Question for service providers regarding tenant use of public IPv4 on your infrastructure

Tue Apr 29 16:13:27 UTC 2014

On 4/28/2014 4:18 PM, Cliff Bowles wrote:
> (accidentally sent this to nanog-request earlier, sorry if there is a double post)
>
> We are an enterprise and we do not yet have a sophisticated service-provider model yet for billing, capacity-management, or infrastructure consumption. We have a few vBlocks that we consume internally for IT/business needs. Recently, the decision was made to start offering our infrastructure to partner businesses to deploy their apps on, which will then be made available to their customers.
>
> The ingress/egress, the virtualization and even the orchestration part are essentially covered. We've tackled the security part as well. However, we have some tenants that want to egress to the internet locally rather than backhaul the traffic to their premise. Naturally, we could ask each tenant to provide their own internet for this, but the business wants to explore a dedicated, customer-only internet and chargeback/showback.
>
> My question is: how are cloud providers handling the use of their IP space when they don't have full control over what their tenants are doing? More specifically, if you own a large block of IPs, how do you prevent business impact (or other tenant impact) if one tenant does something that causes an upstream ISP to blacklist/block? We don't want to put more controls in path between the tenant and the internet, we just want to know how to manage upstream relations.
If you're allocating individual customers their own subnets, make sure 
you report these allocations to ARIN (via SWIP).  This will make the 
whois results more accurate, so you'll hopefully just end up with the 
individual customer getting blacklisted, rather then your entire range.  
Make sure you actually respond to abuse complaints in a timely fashion.  
If you're actually responsive to abuse complaints, it's a lot less 
likely you'll end up with all of your subnets blacklisted.

> I'm guessing Amazon and other similar providers have some arrangements with peering ISPs and law-enforcement to ensure that there is consultation before action is taken?
I doubt it.  Most of Amazon's EC2 IP ranges are on various blacklists.  
There's really no feasible way for them to keep all their IPs off 
blacklists, so I suspect they've just given up trying.
> Or do ISPs put some level of security between their tenants and the internet to prevent this? I've been told that the majority do not have any intelligent filtering beyond bogon-lists. I'd imagine that would cause huge operational overhead and frustrate the tenants.
You should try to block whatever abuse you can, especially if you're 
going to be offering 'cloud' servers to the public.  Get some routine 
security scans going (start off with the basics, look for open 
resolvers, vulnerable NTP servers, open chargen servers, SNMP servers 
with default communities) and alert your customers whenever you detect 
something.

It should go without saying, but make sure your users cannot spoof IP 
addresses.