In my last conversation with Jon Postel we discussed the RIR system, in particular whether it ought to be a fixed system (which it has become) or a transient system that changed in accord with the geographic density of routing prefixes and the interconnecting paths as the net evolves.

The point of our conversation was that the RIRs were a political comprise between the need to aggregate address blocks to reduce the load of passing prefixes around the world and processing them. The ideal would have been a single worldwide RIR with the power to revoke and require re-addressing. But politics intervened and as a concession RIRs were established sometimes along the lines of the geographic density of prefixes and sometimes rather arbitrarily (e.g. Africa, which at the time was essentially, as a matter of packet routing, dangling off of New York.)

I know that I left the conversation, and I believe that Jon did as well, with the feeling that RIRs would have been better formed as temporary organizations that could be created, removed, aggregated, or split, as the technical inter connectivity of the net changed.

Karl, thank you. Your recollection matters because it restores something that has been systematically obscured over time: the RIR system was not born as a sacred constitutional order. It was a pragmatic and contingent compromise, tolerated because it served a narrow technical purpose. If that is true, then the present debate is not about whether one “likes” the current RIR structure. It is about whether that structure is still operating within the terms on which it was originally tolerated.

That, in my view, is now the central question. A thin coordination layer may be justified so long as it serves running infrastructure. But once a registry system begins to place administrative discretion above already-running networks, once it uses record power, recognition power, transfer power, and procedural power against live infrastructure rather than in service of it, its legitimacy is already spent. At that point, the issue is no longer whether a particular action can be dressed up as policy implementation. The issue is whether the institution has crossed the line from coordination into domination.

That is why I think the technical community now has a duty to say something more explicit than it has been willing to say so far. It is no longer enough to describe the present crisis as merely a governance dispute, a policy disagreement, or a difficult regional controversy. The deeper reality is that the RIR model, at least in its present form, has already exhausted the technical legitimacy on which it long relied. It borrowed that legitimacy from service to the network. It cannot continue to claim it while acting against the network.

And this is not a new problem that began with one large and visible case. The present moment only makes the structure impossible to ignore. Many smaller operators, less visible networks, and weaker parties were damaged long before this. Their losses were fragmented, localized, and easy for the system to absorb. Their running code died quietly. Their continuity was disrupted without broader institutional consequence. It is precisely because so many earlier injuries remained politically manageable that the system acquired the confidence to test itself against infrastructure of much greater scale. In that sense, the present overreach did not arise from nowhere. It was trained by impunity. The courage to challenge a network of this size was accumulated from the uncounted remains of those who came before.

That is also why some leaders within the registry world could speak so casually about the fate of very large address holdings, as though the forced loss of such resources were already a normalized administrative event that institutions could simply survive and “do fine” after. That kind of statement is extraordinarily revealing. It shows how far the mentality has drifted from stewardship toward administrative sovereignty. Once people inside the system begin talking as if large live address blocks can be extinguished, reclassified, or stripped away without confronting the deeper legitimacy problem, they are no longer speaking as custodians of a narrow technical coordination layer. They are speaking as though they govern by inherent right.

Your comment is valuable because it reminds readers of the opposite tradition. If the original understanding was that these institutions were contingent, revisable, and subordinate to the evolving technical reality of the network, then the present attempt to treat them as fixed, permanent, regionally entitled authorities is not continuity. It is mutation. And if that mutation now leads them to act against running code, then the technical community should stop shielding them with inherited language from an earlier era. It should say clearly that the institution exists for the network, not the network for the institution. Once that order is reversed, the claim to legitimacy does not weaken. It ends.

This story provides useful background:

https://www.theregister.com/2026/03/13/afrinic_strikes_back_at_litigant/

Thanks, John. The Register piece is useful background, but mainly because it shows exactly what I meant by running-code betrayal. A system that was supposed to exist for the stability and continuity of running networks is no longer being defended in technical terms. Instead, the argument is displaced into institutional narrative: paralysis, proxy war, villain, victim, motive, faction. But none of that answers the central question. If the registry layer holds high-consequence power over live number resources, why is it still insulated from commensurate liability, bounded mandate, and meaningful exit? Once that question is avoided, and narrative management takes the place of technical justification, the betrayal is already visible. The issue is no longer whether the system can tell stories about its enemies. The issue is whether it still serves the networks it was meant to coordinate. Reframing the problem does not solve it. It only demonstrates how far the system has moved from running code to self-preservation.

At this point, I think the disagreement turns on a different question than the one you are framing. You are treating legitimacy as requiring representative participation of the entire operator community, and then concluding that because most operators do not directly engage in these processes, the resulting system lacks legitimacy. That is not how coordination in a distributed operational environment works.

