Question for service providers regarding tenant use of public IPv4 on your infrastructure
(accidentally sent this to nanog-request earlier, sorry if there is a double post)

We are an enterprise and we do not yet have a sophisticated service-provider model for billing, capacity-management, or infrastructure consumption. We have a few vBlocks that we consume internally for IT/business needs. Recently, the decision was made to start offering our infrastructure to partner businesses to deploy their apps on, which will then be made available to their customers.

The ingress/egress, the virtualization and even the orchestration part are essentially covered. We've tackled the security part as well. However, we have some tenants that want to egress to the internet locally rather than backhaul the traffic to their premise. Naturally, we could ask each tenant to provide their own internet for this, but the business wants to explore a dedicated, customer-only internet and chargeback/showback.

My question is: how are cloud providers handling the use of their IP space when they don't have full control over what their tenants are doing? More specifically, if you own a large block of IPs, how do you prevent business impact (or other tenant impact) if one tenant does something that causes an upstream ISP to blacklist/block? We don't want to put more controls in path between the tenant and the internet, we just want to know how to manage upstream relations.

I've heard that some ISPs don't block a specific IP when they see malicious behavior; they do a WHOIS and block the whole range. That would, of course, impact multiple tenants. I'm guessing Amazon and other similar providers have some arrangements with peering ISPs and law-enforcement to ensure that there is consultation before action is taken?

Or do ISPs put some level of security between their tenants and the internet to prevent this? I've been told that the majority do not have any intelligent filtering beyond bogon-lists. I'd imagine that would cause huge operational overhead and frustrate the tenants.
If you've tackled this issue as part of your business, I'd appreciate any feedback. Thanks in advance.

CWB
On Apr 28, 2014, at 3:18 PM, Cliff Bowles <Cliff.Bowles@apollo.edu> wrote:
> Or do ISPs put some level of security between their tenants and the internet to prevent this? I've been told that the majority do not have any intelligent filtering beyond bogon-lists.

Flow telemetry export/collection/analysis for detection/classification/traceback (there are several open-source tools), S/RTBH or flowspec to squelch outbound badness. Plus all the usual BCPs:

<https://app.box.com/s/4h2l6f4m8is6jnwk28cg>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

Luck is the residue of opportunity and design.

-- John Milton
On 4/28/2014 4:18 PM, Cliff Bowles wrote:

> (accidentally sent this to nanog-request earlier, sorry if there is a double post)
>
> We are an enterprise and we do not yet have a sophisticated service-provider model for billing, capacity-management, or infrastructure consumption. We have a few vBlocks that we consume internally for IT/business needs. Recently, the decision was made to start offering our infrastructure to partner businesses to deploy their apps on, which will then be made available to their customers.
>
> The ingress/egress, the virtualization and even the orchestration part are essentially covered. We've tackled the security part as well. However, we have some tenants that want to egress to the internet locally rather than backhaul the traffic to their premise. Naturally, we could ask each tenant to provide their own internet for this, but the business wants to explore a dedicated, customer-only internet and chargeback/showback.
>
> My question is: how are cloud providers handling the use of their IP space when they don't have full control over what their tenants are doing? More specifically, if you own a large block of IPs, how do you prevent business impact (or other tenant impact) if one tenant does something that causes an upstream ISP to blacklist/block? We don't want to put more controls in path between the tenant and the internet, we just want to know how to manage upstream relations.

If you're allocating individual customers their own subnets, make sure you report these allocations to ARIN (via SWIP). This will make the whois results more accurate, so you'll hopefully just end up with the individual customer getting blacklisted, rather than your entire range. Make sure you actually respond to abuse complaints in a timely fashion. If you're actually responsive to abuse complaints, it's a lot less likely you'll end up with all of your subnets blacklisted.

> I'm guessing Amazon and other similar providers have some arrangements with peering ISPs and law-enforcement to ensure that there is consultation before action is taken?

I doubt it. Most of Amazon's EC2 IP ranges are on various blacklists. There's really no feasible way for them to keep all their IPs off blacklists, so I suspect they've just given up trying.

> Or do ISPs put some level of security between their tenants and the internet to prevent this? I've been told that the majority do not have any intelligent filtering beyond bogon-lists. I'd imagine that would cause huge operational overhead and frustrate the tenants.

You should try to block whatever abuse you can, especially if you're going to be offering 'cloud' servers to the public. Get some routine security scans going (start off with the basics, look for open resolvers, vulnerable NTP servers, open chargen servers, SNMP servers with default communities) and alert your customers whenever you detect something.

It should go without saying, but make sure your users cannot spoof IP addresses.
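The two replies above point at the same operational loop: per-tenant subnets recorded via SWIP, flow telemetry to spot outbound badness, and S/RTBH to squelch it while the tenant is notified. The following is an added example, not code from the thread or from any of its posters; it runs detection logic over constructed nfdump-style flow records against a hypothetical tenant allocation table (tenant names, prefixes and thresholds are all assumptions) and maps each hit to the tenant to notify and the /32 you would hand to S/RTBH.

```python
import ipaddress
from collections import defaultdict

# Constructed allocation table (the kind of per-customer assignment you would SWIP to ARIN).
# Tenant names are hypothetical; 203.0.113.0/24 and 198.51.100.0/24 are documentation space.
TENANT_PREFIXES = {
    "tenant-a": ipaddress.ip_network("203.0.113.0/26"),
    "tenant-b": ipaddress.ip_network("203.0.113.64/26"),
}

# Source ports of the services the thread says to scan for: DNS, NTP, chargen, SNMP.
REFLECTION_PORTS = {53, 123, 19, 161}

# Constructed outbound flow records in an nfdump-like CSV layout: proto,src,sport,dst,dport,packets
SAMPLE_FLOWS = """\
UDP,203.0.113.7,53,198.51.100.10,40111,120000
UDP,203.0.113.7,53,198.51.100.11,40112,118000
UDP,203.0.113.7,53,198.51.100.12,40113,117500
TCP,203.0.113.70,443,198.51.100.20,51000,900
TCP,203.0.113.70,443,198.51.100.21,51001,850
"""

def tenant_for(ip):
    """Map a source address to the tenant whose prefix contains it (None if unallocated)."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in TENANT_PREFIXES.items() if addr in net), None)

def flag_outbound_abuse(flow_csv, min_packets=100000, min_dsts=3):
    """Aggregate flows per (src, proto, sport) and flag sources that push a large packet
    volume from a reflection-prone UDP port to many distinct destinations (thresholds assumed)."""
    agg = defaultdict(lambda: {"packets": 0, "dsts": set()})
    for line in flow_csv.strip().splitlines():
        proto, src, sport, dst, _dport, packets = line.split(",")
        key = (src, proto, int(sport))
        agg[key]["packets"] += int(packets)
        agg[key]["dsts"].add(dst)
    hits = []
    for (src, proto, sport), stats in agg.items():
        if (proto == "UDP" and sport in REFLECTION_PORTS
                and stats["packets"] >= min_packets and len(stats["dsts"]) >= min_dsts):
            hits.append({"src": src, "sport": sport, "tenant": tenant_for(src),
                         "packets": stats["packets"], "dst_count": len(stats["dsts"]),
                         "rtbh_prefix": f"{src}/32"})  # host route to hand to S/RTBH
    return hits

if __name__ == "__main__":
    for hit in flag_outbound_abuse(SAMPLE_FLOWS):
        print(f"notify {hit['tenant']}: {hit['src']} udp/{hit['sport']} -> "
              f"{hit['dst_count']} hosts, {hit['packets']} pkts; blackhole {hit['rtbh_prefix']}")
```

In production the records would come from your collector rather than an inline string, and the packet threshold would be a rate over the export interval rather than a raw count.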