Managing IP addresses for your private clouds

2013 ASEAN CAS Summit
Bangkok, Thailand
7 February 2013

George Kuo
Member Services Manager

Overview
• Introduction to APNIC and Regional Internet Registries
• Why your own IP addresses for your clouds?
• Questions to ask your cloud service providers
• IPv6 security
• How to get IP addresses?
• Internet resource management policies

Introduction to APNIC & Regional Internet Registries

Regional Internet Registries
The Internet community established the RIRs to provide fair access and consistent resource distribution and registration throughout the world.

What is APNIC?
• The Regional Internet Registry (RIR) for the Asia Pacific
  – Delegates IP addresses and AS numbers
  – Maintains the APNIC Whois Database
  – Manages reverse DNS delegations
• Not-for-profit and membership based organization
  – 3,400+ Members
  – 100+ Members in Thailand
  – NOT a domain name registry

APNIC's Mission
• Assist the Asia Pacific Internet community in effective Internet resources management and distribution
• Support regional Internet infrastructure building
• Seek public consideration of issues that benefit Members and the community
• Coordinate and facilitate Internet resource policy development
• Provide training and outreach on resource management and APNIC services

Why your own IP addresses for your clouds?
• Service provider networks
  – A key component in service provision
  – Addresses to be assigned to infrastructure and customers
• Independent networks
  – Addresses to be used for their own networks
  – Allows easier management of multiple connections to ISPs/IXPs
  – Removes the need to renumber when changing upstream providers

Questions to ask your cloud service providers
• Private IP addressing has its limitations. Are you numbering cloud hosts in public or private addresses?
  – Private: How many customers share the NAT interface to the public Internet?
  – Public: Does the provider have enough addresses to meet your future needs?
• IP address portability
  – If you have access to a block of public addresses, does the provider have the capability to use them in provisioning your cloud solution?
• What are the costs involved?
  – Are you being charged for public IP addresses?
• Does the provider rely on NAT and CGN for their security?
  – NAT and CGN are not all of your security
  – You need proper configuration and ACLs reflecting your function and needs, e.g. inbound SSH only for your back office network, outbound only to your specified clients
• How much infrastructure is shared between cloud customers, given your specific needs?
  – A shared access path means potentially shared risks
• Does the cloud provider understand IPv6?
  – For future growth and demand, start early, gain experience
  – Be aware of differences in IPv6 security

IPv6 security
• Mostly the same as IPv4
  – ACLs are basically the same
  – ICMPv6 is substantially different: do not block most ICMPv6, it's needed for pMTU discovery, etc.
  – Be aware of different IP fragmentation behaviour
• New class of risks
  – Stateless auto config (SLAAC)
  – Switch ND exhaustion (DDoS attack)
  – Get proper IPv6-aware managed switches; they should offer mitigation against both risks

How to get IP addresses
• Service providers and independent network operators get their IP addresses from their Internet Registry
  – Maximum /22 (1,024 addresses) of IPv4
  – Initial /48 to /32 of IPv6
  – Must meet current policy criteria
• Casual users get their IP addresses from their service provider (ISP, hosting, data centre etc.)
• Online request form
  – www.apnic.net/member
• Need support?
  – Contact APNIC Member Services Helpdesk
  – Monday to Friday, 09:00 to 21:00 (UTC +10)
  – www.apnic.net/helpdesk

Policy criteria

Policies
• Service providers
  – IPv4 criteria
    • Have used a /24 from their upstream provider or demonstrate an immediate need for a /24,
    • Demonstrate a detailed plan for use of a /23 within a year
  – IPv6 criteria
    • Have existing IPv4, or
    • Plan to provide IPv6 connectivity and make 200 customer assignments in 2 years
• Independent networks
  – IPv4 criteria
    • Connected or plan to connect within 3 months to multiple ISPs/IXPs, or
    • Running an IXP (Internet Exchange Point), or
    • Running an Internet critical infrastructure, e.g.
      – Root domain name system (DNS) server;
      – Global top level domain (gTLD) nameservers;
      – Country code TLD (ccTLDs) nameservers;
      – National/Regional Internet Registry
  – IPv6 criteria
    • Automatically eligible for a minimum IPv6 portable assignment if previously justified an IPv4 portable assignment from APNIC
    • Running an IXP (Internet Exchange Point), or
    • Running an Internet critical infrastructure, e.g.
      – Root domain name system (DNS) server;
      – Global top level domain (gTLD) nameservers;
      – Country code TLD (ccTLDs) nameservers;
      – National/regional Internet Registry

Questions?

Thanks!
George Kuo, Member Services Manager <george@apnic.net>
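
The ACL advice on the "Questions to ask your cloud service providers" and "IPv6 security" slides (inbound SSH only from the back office network, do not block the ICMPv6 that path MTU discovery needs), shown as an added example that is not part of the original presentation: a first-match ACL evaluator that audits a weak inbound policy beside a corrected one. The rule format, function names, the 2001:db8::/32 documentation prefixes and the minimal ICMPv6 type set are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values: documentation prefixes, not real networks.
BACK_OFFICE, ANY = "2001:db8:b0::/48", "::/0"
REMOTE, ON_LINK = "2001:db8:ffff::1", "fe80::1"
# Minimal ICMPv6 set assumed for this example: type -> (name, probe source).
# Error messages arrive from remote routers, neighbor discovery from on-link.
REQUIRED_ICMPV6 = {
    1: ("Destination Unreachable", REMOTE),
    2: ("Packet Too Big (path MTU discovery)", REMOTE),
    3: ("Time Exceeded", REMOTE),
    4: ("Parameter Problem", REMOTE),
    135: ("Neighbor Solicitation", ON_LINK),
    136: ("Neighbor Advertisement", ON_LINK),
}

def rule(action, src, proto, port=None, icmp_type=None):
    return {"action": action, "src": ipaddress.ip_network(src),
            "proto": proto, "port": port, "icmp_type": icmp_type}

def decide(acl, src, proto, port=None, icmp_type=None):
    """First matching rule wins; no match means implicit deny."""
    addr = ipaddress.ip_address(src)
    for r in acl:
        if (addr in r["src"] and r["proto"] == proto
                and r["port"] in (None, port)
                and r["icmp_type"] in (None, icmp_type)):
            return r["action"]
    return "deny"

def audit(acl):
    """Return findings where an inbound ACL departs from the slides' advice."""
    findings = []
    if decide(acl, "2001:db8:b0::10", "tcp", port=22) != "permit":
        findings.append("SSH from the back office is blocked")
    if decide(acl, REMOTE, "tcp", port=22) != "deny":
        findings.append("SSH is reachable from outside the back office")
    for t, (name, src) in REQUIRED_ICMPV6.items():
        if decide(acl, src, "icmpv6", icmp_type=t) != "permit":
            findings.append(f"ICMPv6 type {t} ({name}) is blocked")
    return findings

# Weak: the IPv4 habit of dropping all ICMP, plus SSH open to everyone.
WEAK_ACL = [rule("deny", ANY, "icmpv6"), rule("permit", ANY, "tcp", port=22)]
# Corrected: required ICMPv6 passes, SSH only from the back office prefix.
FIXED_ACL = [rule("permit", ANY, "icmpv6", icmp_type=t) for t in REQUIRED_ICMPV6]
FIXED_ACL.append(rule("permit", BACK_OFFICE, "tcp", port=22))

if __name__ == "__main__":
    for label, acl in (("weak", WEAK_ACL), ("fixed", FIXED_ACL)):
        print(label, audit(acl) or "no findings")
```

The same probes can be run against rules exported from a real firewall once they are translated into this rule format.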