The RIR policy processes do not derive legitimacy from claiming to represent every operator. They derive it from being open to participation, from considering contributions on their merits, and—most importantly—from the fact that their outputs are relied upon and adopted by operators globally in the course of running networks. Operators do not need to sit in the room for the system to function; they need the system to produce coherent, stable outcomes that enable interoperability so that they can run their networks. That is the test that matters in practice.

You are correct that participation is self-selecting. It has always been so in operational communities. But the alternative you are implying—that legitimacy requires broad, continuous, representative engagement across all affected parties—does not map cleanly to a system that must operate continuously, globally, and without centralized authority. The key requirement is that the system be open to participation in both policy development and governance, such that if there were indeed an issue that operators considered unacceptable, they could become more active and bring about the necessary change. That, ultimately, is the real test of legitimacy in an operational system.

If your assertions of a grave injustice to those holding number resources resonated in a meaningful way with the operator community, then it would not be difficult to generate the engagement necessary to bring about changes in policy, registry terms, governance, or other aspects of the system. That is, in fact, how the model is intended to function.

In practice, however, sustained engagement at that level is more challenging than it may appear, as the overwhelming majority of operators are focused on providing network services to their customers and view the RIR systems as successfully supporting their requirements. You apparently have different needs and expectations so it is not surprising that you find RIR system to be lacking in support for your business model.

John, this still narrows the question without answering it. You are no longer saying the process meaningfully represents the operator community. You are now saying only that it is open to participation, and that operators rely on its outputs. But openness is not legitimacy, and reliance is not consent. Operators also rely on chokepoints because they must, not because those chokepoints have earned a permanent mandate over them.

The real question is not whether operators can, in theory, enter the room. The real question is whether the room remains disciplined by the narrow purpose that justified it in the first place: serving running networks. Once administrative power is used against live infrastructure on weak or contestable policy grounds, the legitimacy problem has already appeared. At that point, saying the process was open is not an answer. It is an evasion.

Your formulation also reverses the burden. Instead of the institution proving that it remains narrow, restrained, and subordinate to the network, operators are told that if they object, they should spend more time in the room and repair the system themselves. But a thin coordination layer was tolerated precisely so operators could run networks without constantly policing a private administrative class.

And these rooms are not merely self-selecting. They also speak a procedural language that few outside the process use and almost no normal operator has time to decode. A room does not become legitimate simply because the door is technically unlocked, especially when the language inside has become so specialized and self-referential that outsiders can no longer tell whether they are hearing administration or theology. A closed procedural culture can always call itself open.

Nor is low participation evidence of approval. In operational systems, diffuse dependence, fragmented harms, switching costs, and chronic time scarcity usually produce quiet compliance right up to the point of crisis. In any authoritarian structure, support is like blood oxygen: once it falls below a critical threshold, the organism may still be standing, but it is already in distress. After five years of visible resistance, widening disbelief, and growing support outside the ritual structure, the registry system still seems to imagine that operator silence means everything is fine. That is not health. That is institutional hypoxia.

You also say the system operates without centralized authority. That is exactly what is in dispute. The RIR model may not be sovereign in public-law terms, but it plainly exercises centralized administrative authority at the registry layer: over recognition, records, transfer, classification, and continuity. If it had no real administrative power, none of this would matter. The problem is that it does, and that it has begun to use that power against running code rather than in service of it.

That is why your appeal to “the operator community” now rings hollow. The operators who use my services are operators too. The ISPs who supported my candidacy are operators too. The parties that backed me with votes, money, and public support are operators too. They did not come through years of internal patronage or institutional deference. And after five years of efforts to isolate, caricature, and discredit me, that support did not disappear. It grew. That is not a personal point. It is evidence that the present RIR process does not uniquely express operator will, and never did.

Cloud Innovation serves thousands of networks globally. At least two million websites sit on these IP resources. The services and connectivity that depend on them reach hundreds of millions of users around the world. A system willing to endanger infrastructure of that reach without even a valid general policy basis cannot rescue itself by saying the room was open. If anything, the scale only makes the legitimacy failure more obvious.

This is why mandate laundering matters. A narrow coordinating role is wrapped in procedural ritual, consensus language, regional rhetoric, and institutional myth until it is made to look like something much larger than it actually is. Private administrative power goes in. Quasi-public legitimacy comes out. A room begins to speak as if it stands above the network it was only ever meant to serve.

