Managing IP addresses for your private clouds
2013 ASEAN CAS Summit
Bangkok, Thailand
7 February 2013
George Kuo
Member Services Manager
Overview
• Introduction to APNIC and Regional Internet Registries
• Why your own IP addresses for your clouds?
• Questions to ask your cloud service providers
• IPv6 security
• How to get IP addresses?
• Internet resource management policies
Regional Internet Registries
The Internet community established the RIRs to provide fair access and consistent resource distribution and registration throughout the world.
What is APNIC?
• The Regional Internet Registry (RIR) for the Asia Pacific
  – Delegates IP addresses and AS numbers
  – Maintains the APNIC Whois Database
  – Manages reverse DNS delegations
• Not-for-profit and membership-based organization
  – 3,400+ Members
  – 100+ Members in Thailand
  – NOT a domain name registry
APNIC’s Mission
• Assist the Asia Pacific Internet community in effective Internet resources management and distribution
• Support regional Internet infrastructure building
• Seek public consideration of issues that benefit Members and the community
• Coordinate and facilitate Internet resource policy development
• Provide training and outreach on resource management and APNIC services
Why your own IP addresses for your clouds?
• Service provider networks
  – A key component in service provision
  – Addresses to be assigned to infrastructure and customers
• Independent networks
  – Addresses to be used for their own networks
  – Allows easier management of multiple connections to ISPs/IXPs
  – Removes the need to renumber when changing upstream providers
Questions to ask your cloud service providers
• Private IP addressing has its limitations. Are you numbering cloud hosts in public or private addresses?
  – Private: How many customers share the NAT interface to the public Internet?
  – Public: Does the provider have enough addresses to meet your future needs?
• IP address portability
  – If you have access to a block of public addresses, does the provider have the capability to use them in provisioning your cloud solution?
• What are the costs involved?
  – Are you being charged for public IP addresses?
Questions to ask your cloud service providers
• Does the provider rely on NAT and CGN for their security?
  – NAT and CGN are not all of your security
  – You need proper configuration and ACLs reflecting your function and needs, e.g. inbound SSH only for your back office network, outbound only to your specified clients
• How much infrastructure is shared between cloud customers, and what are your specific needs?
  – A shared access path means potentially shared risks
• Does the cloud provider understand IPv6?
  – For future growth and demand, start early, gain experience
  – Be aware of the differences in IPv6 security
IPv6 security
• Mostly the same as IPv4
  – ACLs are basically the same
  – ICMPv6 is substantially different: do not block most ICMPv6, it is needed for path MTU discovery, etc.
  – Be aware of different IP fragmentation behaviour
• New class of risks
  – Stateless address autoconfiguration (SLAAC)
  – Switch ND (Neighbor Discovery) exhaustion (DDoS attack)
  – Get proper IPv6-aware managed switches; they should offer mitigation against both risks
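The ICMPv6 point above, as an added example that is not part of the original slides: a first-match audit that reports which ICMPv6 error and Neighbor Discovery types an ACL would drop. The rule format, the two sample ACLs and the implicit final deny are constructed assumptions, not any vendor's syntax.

```python
# Added example: first-match audit of an IPv6 ACL for ICMPv6 types that must pass.
# The rule tuples are a constructed, vendor-neutral format, not any product's syntax.

# ICMPv6 error and Neighbor Discovery types (numbers from the IANA ICMPv6 registry).
REQUIRED = {
    1: "destination unreachable",
    2: "packet too big (path MTU discovery)",
    3: "time exceeded",
    4: "parameter problem",
    133: "router solicitation",
    134: "router advertisement",
    135: "neighbor solicitation",
    136: "neighbor advertisement",
}
IMPLICIT_ACTION = "deny"  # assumption: the ACL ends with an implicit deny


def first_match(acl, icmp_type):
    """Return the action of the first rule that matches this ICMPv6 type."""
    for action, proto, types in acl:
        # "ipv6" rules match every protocol; types=None matches every ICMPv6 type.
        if proto in ("icmpv6", "ipv6") and (types is None or icmp_type in types):
            return action
    return IMPLICIT_ACTION


def blocked_required(acl):
    """Map each required ICMPv6 type that the ACL would drop to its name."""
    return {t: n for t, n in REQUIRED.items() if first_match(acl, t) == "deny"}


# Constructed ACL carrying over an IPv4 habit: allow ping, drop other ICMP.
IPV4_HABIT = [
    ("permit", "icmpv6", {128, 129}),
    ("deny", "icmpv6", None),
    ("permit", "tcp", None),
]
# Constructed corrected ACL: errors, echo and Neighbor Discovery pass first.
CORRECTED = [
    ("permit", "icmpv6", {1, 2, 3, 4, 128, 129}),
    ("permit", "icmpv6", {133, 134, 135, 136}),
    ("deny", "icmpv6", None),
    ("permit", "tcp", None),
]

if __name__ == "__main__":
    for name, acl in (("IPv4 habit", IPV4_HABIT), ("corrected", CORRECTED)):
        dropped = blocked_required(acl)
        print(f"{name}: drops {sorted(dropped)}" if dropped else f"{name}: ok")
```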
How to get IP addresses
• Service providers and independent network operators get their IP addresses from their Internet Registry
  – Maximum /22 (1,024 addresses) of IPv4
  – Initial /48 to /32 of IPv6
  – Must meet current policy criteria
• Casual users get their IP addresses from their service provider (ISP, hosting, data centre etc.)
How to get IP addresses
• Online request form
  – www.apnic.net/member
• Need support?
  – Contact APNIC Member Services Helpdesk
  – Monday to Friday, 09:00 to 21:00 (UTC +10)
  – www.apnic.net/helpdesk
Policies
• Service providers
  – IPv4 criteria
    • Have used a /24 from their upstream provider or demonstrate an immediate need for a /24,
    • Demonstrate a detailed plan for use of a /23 within a year
  – IPv6 criteria
    • Have existing IPv4, or
    • Plan to provide IPv6 connectivity and make 200 customer assignments in 2 years
Policies
• Independent networks
  – IPv4 criteria
    • Connected or plan to connect within 3 months to multiple ISPs/IXPs, or
    • Running an IXP (Internet Exchange Point), or
    • Running an Internet critical infrastructure e.g.
      – Root domain name system (DNS) server;
      – Global top level domain (gTLD) nameservers;
      – Country code TLD (ccTLDs) nameservers;
      – National/Regional Internet Registry
Policies
• Independent networks
  – IPv6 criteria
    • Automatically eligible for a minimum IPv6 portable assignment if previously justified an IPv4 portable assignment from APNIC
    • Running an IXP (Internet Exchange Point), or
    • Running an Internet critical infrastructure e.g.
      – Root domain name system (DNS) server;
      – Global top level domain (gTLD) nameservers;
      – Country code TLD (ccTLDs) nameservers;
      – National/regional Internet Registry