On 4/28/2014 4:18 PM, Cliff Bowles wrote:
(accidentally sent this to nanog-request earlier, sorry if there is a double
post)
We are an enterprise and we do not yet have a sophisticated service-provider
model yet for billing, capacity-management, or infrastructure consumption. We
have a few vBlocks that we consume internally for IT/business needs. Recently,
the decision was made to start offering our infrastructure to partner
businesses to deploy their apps on, which will then be made available to their
customers.
The ingress/egress, the virtualization and even the orchestration part are
essentially covered. We've tackled the security part as well. However, we have
some tenants that want to egress to the internet locally rather than backhaul
the traffic to their premise. Naturally, we could ask each tenant to provide
their own internet for this, but the business wants to explore a dedicated,
customer-only internet and chargeback/showback.
My question is: how are cloud providers handling the use of their IP space when
they don't have full control over what their tenants are doing? More
specifically, if you own a large block of IPs, how do you prevent business
impact (or other tenant impact) if one tenant does something that causes an
upstream ISP to blacklist/block? We don't want to put more controls in path
between the tenant and the internet, we just want to know how to manage
upstream relations.
If you're allocating individual customers their own subnets, make sure
you report these allocations to ARIN (via SWIP). This will make the
whois results more accurate, so you'll hopefully just end up with the
individual customer getting blacklisted, rather then your entire range.
Make sure you actually respond to abuse complaints in a timely fashion.
If you're actually responsive to abuse complaints, it's a lot less
likely you'll end up with all of your subnets blacklisted.
I'm guessing Amazon and other similar providers have some arrangements with
peering ISPs and law-enforcement to ensure that there is consultation before
action is taken?
I doubt it. Most of Amazon's EC2 IP ranges are on various blacklists.
There's really no feasible way for them to keep all their IPs off
blacklists, so I suspect they've just given up trying.
Or do ISPs put some level of security between their tenants and the internet to
prevent this? I've been told that the majority do not have any intelligent
filtering beyond bogon-lists. I'd imagine that would cause huge operational
overhead and frustrate the tenants.
You should try to block whatever abuse you can, especially if you're
going to be offering 'cloud' servers to the public. Get some routine
security scans going (start off with the basics, look for open
resolvers, vulnerable NTP servers, open chargen servers, SNMP servers
with default communities) and alert your customers whenever you detect
something.
It should go without saying, but make sure your users cannot spoof IP
addresses.
