Question for service providers regarding tenant use of public IPv4 on your infrastructure

Cliff Bowles Cliff.Bowles at
Mon Apr 28 20:18:35 UTC 2014

(accidentally sent this to nanog-request earlier, sorry if there is a double post)

We are an enterprise and we do not yet have a sophisticated service-provider model yet for billing, capacity-management, or infrastructure consumption. We have a few vBlocks that we consume internally for IT/business needs. Recently, the decision was made to start offering our infrastructure to partner businesses to deploy their apps on, which will then be made available to their customers.

The ingress/egress, the virtualization and even the orchestration part are essentially covered. We've tackled the security part as well. However, we have some tenants that want to egress to the internet locally rather than backhaul the traffic to their premise. Naturally, we could ask each tenant to provide their own internet for this, but the business wants to explore a dedicated, customer-only internet and chargeback/showback.

My question is: how are cloud providers handling the use of their IP space when they don't have full control over what their tenants are doing? More specifically, if you own a large block of IPs, how do you prevent business impact (or other tenant impact) if one tenant does something that causes an upstream ISP to blacklist/block? We don't want to put more controls in path between the tenant and the internet, we just want to know how to manage upstream relations.

I've heard that some ISPs don't block a specific IP when they see malicious behavior; they do a WHOIS and block the whole range. That would, of course, impact multiple tenants.

I'm guessing Amazon and other similar providers have some arrangements with peering ISPs and law-enforcement to ensure that there is consultation before action is taken?

Or do ISPs put some level of security between their tenants and the internet to prevent this? I've been told that the majority do not have any intelligent filtering beyond bogon-lists. I'd imagine that would cause huge operational overhead and frustrate the tenants.

If you've tackled this issue as part of your business, I'd appreciate any feedback. Thanks in advance.


This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

More information about the NANOG mailing list