So no, this is not fundamentally a disagreement about how much participation is enough. It is a disagreement about what legitimacy actually requires. A room is not the operator community. Openness is not consent. Dependence is not endorsement. And a system that uses administrative power against running code, then points to its own procedural openness as proof of legitimacy, is not preserving the technical tradition from which it once borrowed authority. It is exhausting it.

John, this still avoids the core issue. I did not argue that outcomes never change. I argued that the existence of procedural change does not by itself establish legitimacy. A system can be changeable and still be structurally unrepresentative. It can be open in form and still function as a narrow administrative culture in practice. It can allow occasional intervention and still rest on diffuse dependence, fragmented harms, and chronic disengagement. The fact that participation sometimes changes outcomes does not answer whether the model remains entitled to deference once administrative power is used against running code.

That is the point you continue to step around. My argument is not “operators can never influence the room.” My argument is that the room does not become the operator community merely because some operators can occasionally influence it. Influence is not representation. Access is not consent. Changeability is not legitimacy.

You also say operators “rely on those who do participate to carry forward shared operational perspectives.” But that is exactly the kind of mandate laundering now under dispute. A narrow and self-selecting class of policy regulars, staff, lawyers, and institutional insiders is treated as though it naturally carries the will of a much broader population that largely is not present, does not share the same incentives, and often only notices the system when it is already being acted upon. That is not a trivial feature of multistakeholderism. It is the danger of it.

And this is where the comparison to IETF and ICANN does not rescue the argument. The relevant question is not whether all Internet institutions have self-selecting participation. Of course they do. The relevant question is what kind of power they exercise, and what happens when that power is turned against already-running infrastructure. Once a registry layer uses administrative power against live resources on weak or contestable policy grounds, the burden changes. At that point it is no longer enough to say, “the process is open, and people could have shown up.” A system that exists to serve running networks cannot keep its legitimacy merely by pointing to its procedural changeability after it has begun acting against the thing it was supposed to protect.

That is why the AFRINIC case matters so much. This is not an abstract complaint about imperfect participation. It is a case in which live infrastructure of global consequence was put at risk, on a policy basis that was at best contestable, and the wider RIR order still chose to defend the institution first. Once that happens, appeals to normal multistakeholder process no longer sound like reassurance. They sound like ritual cover.

That is why we are no longer arguing about the same thing. You are defending the amendability of the process: the claim that outcomes can change if enough people enter the room. I am raising the prior question on which that entire defense depends: whether a model that uses administrative power against running code still has any technical legitimacy left at all. Those are not two versions of the same argument. They are arguments at different levels. Yours assumes the model remains legitimate and asks whether it can be adjusted from within. Mine asks whether, once the model has begun acting against the very running infrastructure in whose name it was tolerated, that legitimacy has already been consumed. If that prior question is not answered, then pointing to the process’s capacity for amendment proves very little. A system can be amendable and still no longer deserving of deference.

John, this response still collapses the distinction that matters most. No serious person argues that the Internet must never change. Protocols evolve. New capabilities are deployed. Operators migrate, adapt, and absorb the consequences in the course of running real networks. That is normal. But that is not the issue here.

The issue is that you are treating technical evolution and administrative power as though they were the same thing. They are not. QUIC, DNSSEC, RPKI, and similar changes become real through implementation, deployment, interoperability, and operational judgment. A registry layer using recognition power, record power, transfer power, and classification power to put already-running resources into uncertainty is something fundamentally different. That is not the network evolving. That is an institution acting upon the network.

That distinction is not rhetorical. It is the whole legitimacy question. The technical community tolerated coordination because it was supposed to serve running code, not sit above it. A thin layer that records uniqueness is one thing. A private administrative structure that can materially affect live infrastructure and then describe that act as merely “coordinated change” is another. Once those two things are blurred together, any exercise of discretionary power can be dressed up as normal evolution. That is exactly the danger.

Your argument also continues to smuggle in a representative claim that has never been earned. You speak of “operators” participating, objecting, and influencing outcomes, as though the existence of a self-selecting process were enough to make the room equivalent to the operational community. It is not. A narrow policy room does not become the operator community simply because participation is technically open. Access is not representation. Openness is not consent. Dependence is not endorsement.

And the burden cannot simply be pushed back onto operators every time the system acts beyond its legitimate bounds. “You could have shown up” is not a sufficient answer when the institution is already using administrative power against live resources. That does not defend legitimacy. It merely shifts the cost of policing the institution onto the people who were supposed to be able to trust that the institution would remain narrow, restrained, and subordinate to the network in the first place.

This is why the problem is no longer well described as mere overreach. It is more advanced than that. A narrow administrative function has been wrapped in ritual language—community, consensus, participation, coordination—until it is made to appear as though it carries a broader mandate than it ever possessed. That is mandate laundering. Private administrative power goes in. Supposed public legitimacy comes out. The room speaks as though it stands for the network, when in fact it was only ever tolerated as a tool serving the network.

So no, the decisive question is not whether operators can theoretically participate when they dislike an outcome. The decisive question is whether a model that has begun using administrative power against running code still deserves deference at all. Once that prior legitimacy has been consumed, pointing to amendability, openness, or historical participation proves very little. A system can be changeable and still no longer be legitimate.

That is why this is no longer just a disagreement about process. It is a disagreement about what kind of thing the RIR system has become. If it were still a thin coordination layer, the defense you offer might be enough. But once it begins acting against live infrastructure and then borrowing the language of community to justify itself, it is no longer merely coordinating the network. It is attempting to govern it. And that is precisely the line it was never supposed to cross.

Lu Heng –

I understand the distinction you are trying to draw between “technical evolution” and “administrative power,” but in practice that separation does not hold. Protocols that are deployed get revised, policies for administration of the name and address registries get revised, and these changes will, at times, affect existing deployments—it’s the nature of any evolving coordinated system.

The relevant question is whether those decisions are grounded in shared policy and subject to community-based processes for change—I believe that is the case with our Internet multistakeholder organizations, and that such is sufficient, and you apparently feel otherwise.

It’s certainly been proven sufficient to enable the remarkable success of the Internet to date, but I’m willing to acknowledge that isn’t necessarily a predictor of the future.

John, this still avoids the key distinction. No serious person argues that the Internet must never change. Protocols evolve. Capabilities are deployed. Standards are revised. Operators adapt. But that does not mean every institutional act that affects existing deployments is therefore equivalent to technical evolution. That is the category error at the center of your reply.

There is a reason this matters so much to engineers. Many systems look acceptable while they are lightly stressed. Beta software can appear fine in production right up until scale, dependency, and real-world load expose how fragile it actually is. The famous US-East AWS outages are remembered for exactly that reason: they showed how much hidden systemic risk could sit beneath a system that otherwise seemed successful and widely relied upon. In 2011, AWS’s own post-event summary described how a failure in EBS replication and the resulting remediation actions created significant cross-region API impact in US East; in 2017, AWS’s S3 postmortem described how a debugging command removed more server capacity than intended in US-EAST-1, causing broad disruption.

That is the analogy here. The fact that a system has functioned, or even functioned remarkably well for years, does not prove that its present form remains legitimate. It may simply prove that the system once operated close enough to its original mandate to avoid exposing its deeper fragilities. The real question is not whether the Internet succeeded while RIRs existed. The real question is whether that success was driven by the RIR model **as it originally was**—narrow, restrained, and subordinate to running code—or by the RIR model **as it is now becoming**—more expansive, more administrative, and more willing to act upon live infrastructure. Those are not the same thing.

That is why appeals to historical success do not settle the issue. A system can accumulate credibility while it stays within bounds, then begin consuming that credibility once it moves beyond them. If the RIR layer began as a thin coordination function, then its original success cannot automatically be invoked to justify its later expansion into something closer to quasi-sovereign administrative power. Past usefulness is not a perpetual mandate.

And that is exactly what is under dispute. A registry layer that records uniqueness and facilitates coordination is one thing. A registry layer that uses recognition, record, transfer, and classification power against already-running resources is another. Once that shift happens, the issue is no longer “the Internet evolves.” The issue is whether a private administrative structure has begun to act as though it stands above the network rather than beneath it.

So the relevant question is not whether change can affect existing deployments. Of course it can. The relevant question is whether the institution making those changes is still acting within the narrow role that made it tolerable in the first place. If the answer is no, then pointing to the Internet’s historical success proves very little. It may only prove that the model worked when it remained true to its mandate, not that it remains legitimate after it expands beyond that mandate.

That is the deeper problem with the present defense. It treats all impact as if it were the same: protocol revision, operator deployment, and registry-layer administrative action are all blended together under the heading of “coordinated change.” But they are not the same. And once those distinctions are blurred, any institutional expansion can be redescribed as normal evolution. That is not a defense of legitimacy. It is how legitimacy gets laundered.

Lu Heng –

I want to make sure that I’m understanding the point you’re trying to make, so I have taken some time to carefully reread your blog post and associated replies. I know that you are aware of the nature of the multistakeholder model used by the IETF, RIRs, and ICANN for policy development, and that you recognize that the global, pervasive nature of the Internet effectively results in these policies governing the underlying coordination systems of standards and associated registries – including specifically the protocol, domain name, and number registries.

