together with the IAEA to demonstrate that the performance and capacity
meet the minimum requirements specified herein as determined by the IAEA.
4.13.7 The results of the “testing” of the Service shall be documented by the
Contractor in an “acceptance” protocol that shall be signed by the IAEA.
4.13.8 The Contractor will be required to install and support their equipment and
services at sites:
• Vienna, Austria
• Seibersdorf, Austria
• Monaco, Monaco
• Tokyo, Japan
• Toronto, Canada
• Rokkasho, Japan
Page 11 of 15
IAEA Specification
WAN and Internet Services
Dated 17 April 2015
4.15.1 The Contractor shall notify IAEA of an estimated service commissioning date
for new and upgraded services 4 weeks beforehand within a deviation of +/- 1
week. Delivery of ordered services shall not exceed 8 weeks, unless
otherwise agreed with the Contractor and IAEA
4.16.1 The Contractor shall notify IAEA of service maintenance time and date a
minimum of 2 weeks prior to the maintenance being conducted. This is
required to allow the IAEA to observe change management practices and
advise the IAEA business of any impacts. Note: the type of systems impacted
by any particular service maintenance work and the time needed to complete
maintenance determines whether the work can be carried out during normal
business hours, beyond normal business hours, or takes place on Saturday,
Sunday or public holidays. Also note that the current normal maintenance
windows are scheduled every second Thursday from 19:30-22:00 and
Saturdays from 08:00-20:00, however times outside these windows may also
be requested.
All communication between the IAEA and the account management team
shall be in English language.
4.18.1 The Contractor shall schedule an account status meetings at the IAEA Vienna
office (unless agreed otherwise i.e. via telephone conference) at a minimum
interval of 6 months (i.e. Last Tuesday of every sixth month).
Page 12 of 15
IAEA Specification
WAN and Internet Services
Dated 17 April 2015
4.19.1 All goods supplied (e.g. termination equipment) shall comply with local safety
regulations for usage and fit for purpose,
4.19.2 All goods supplied shall comply with local power standards and cabling where
applicable
4.20.1.1 At the start of contract a “transition-in” plan and migration plan from existing
carrier to new carrier
4.20.1.4 Contacts:
o List of names and numbers of all key personal and 24 x 7 service desk
o Incident escalation matrix and instructions in case of incident
Page 13 of 15
IAEA Specification
WAN and Internet Services
Dated 17 April 2015
4.21 Transition-out
The Contractor recognizes that the services under this contract are vital to the
IAEA and must be continued without interruption and that, upon contract
expiration or cessation of the Contractor’s services for any other reason, a
successor may continue them. The Contractor agrees to effect an orderly and
efficient transition to the successor(s).
The Contractor shall, upon the IAEA’s written notice, (a) furnish phase-in,
phase-out services for up to 90 days after this contract expires and (b) agree
on a plan with the successor(s) and the IAEA Project Manager to determine
the nature and extent of the phase-in, phase-out services required and the
personnel essential to the performance of these services. The Contractor
shall maintain essential personnel during the phase-in, phase-out period to
ensure that the services called for by this contract are maintained at the
required level of proficiency.
The Contractor shall be reimbursed for all reasonable costs incurred within
the agreed period in accordance with the existing contract rates.
Page 14 of 15
IAEA Specification
WAN and Internet Services
Dated 17 April 2015
Site addresses where WAN and Internet lines will need to be terminated by the Contractor:
City Country Office Type Street Address Computer Terminate
Room Line ID’s
Vienna MTIT Austria Head Office Wagramer Straße 5, 1220 C Building I,A,B
Level Minus 1
Vienna SGIS Austria Head Office Wagramer Straße 5, 1220 C Building J
Level Minus 1
Vienna SGIS Austria Head Office Wagramer Straße 5, 1220 A Building C
Level 10
Room A1004
Seibersdorf Austria Branch Office A-2444 Room LE04 K,Z,D
SGIS/MTIT
Monaco MTIT Monaco Branch Office 4, Quai Antoine 1er Room 363 E,L
B.P. 800, MC 98012 Monaco
Cedex
Tokyo SGIS Japan IAEA Seibunkan Building Level 10, F,M
Regional 5-9 Iidabashi 1 Chome Server room
Office Japan Chiyoda-Ku, Tokyo 102-0072
Japan
Toronto SGIS Canada IAEA Suite 1702/Box 20 Level 17 H,O
Regional 365 Bloor Street East
Office Canada Toronto, ONT M4W3L4 Canada
Page 15 of 15