North American Network Operators' Group (NANOG) mailing list
Subject: Question for service providers regarding tenant use of public IPv4
From: Cliff Bowles <Cliff.Bowles@apollo.edu>
To: nanog@nanog.org
Date: Mon, 28 Apr 2014 13:18:35 -0700
(accidentally sent this to nanog-request earlier, sorry if there is a double post)
We are an enterprise and we do not yet have a sophisticated service-provider model for billing, capacity management, or infrastructure consumption. We have a few vBlocks that we consume internally for IT/business needs. Recently, the decision was made to start offering our infrastructure to partner businesses to deploy their apps on, which will then be made available to their customers.
The ingress/egress, the virtualization and even the orchestration part are essentially covered. We've tackled the security part as well. However, we have some tenants that want to egress to the internet locally rather than backhaul the traffic to their premises. Naturally, we could ask each tenant to provide their own internet for this, but the business wants to explore a dedicated, customer-only internet and chargeback/showback.
My question is: how are cloud providers handling the use of their IP space when they don't have full control over what their tenants are doing? More specifically, if you own a large block of IPs, how do you prevent business impact (or other tenant impact) if one tenant does something that causes an upstream ISP to blacklist/block? We don't want to put more controls in the path between the tenant and the internet; we just want to know how to manage upstream relations.
I've heard that some ISPs don't block a specific IP when they see malicious behavior; they do a WHOIS and block the whole range. That would, of course, impact multiple tenants.
I'm guessing Amazon and other similar providers have some arrangements with peering ISPs and law enforcement to ensure that there is consultation before action is taken?
Or do ISPs put some level of security between their tenants and the internet to prevent this? I've been told that the majority do not have any intelligent filtering beyond bogon lists. I'd imagine that would cause huge operational overhead and frustrate the tenants.
If you've tackled this issue as part of your business, I'd appreciate any feedback. Thanks in advance.

CWB