The RIR system involves five organizations that openly meet and develop policies for the administration and operation of the Internet number registry system. These member-based organizations also provide the associated services necessary for use of the registry system, including fees, terms and conditions, and agreements. Legitimacy in the RIR system does not derive from adherence to some original design constraint, but from the continued operation of open, participatory processes that allow the community to define, refine, and govern that system over time.

At one point you stated that you “have no issue with current institution of AFRINIC, or RIRs by its extension… I believe the pioneers of the internet have designed a brilliant system… but the system… needs support to return it to what it was designed for – a community driven, bottom up system.” [1] You have even run for the board of an RIR calling for improved governance, so it is clear that, at least at one point, you believed in the legitimacy of the overall RIR framework and its membership-based governance structure.

In reviewing your CircleID blog post, I have difficulty discerning whether this is still the case. You express concern over a consensus policy decision in AFRINIC and the lack of intervention by other RIRs – despite the fact that such matters fall squarely within each RIR’s member-based governance structure.

As a result of these events, you now appear to have moved to a different position – that there is no legitimacy in the RIR system itself, i.e., that the open, community-based policy development process and member-based governance cannot validly represent the operational community. You suggest that RIRs are “laundering legitimacy” when they adopt policies with which you disagree.  You are that this is particularly the case when such policies fall outside a remit that you now seek to define on behalf of the “operator community.”

I will be the first to acknowledge that the open, community-based policy development and governance system of the RIRs requires active participation from the operational community to remain relevant. That participation is clearly demonstrated by the thousands of operators who engage each year in RIR policy development, meetings, and elections across the globe. The scale and visibility of that participation provide a stronger basis for assessing community position than any individual claim to represent the global operator community.
 
You assert an “expansion beyond mandate” but mandate of each RIR is not externally fixed, nor historically frozen – it is defined through the same open, bottom-up processes in which operators participate. As operational needs evolve, so to do the policies, registry practices, and associated services – including changes to registration data, service offerings, and terms and conditions. These are not unilateral institutional expansions; they are the result of community deliberation and adoption. The Internet is not static, and neither is the coordination framework that supports it.
 
But in the interest of constructive deliberation, I will ask the obvious question: if you believe that the structure or remit of the RIR system is improper, what is the next step? Established paths for change include running for an RIR governing board or bringing proposals through policy development processes - and the RIR system does evolve through these mechanisms.

So I ask plainly: are you proposing an alternative mechanism for determining legitimacy, or asserting the authority to define it unilaterally on behalf of the global operator community? 

As a result of your angst about AFRINIC, you’ve moved to disclaiming the legitimacy of the RIR processes that the operator community presently uses to evolve on policy and governance matters – so how exactly do you intend show that your newly found “mandate-limited” registry vision is in any way representative of the global operator community?  I will observe that RIR’s have governing boards each elected by the respective community, and assessing the validity of such representation is rather straightforward – it would be good to hear an explanation of your proposed alternative and its basis for validity.

[1] https://www.ripe.net/ripe/mail/archives/members-discuss/2022-July/004596.html

John, thank you for taking the time to reread the article. But this response still assumes away the core issue. You say legitimacy in the RIR system comes not from adherence to some original design constraint, but from the continued operation of open, participatory processes. That is exactly where I disagree. If the original mandate was narrow—coordination in service of running networks—then process cannot simply redefine that mandate upward without limit. A room does not become sovereign over the network merely because it is procedurally open. Process can refine a mandate. It cannot erase the boundary that made the institution tolerable in the first place.

That is also why my earlier support for better RIR governance is not a contradiction. I did support the model when understood as a community-driven, bottom-up coordination layer. I still have no difficulty with a thin registry function. What I do not accept is the mutation of that function into something much thicker: a quasi-public authority claiming power over resource destiny, narrowing exit, and imposing region-based control over already-running infrastructure. Support for the former does not validate the latter.

I did not invent that narrow conception. At earlier RIPE meetings, the point was stated to me very plainly by one of the founders: the registry was, at bottom, a bookkeeper. That was the original discipline. The institution existed to serve running systems, not to stand above them. If that now sounds like “my” line, that is not because I rewrote the history of the model. It is because the model forgot its own first principle, and I am repeating it back to you.

