IT services: consulting, software development, Internet and support | Tenderlake

Contract Value: EUR 2M - 2M
Notice Type: Contract Notice
Published Date: 16 October 2023
Closing Date: 13 November 2023
Location(s): DE7 HESSEN (DE Germany/DEUTSCHLAND)
Description: Procurement of an Internet uplink including provision of a DDoS mitigation solution

The aim of the present procurement measure is to procure an Internet uplink with a physical bandwidth of 20 Gbit/s under an estimated average load of at least 2,500 Mbit/s in order to maintain the redundant connection to the Internet for the state of Hesse.

In addition, a service of the provider for mechanisms of attack detection and defense, in particular for the defense against "distributed denial-of-service" attacks (protection of both the IPv4 and IPv6 data streams against distributed denial-of-service attacks as well as DDoS protection at the application level; hereinafter: "DDoS") is to be used. The use of this service is permanent and depends on the costs of the data stream to be protected as well as the number of network segments and domains/IP addresses to be protected. With regard to the IP subnets to be protected for L3/L4 protection, it is expected that IPv4 will require at least one /18 network and IPv6 will require at least one /32 network (two /32 networks in the future). For L7 protection, ten subdomains/IP addresses or applications are expected.

Furthermore, the provider should provide processes for connecting second-level domains in different top-level domains. It can be assumed that there will be around 400 domains to be permanently connected. In addition, administrative tasks for the performance of legal positions at RIPE (Réseaux IP Européens), such as the management of the client's AS number and the legacy management of the IPv4 network, have to be undertaken.

In addition, the possibility of providing general hosting services, such as the provision of streaming services from the state of Hesse or the use of services for monitoring the accessibility of offers in the HZD infrastructures, is expected. The use of certain hosting services can be limited or indefinite. The call-off of this service is demand-dependent and cannot be predicted in terms of timing and scope. Furthermore, the provider is expected to provide consulting and support services, e.g. with regard to complex issues in connection with the BGP protocol or the provision of IPv6 or the DDoS mitigation solution, which are directly related to the services described above.

The aim of the tender is to conclude a framework agreement for the provision of an Internet uplink, in which the contractor provides an Internet connection for the state of Hesse at a fixed monthly price with a defined consumption volume, as well as for the use of a DDoS mitigation solution from the provider.

Internet-Uplink

Internet uplink of 2x 10 Gbps physical bandwidth.

The physical bandwidth of 20 Gbit/s must be fully available to the customer in order to be able to transport load peaks (e.g. in the case of failover) without any loss of quality. An average utilization during peak working hours of approx. 2,500-4,000 Mbit/s with an upward trend can be assumed.

The connection between the contractor's line termination and the HZD's connection router is made via fiber optic cable (2x 10 Gbit/s single mode).

If the contractor has to bring its own connection technology into the HZD data center for the provision of the Internet uplink, the following general conditions apply:

• 19"-capable devices for installation in appropriate racks (without intermediate shelves); if necessary, suitable installation rails must be supplied

• All active devices must have redundant power supplies

• All devices are operated in a cold aisle housing

• Provision of 2x10 Gbps ports

• Fiber optic single-mode interfaces for attaching the patch cables to the HZD connection router

• The house handover point is determined by the HZD

The rack space is allocated by the HZD; access to the rack is not provided exclusively for the provider.

The Contractor shall provide a transfer network (IPv4/IPv6) for the connection of the HZD's connection routers.

• If necessary, it must be possible to relocate the Internet uplink from the Internet transition in the Wiesbaden data center to the Internet transition in the Mainz data center with as little interruption as possible.

• The routing must be free of overlap with that of Provider 2, ideally up to a central exchange node, such as the DeCIX in Frankfurt. The current transfer point of the line of Provider 2 is in Mainz.

• If the contractor uses a subcontractor to provide the connecting line (last mile), this subcontractor must be appointed. The requirement of freedom from overlapping in the routing with that of Provider 2 also applies to the subcontractor.

• The Contractor warrants that it will provide the bandwidth offered and promised for the permanent use of Internet services. Due to the client's usage profile, the full bandwidth offered and promised must be available at least on weekdays (Monday - Saturday) between 6:00 a.m. and 8:00 p.m.

It is expected that the contractor maintains a direct connection to one of the central exchange nodes such as DeCIX, KleyReX or similar.

• Both IPv4 and IPv6 traffic must be transported. The Contractor warrants that, in addition to IPv4 traffic, it can also transport IPv6 traffic (dual-stack) in the same quality and functionality.

• The contractor must announce the existing AS 29515 to the Internet (for both IPv4 and IPv6) and perform administrative tasks to manage the AS numbers.

• The contractor must perform tasks related to the performance of legal positions at RIPE.

• The contractor must connect second-level domains to different top-level domains.

• It is expected that the contractor will offer to provide a secondary DNS service for the second-level domains connected by HZD.

• With regard to the connection of second-level domains in different top-level domains, it can be assumed that there are around 400 domains to be permanently connected.

The contractor must perform administrative tasks for the management of the legacy IPv4 addresses.

• Internet uplink is to be provided 24/7.

• Availability of >= 99% per year is expected.

• The migration from the current to the new provider must be carried out with downtime <= 4 hours under the leadership of the contractor.

• The Contractor must participate in tests to verify the correct functionality of the Internet uplink, including failover tests, without any special remuneration.

If necessary, the provision of general hosting services, such as the hosting of streaming offers from the state of Hesse or the use of services for monitoring the accessibility of offers in the HZD infrastructures, is necessary. The use of certain hosting services can be limited or indefinite. The call-off of this service is demand-dependent and cannot be predicted in terms of timing and scope.

• The service is to be provided around the clock (7/24) and for the entire duration of the contract.

Detailed documentation of the topology between the HZD's handover points and the provider's point-of-presence (POP) must be provided at the physical and logical level. The configured settings regarding the convergence time for switching or using redundancies in the transport network between the provider and the transfer point to the HZD should also be listed.

If necessary, HZD can call on consulting and operational support services from the contractor. These are:

Consulting and support services, e.g. with regard to complex issues in connection with the BGP protocol or migration scenarios to IPv6, which are directly related to the Internet uplink services described above.

DDoS-Mitigation

The DDoS mitigation solution must provide layer 3, 4, and 7 intrusion detection to ensure overall protection against DDoS attacks at the network, protocol, and application layers.

Malicious traffic must be fended off before it arrives in the client's network area by checking incoming requests and filtering out the malicious traffic, while valid requests continue to reach the HZD infrastructure.

• Anomaly detection must not be based on the client's connection port or web offering, but must already have an effect on the contractor's infrastructure or upstream ports, so that broadband attacks do not penetrate the client's infrastructure.

• If the contractor uses a subcontractor to provide the DDoS mitigation solution, the subcontractor shall be appointed. The contractor - as well as a subcontractor, if applicable - is subject to the German data protection regulations.

• After an attack that has been filtered via such a measure, the filtering mechanism or redirection must remain active for at least 24 hours in order to be able to defend against subsequent attacks.

If necessary, HZD can call on consulting and operational support services from the contractor. These are:

Consulting and support services, e.g. with regard to complex issues in connection with DDoS mitigation.

The Buyer: Land Hessen, vertreten durch die Hessische Zentrale für Datenverarbeitung
CPV Code(s): 72000000 - IT services: consulting, software development, Internet and support