Managing IP addresses for your private clouds

2013 ASEAN CAS Summit

Bangkok, Thailand

7 February 2013

George Kuo

Member Services Manager


Overview

• Introduction to APNIC and Regional Internet Registries

• Why your own IP addresses for your clouds?

• Questions to ask your cloud service providers

• IPv6 security

• How to get IP addresses?

• Internet resource management policies

Introduction to APNIC & Regional Internet Registries


Regional Internet Registries

The Internet community established the RIRs to provide fair access and consistent resource distribution and registration throughout the world.

What is APNIC?

• The Regional Internet Registry (RIR) for the Asia Pacific
  – Delegates IP addresses and AS numbers
  – Maintains the APNIC Whois Database
  – Manages reverse DNS delegations

• Not-for-profit and membership based organization
  – 3,400+ Members
  – 100+ Members in Thailand
  – NOT a domain name registry

APNIC’s Mission

• Assist the Asia Pacific Internet community in effective Internet resources management and distribution

• Support regional Internet infrastructure building

• Seek public consideration of issues that benefit Members and the community

• Coordinate and facilitate Internet resource policy development

• Provide training and outreach on resource management and APNIC services

Why your own IP addresses for your clouds?

• Service provider networks
  – A key component in service provision
  – Addresses to be assigned to infrastructure and customers

• Independent networks
  – Addresses to be used for their own networks
  – Allows easier management of multiple connections to ISPs/IXPs
  – Removes the need to renumber when changing upstream providers

Questions to ask your cloud service providers

• Private IP addressing has its limitations. Are you numbering cloud hosts in public or private addresses?
  – Private: How many customers share the NAT interface to the public Internet?
  – Public: Does the provider have enough addresses to meet your future needs?

• IP address portability
  – If you have access to a block of public addresses, does the provider have the capability to use them in provisioning your cloud solution?

• What are the costs involved?
  – Are you being charged for public IP addresses?

• Does the provider rely on NAT and CGN for their security?
  – NAT and CGN are not all of your security
  – You need proper configuration and ACLs reflecting your function and needs, e.g. inbound SSH only for your back office network, outbound only to your specified clients

• How much infrastructure is shared between cloud customers, given your specific needs?
  – A shared access path means potentially shared risks

• Does the cloud provider understand IPv6?
  – For future growth and demand, start early and gain experience
  – Be aware of the differences in IPv6 security

IPv6 security

• Mostly the same as IPv4
  – ACLs are basically the same
  – ICMPv6 is substantially different: do not block most ICMPv6, it is needed for path MTU (pMTU) discovery, etc.
  – Be aware of different IP fragmentation behaviour

• New class of risks
  – Stateless auto config (SLAAC)
  – Switch ND exhaustion (DDoS attack)
  – Get proper IPv6-aware managed switches; they should offer mitigation against both risks
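The ACL advice on the two slides above (SSH inbound only from the back office, and not blocking the ICMPv6 that IPv6 needs), as an added example that is not part of the original presentation. It models a first-match ACL in Python and compares a weak rule set with a corrected one; the prefixes, rule format and function names are constructed for illustration, and the list of essential ICMPv6 types follows RFC 4890.

```python
import ipaddress

# ICMPv6 types IPv6 depends on (following RFC 4890's filtering recommendations):
# error messages, including Packet Too Big for pMTU discovery, and Neighbor Discovery.
ESSENTIAL_ICMPV6 = {
    1: "Destination Unreachable", 2: "Packet Too Big",
    3: "Time Exceeded", 4: "Parameter Problem",
    133: "Router Solicitation", 134: "Router Advertisement",
    135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
}
BACK_OFFICE = "2001:db8:10::/48"   # constructed prefix (documentation range)
OUTSIDE_HOST = "2001:db8:ffff::1"  # constructed source outside the back office

def rule(action, proto=None, src=None, icmp_type=None, dport=None):
    """Build one ACL entry; a field left as None is a wildcard."""
    return {"action": action, "proto": proto, "src": src,
            "icmp_type": icmp_type, "dport": dport}

def matches(r, pkt):
    if r["proto"] is not None and r["proto"] != pkt["proto"]:
        return False
    if r["src"] and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(r["src"]):
        return False
    for field in ("icmp_type", "dport"):
        if r[field] is not None and r[field] != pkt.get(field):
            return False
    return True

def decide(acl, pkt):
    """First matching entry wins; anything unmatched is denied."""
    for r in acl:
        if matches(r, pkt):
            return r["action"]
    return "deny"

def blocked_essentials(acl, src=OUTSIDE_HOST):
    """Return the essential ICMPv6 types this ACL would drop."""
    return sorted(t for t in ESSENTIAL_ICMPV6
                  if decide(acl, {"proto": "icmpv6", "src": src, "icmp_type": t}) == "deny")

# Weak: the IPv4 habit of dropping all ICMP, with SSH open to any source.
WEAK_ACL = [rule("deny", "icmpv6"), rule("permit", "tcp", dport=22)]

# Corrected: essential ICMPv6 passes, SSH only from the back office, default deny.
# (A production ACL would also scope Neighbor Discovery to the local link.)
FIXED_ACL = [rule("permit", "icmpv6", icmp_type=t) for t in ESSENTIAL_ICMPV6] + [
    rule("permit", "tcp", src=BACK_OFFICE, dport=22),
    rule("deny"),
]

def ssh_from(acl, src):
    return decide(acl, {"proto": "tcp", "src": src, "dport": 22})
```

Running `blocked_essentials` against a translated copy of a provider's or your own rule set shows at a glance whether pMTU discovery and Neighbor Discovery would survive it.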

How to get IP addresses

• Service providers and independent network operators get their IP addresses from their Internet Registry
  – Maximum /22 (1,024 addresses) of IPv4
  – Initial /48 to /32 of IPv6
  – Must meet current policy criteria

• Casual users get their IP addresses from their service provider (ISP, hosting, data centre etc.)

• Online request form
  – www.apnic.net/member

• Need support?
  – Contact APNIC Member Services Helpdesk
  – Monday to Friday, 09:00 to 21:00 (UTC +10)
  – www.apnic.net/helpdesk

Policy criteria

Policies

• Service providers
  – IPv4 criteria
    • Have used a /24 from their upstream provider or demonstrate an immediate need for a /24,
    • Demonstrate a detailed plan for use of a /23 within a year
  – IPv6 criteria
    • Have existing IPv4, or
    • Plan to provide IPv6 connectivity and make 200 customer assignments in 2 years

• Independent networks
  – IPv4 criteria
    • Connected or plan to connect within 3 months to multiple ISPs/IXPs, or
    • Running an IXP (Internet Exchange Point), or
    • Running an Internet critical infrastructure, e.g.
      – Root domain name system (DNS) server;
      – Global top level domain (gTLD) nameservers;
      – Country code TLD (ccTLD) nameservers;
      – National/Regional Internet Registry

• Independent networks
  – IPv6 criteria
    • Automatically eligible for a minimum IPv6 portable assignment if previously justified an IPv4 portable assignment from APNIC
    • Running an IXP (Internet Exchange Point), or
    • Running an Internet critical infrastructure, e.g.
      – Root domain name system (DNS) server;
      – Global top level domain (gTLD) nameservers;
      – Country code TLD (ccTLD) nameservers;
      – National/Regional Internet Registry

Questions?


Thanks!

George Kuo, Member Services Manager

<[email protected]>