That is why I call this running-code betrayal. The issue is not whether the Internet evolves. Of course it does. Protocols are revised, capabilities are deployed, standards mature, and operators adapt. The issue is whether a private administrative layer that was tolerated as a narrow coordinating function can retain technical legitimacy once it begins acting against already-running infrastructure. That is a different question. Technical evolution is one thing. Administrative power used against live resources is another. Once the latter begins, the borrowed legitimacy of the former is already being consumed.

AFRINIC is therefore not a persuasive example of settled, bottom-up legitimacy at work. The transfer policy you are implicitly leaning on was appealed. The appeal was set aside in a period when AFRINIC lacked a functioning board. The later ratification took place amid prolonged governance breakdown and is now itself under challenge. That is not a clean illustration of calm member-based legitimacy. It is an example of institutional authority, policy pedigree, and ratification posture all being under strain at the same time. In those circumstances, simply repeating “community-based governance” does not answer the problem. It only reveals how much work that phrase is being asked to do.

You also continue to put far too much weight on the phrase “the operator community.” A narrow and self-selecting process, conducted in a procedural language few normal operators use and fewer still have time to decode, does not become the operator community merely because participation is technically open. Most operators are not in those rooms. Most do not live in policy ritual. Most only encounter the system when it acts on them. Treating the outputs of that narrow environment as though they naturally embody global operator will is precisely the mandate-laundering problem. A mailing list becomes a supposed people. A fee-paying membership class becomes a supposed constituency. A room begins to speak as if it stands above the network it was only ever meant to serve.

That is also why the “thousands participate” point does not settle anything. The relevant question is not whether a process can show attendance, elections, or occasional change. The relevant question is whether the institution remains subordinate to running code. Once administrative power is used against live resources on weak or contestable policy grounds, legitimacy is already being consumed. At that point, saying “operators could have participated more” merely shifts the burden from the institution proving restraint to the network defending itself against the institution.

And that is exactly why criticism alone is no longer enough. Once the system begins borrowing legitimacy from old language while acting beyond its old mandate, the answer cannot just be another round of ritual argument inside the same rooms. The answer has to be transition.

First, reality must come before advocacy. Registry-side risk has to be made visible, documentable, intelligible, and continuous. ( https://btw.media )  What procedural language makes mystical has to be rendered ordinary. What is hidden inside process has to be surfaced as risk, pattern, leverage, and consequence. That is why a reality-and-intelligence layer matters. The point is not propaganda. The point is legibility.

Second, continuity must come before constitutional change. Operators cannot be asked to carry existential governance risk with no bridge. If instability is real, there must be somewhere to stand ( https://larus.net )while the old discretionary layer is losing authority. Continuity cannot remain a slogan. It has to exist as deployable infrastructure, contractual certainty, and real-world commercial capacity. A thinner system will never be built if operators first have to risk being crushed by the old one.

Third, coordinated protection( https://nrs.help/nrs-shield/ ) must come before decentralization. The present order punishes fragmentation. Smaller operators and resource holders are weaker when isolated, stronger when represented together, and hardest to discipline when continuity risk, legal risk, and governance risk are pooled rather than individualized. That is why a nonprofit member-side protection layer matters. It is not the final constitutional settlement. It is transition capacity made operational.

Over time, a more decentralized end state still matters, because no durable answer can simply replace one priesthood with another. But decentralization here is chronological, not rhetorical. First the old monopoly over language and continuity has to be weakened. Then dependence has to be made survivable. Only then can thinner coordination become more than a slogan.

These are not the destination. They are transitional organs.

That is also why I am not claiming unilateral authority to define legitimacy on behalf of the world. I am making a narrower claim: legitimacy has conditions. A system tolerated as a thin coordination layer cannot keep borrowing technical legitimacy once it begins acting against the running infrastructure in whose name it was tolerated. When that drift becomes structural, reform cannot be left entirely to the ritual class that benefited from it. The replacement is not another priesthood. The replacement is organized transition.

So this is not simply a disagreement about process design. It is a disagreement about what kind of thing the RIR system has become. If it were still a thin coordination layer, your defense might be enough. But once it begins acting against live infrastructure, narrowing exit, laundering mandate through ritual language, and asking the harmed world to treat that as community legitimacy, the issue is no longer ordinary governance. It is running-code betrayal. And running-code betrayal cannot be cured by more ritual. It requires transition, and finally, replacement.

Lu Heng -

You argue that legitimacy comes from adherence to an original, narrow mandate, and that process cannot expand that mandate beyond its initial bounds.

Alas, I disagree. There is no externally fixed mandate, as the registry instantiates the community’s desired coordination model.  Legitimacy comes from the continued operation of open, participatory processes that allow the community to determine how coordination must function over time, and the distinction you draw between protocol evolution and registry action does not hold in practice.

