nanog mailing list archives

Re: Question for service providers regarding tenant use of public IPv4 on your infrastructure


From: Brian Rak <brak () gameservers com>
Date: Tue, 29 Apr 2014 12:13:27 -0400


On 4/28/2014 4:18 PM, Cliff Bowles wrote:
(accidentally sent this to nanog-request earlier, sorry if there is a double post)

We are an enterprise and we do not yet have a sophisticated service-provider model yet for billing, 
capacity-management, or infrastructure consumption. We have a few vBlocks that we consume internally for IT/business 
needs. Recently, the decision was made to start offering our infrastructure to partner businesses to deploy their apps 
on, which will then be made available to their customers.

The ingress/egress, the virtualization and even the orchestration part are essentially covered. We've tackled the 
security part as well. However, we have some tenants that want to egress to the internet locally rather than backhaul the 
traffic to their premise. Naturally, we could ask each tenant to provide their own internet for this, but the business wants 
to explore a dedicated, customer-only internet and chargeback/showback.

My question is: how are cloud providers handling the use of their IP space when they don't have full control over what their 
tenants are doing? More specifically, if you own a large block of IPs, how do you prevent business impact (or other tenant 
impact) if one tenant does something that causes an upstream ISP to blacklist/block? We don't want to put more controls in 
path between the tenant and the internet, we just want to know how to manage upstream relations.
If you're allocating individual customers their own subnets, make sure you report these allocations to ARIN (via SWIP). This will make the whois results more accurate, so you'll hopefully just end up with the individual customer getting blacklisted, rather then your entire range. Make sure you actually respond to abuse complaints in a timely fashion. If you're actually responsive to abuse complaints, it's a lot less likely you'll end up with all of your subnets blacklisted.

I'm guessing Amazon and other similar providers have some arrangements with peering ISPs and law-enforcement to ensure 
that there is consultation before action is taken?
I doubt it. Most of Amazon's EC2 IP ranges are on various blacklists. There's really no feasible way for them to keep all their IPs off blacklists, so I suspect they've just given up trying.
Or do ISPs put some level of security between their tenants and the internet to prevent this? I've been told that the 
majority do not have any intelligent filtering beyond bogon-lists. I'd imagine that would cause huge operational overhead 
and frustrate the tenants.
You should try to block whatever abuse you can, especially if you're going to be offering 'cloud' servers to the public. Get some routine security scans going (start off with the basics, look for open resolvers, vulnerable NTP servers, open chargen servers, SNMP servers with default communities) and alert your customers whenever you detect something.

It should go without saying, but make sure your users cannot spoof IP addresses.


Current thread: