metal-stack / metal-api

API to manage and control plane resources like machines, switches, operating system images, machine sizes, networks, IP addresses and more
GNU Affero General Public License v3.0

Allow acquiring child prefixes from other networks than private super networks #16

Open majst01 opened 4 years ago

majst01 commented 4 years ago

We simplified managing firewall rules for FITS Classic networking for our tenants by splitting the MPLS network manually into pieces:

```
mpls-nbg-w8101-a   MPLS Network for nbg-w8101   nbg-w8101   true   100.127.130.0/24   ●
mpls-nbg-w8101-b   MPLS Network for nbg-w8101   nbg-w8101   true   100.127.131.0/24   ●
mpls-nbg-w8101-c   MPLS Network for nbg-w8101   nbg-w8101   true   100.127.129.0/24   ●
                   FI-TS
mpls-nbg-w8101-d   MPLS Network for nbg-w8101   nbg-w8101   true   100.127.132.0/28   ●
```

This is quite a static approach, and it is to be expected that this will become hard to manage for us. For example, we have to prevent tenant A from starting firewalls in tenant B's network. But how can we decide this when there are no projects related to these networks? (Only static config mappings come to my mind to achieve this.)

The idea is to use the existing IPAM child prefix acquisition to enable users to dynamically carve out subnetworks of the MPLS network. These subnetworks would be smaller and belong to a project, therefore we could make a decision if acquiring IPs in this network is allowed or not.

majst01 commented 4 years ago

Additional goal: "Wish prefix" -> let a user try to acquire a certain prefix (would also be very good for Gardener in case something goes wrong there).
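To make the two proposals above concrete (carving project-owned child networks out of a super network, and a "wish prefix" request for a specific child), here is an added example that is not code from the metal-api project or from go-ipam. It is a stand-alone, in-memory model: the `Network` type, the `AcquireChildPrefix`/`AcquireWishedPrefix`/`CanAcquireIP` functions and the tenant and network names are hypothetical, it handles IPv4 only, and it does no persistence or locking. The point it shows is the authorization decision the issue asks for: once a child prefix belongs to a project, an IP request against that child can be allowed or denied by comparing project IDs, something that is impossible against the shared super network.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// Network is a hypothetical stand-in for a metal-api network: a super network
// has an empty ProjectID; a child carved out of it belongs to exactly one project.
type Network struct {
	ID        string
	ProjectID string // "" marks a super network (nobody may acquire IPs there directly)
	ParentID  string
	Prefixes  []netip.Prefix
	children  []netip.Prefix // child prefixes already handed out (kept on the super network)
}

var (
	ErrNoSpace      = errors.New("no free child prefix of the requested length")
	ErrTaken        = errors.New("wished prefix overlaps an already acquired child")
	ErrNotContained = errors.New("wished prefix is not inside any prefix of the super network")
	ErrForbidden    = errors.New("project may not acquire IPs in this network")
)

// nextPrefix returns the prefix that follows p (same length); ok is false on address-space wrap-around.
func nextPrefix(p netip.Prefix) (next netip.Prefix, ok bool) {
	a := p.Addr().As4()
	v := binary.BigEndian.Uint32(a[:])
	step := uint32(1) << uint(32-p.Bits())
	if v > ^uint32(0)-step {
		return netip.Prefix{}, false
	}
	binary.BigEndian.PutUint32(a[:], v+step)
	return netip.PrefixFrom(netip.AddrFrom4(a), p.Bits()), true
}

// isFree reports whether candidate overlaps none of the children handed out so far.
func (n *Network) isFree(candidate netip.Prefix) bool {
	for _, c := range n.children {
		if c.Overlaps(candidate) {
			return false
		}
	}
	return true
}

// handOut records p as taken and returns the project-owned child network.
func (n *Network) handOut(childID, projectID string, p netip.Prefix) *Network {
	n.children = append(n.children, p)
	return &Network{ID: childID, ProjectID: projectID, ParentID: n.ID, Prefixes: []netip.Prefix{p}}
}

// AcquireChildPrefix carves the first free child of the given bit length out of the super network.
func (n *Network) AcquireChildPrefix(childID, projectID string, length int) (*Network, error) {
	if length < 1 || length > 32 {
		return nil, fmt.Errorf("invalid IPv4 prefix length %d", length)
	}
	for _, parent := range n.Prefixes {
		if !parent.Addr().Is4() || length < parent.Bits() {
			continue // child must be at least as specific as its parent
		}
		c := netip.PrefixFrom(parent.Addr(), length).Masked()
		for parent.Contains(c.Addr()) {
			if n.isFree(c) {
				return n.handOut(childID, projectID, c), nil
			}
			next, ok := nextPrefix(c)
			if !ok {
				break
			}
			c = next
		}
	}
	return nil, ErrNoSpace
}

// AcquireWishedPrefix is the "wish prefix" variant: the caller names the exact child it wants.
func (n *Network) AcquireWishedPrefix(childID, projectID string, wish netip.Prefix) (*Network, error) {
	if !wish.IsValid() || !wish.Addr().Is4() {
		return nil, ErrNotContained
	}
	wish = wish.Masked()
	for _, parent := range n.Prefixes {
		if wish.Bits() < parent.Bits() || !parent.Contains(wish.Addr()) {
			continue // wish lies outside this parent prefix
		}
		if !n.isFree(wish) {
			return nil, ErrTaken
		}
		return n.handOut(childID, projectID, wish), nil
	}
	return nil, ErrNotContained
}

// CanAcquireIP is the decision the issue asks for: IPs come only from a child
// network, and only for the project that owns it.
func (n *Network) CanAcquireIP(projectID string) error {
	if n.ProjectID == "" || n.ProjectID != projectID {
		return ErrForbidden
	}
	return nil
}

func main() {
	// Constructed super network; the prefix is a sample, not taken from the issue.
	super := &Network{ID: "mpls-nbg-w8101", Prefixes: []netip.Prefix{netip.MustParsePrefix("100.127.128.0/22")}}
	a, _ := super.AcquireChildPrefix("mpls-tenant-a", "tenant-a", 24)
	fmt.Println(a.ID, a.Prefixes[0])                 // mpls-tenant-a 100.127.128.0/24
	fmt.Println(a.CanAcquireIP("tenant-b"))          // project may not acquire IPs in this network
	_, err := super.AcquireWishedPrefix("x", "tenant-b", netip.MustParsePrefix("100.127.128.64/26"))
	fmt.Println(err)                                 // wished prefix overlaps an already acquired child
}
```

A real implementation would keep the child allocations in the IPAM rather than in memory and take a lock (or rely on the IPAM's atomic acquire) so that two concurrent requests cannot be handed the same child; the prefix walk and the project comparison are the same.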