The registry system is part of the coordination infrastructure of the network, not external to it. As network operators needs change, the registry will change, and this may includes services, policies, and terms previously that did not exist –  the question is not whether there is impact, but whether that impact arises from legitimate, open processes that can be revisited and changed.

Your critique of participation also does not resolve the issue. Openness provides legitimacy; participation determines outcomes. If participation is insufficient, that is a problem for the community to address within the process – not evidence that the process itself is illegitimate.

So I must ask again, by what mechanism does your proposed alternative derive legitimacy?

Critique alone does not establish authority, and if the legitimacy of your proposed model does not come from open, community participatory processes, where does it come from – and how is it valid?

You state that “legitimacy has conditions” - On this I agree, but where we apparently disagree is that I believe those conditions are set by the multistakestakeholder community through open and transparent processes, whereas you appear to be conjuring those conditions out of your particular beliefs about what makes appropriate constraints on the RIR system. 

By trying to force your views of a sacrosanct “original mandate” and specific “legitimacy conditions” upon the RIR system, you are effectively trying to preempt the community’s ability to discuss and decide those topics themselves…  And so yes, you are indeed proposing displacement of community-based governance with Lu Heng based goverance – attempting to establish particilar conditions on the RIR system absent any demonstrated legitimate process.

The question of whether the appropriate mandate for the RIR system has been exceeded is something for the community to determine, either in collectively or via elected leadership.  I’m really not sure there’s much more to say, as your attempted usurption of that right is simply incompatible with community-based self-governance.

John, this response finally makes the problem plain. You are no longer merely defending a process. You are defending the proposition that a process may define its own mandate, expand that mandate over time, and derive legitimacy from the same ritual by which it expands itself. But that is not an answer to the legitimacy question. It abolishes the question.

Because once a process may set its own scope without external limit, there is no principled boundary left. A narrow coordination layer can become a broad administrative authority simply by blessing itself through its own procedures. Today it is a bookkeeper. Tomorrow it is a gatekeeper. The day after that it claims the right to determine resource destiny, constrain exit, and act upon live infrastructure because the room says so. That is not bottom-up legitimacy. It is self-authorizing power.

The absurdity is obvious the moment one removes the familiar vocabulary. A room of ten bookkeepers cannot hold an open meeting and crown itself sovereign. A committee of clerks cannot begin with record-keeping and end with authority over geography, continuity, transfer, and survival merely because its meetings are open and its minutes are published. Openness does not transmute function into sovereignty. Process cannot vote itself a throne.

That is also why the distinction between protocol evolution and registry action must hold. Protocol changes become real through implementation, deployment, interoperability, and operator adoption. Registry actions become real through recognition, records, contracts, transfer gates, and classification. One works through running code. The other works through administrative leverage over running code. To blur those together because both may “affect existing deployments” is precisely how mandate laundering happens.

And this is where the cultic element enters. The problem is not merely that the room is narrow. The problem is that it begins to speak in a priesthood language that few outside the process use and fewer still have time to decode, then treats that language as proof of authority. Ritual becomes reality. Procedure becomes sanctification. The room no longer says, “we are one administrative layer among others.” It says, in effect, “we are the community, and therefore whatever emerges from our ritual carries legitimacy.” That is not technical modesty. It is institutional theology.

A mailing list becomes a supposed people. A fee-paying membership class becomes a supposed constituency. A narrow procedural culture becomes a supposed public. And once that transformation is accepted, dissent is no longer treated as a warning that the institution may have drifted beyond its mandate. It is treated as though it were heresy against the community itself. That is why this is more than mere overreach. It is a priesthood trying to consecrate its own power.

That is also why my point is not “Lu Heng should define legitimacy.” It is the opposite. No room, including one populated by people who agree with me, should be allowed to launder itself from narrow coordination into open-ended authority. The legitimacy of a registry layer does not come from its ability to vote itself a larger role. It comes from staying within the narrow role that made it tolerable in the first place.

And once that is understood, the present structure becomes much easier to see clearly. What is being defended here is not simply a community process. It is a model in which private administrative power goes in, ritual language is wrapped around it, and supposed public legitimacy comes out. That is mandate laundering. And when a system begins using that laundered mandate against running code, then calls the result “community self-governance,” the technical community should stop mistaking inherited vocabulary for living legitimacy.

So yes, this is still running-code betrayal. The problem is not that a process produced a result with which I disagree. The problem is that a model once tolerated as a thin coordinating layer now claims the right to redefine its own remit, act upon live infrastructure, and then call that legitimacy because the room was open. That is not a defense of community governance. It is the point at which community language becomes a costume for administrative power.

John, this response makes the circularity clearer, not weaker. You ask: if legitimacy does not come from process, where does it come from? It comes from the nature of the problem being coordinated. The number registry was tolerated because the problem was narrow: global uniqueness, common records, and continuity. That functional problem sets the outer boundary. The room did not create that problem, and therefore the room cannot use process alone to enlarge its authority beyond it.

No sovereign is required for this argument. On the contrary, the absence of a sovereign is exactly why the mandate must remain narrow. There is no demos, no territory, no public law, no taxation, and no general political authorization from which a private registry process can derive open-ended authority over resource destiny. A process may refine how a narrow coordination function is carried out. It may not vote itself into a broader right over transfer, geography, exit, and already-running infrastructure. A bookkeeper cannot vote itself sovereign.

This is also why your “false alternative” point misses the mark. The choice is not between a frozen historical snapshot and limitless procedural expansion. Mandates can evolve at the margins while remaining bounded by function. Accounting practices can change without turning accountants into courts of property. Routing coordination can evolve without turning coordinators into sovereigns. Likewise, registry procedures can adapt without converting a thin coordination layer into a quasi-public authority over already-running resources.

That is what your theory cannot explain. If openness, transparency, revisitability, and elections are enough, then there is no outer limit except the self-restraint of those already inside the room. That is not community self-governance. It is committee self-consecration. And it is especially fragile here because the room is narrow, self-selecting, and conducted in a procedural language that few normal operators use and fewer still have time to decode. A process does not become the operator community merely because participation is technically open.

So when you ask what defines the boundary, the answer is straightforward. The boundary is defined by the function that made the registry tolerable at all: preserve uniqueness, support continuity, minimize discretion, and remain subordinate to running code. Who determines whether that boundary has been crossed? Not Lu Heng alone, and not any single room alone. It is determined by whether the institution’s acts remain consistent with that narrow function or instead begin using administrative power against the infrastructure in whose name that power was tolerated. Open process can apply rules within those bounds. It cannot erase the bounds themselves.

And that is why the lack of an instantly complete replacement does not save the present model. One does not need a new constitution in hand to recognize that a bookkeeper has started behaving like a sovereign. The inability of the current room to imagine a thinner alternative is not proof that its present expansion is legitimate. It is only proof that the ritual class has begun to confuse its own process with the source of authority.

That is still the issue. Once process claims the right to define its own outer limits, it stops being a coordinating mechanism and starts becoming a self-justifying power. That is not community governance. It is running-code betrayal.

Lu Heng –

Okay, so you’re saying legitimacy comes from the function being coordinated, and that function sets a boundary that process can’t expand. Fine – for sake of discussion, let’s take that at face value.

That framing still leaves a critical question unanswered: a boundary defined by function doesn’t enforce itself.  It will need to be interpreted and applied in order to decide when it’s been crossed.

So when you say the registry has to stay “narrow,” the obvious question is – who decides that, and how are disagreements resolved? (The answer is clear in the present RIR system. Folks may not be happy with an RIR Board decision, but it is clear how a decision is reached and clear recourse if community sentiment differs.)

You’ve ruled out a sovereign, which is fine – I don’t think one is needed either. But without some defined process for deciding what’s “in scope” of your boundary function, you don’t actually get constraint – you just get each participant making their own call when there’s a question of interpretation. That’s not restraint, that’s chaos.

That’s the core gap in your argument. Function tells you what a system is for, but not how to run it. Even a “thin” coordination role still needs decisions about scope, application, and change. Those questions arise all of the time and decision have to happen somewhere; decisions that need to be visible and understood by the people using the system.

You’re saying process can’t define its own limits. But you’re not offering anything that works in practice as an alternative. Invoking “respect running code” or claiming a narrow scope of function does not resolve disputes or determine how and when change occurs.

So we’re back to the same question: if your alternative model depends on some presumed boundary, who actually applies that boundary and how? Because right now, your alternative relies on a set of constraints that are apparently to be interpreted by undefined parties and processes, so it’s quite reasonable that the operator community will view your proposed “solution” with a bit of skepticism.  (Certainly it makes it challenging to see if the purported solution is any better than present situation.)

John, your latest comment finally states the premise plainly: because some boundary must be interpreted and applied, the process that exists today may define that boundary for itself. But that does not solve the legitimacy problem. It simply restates it. The need for decisions does not, by itself, create authority. A scorekeeper at a card table may record the points and resolve whether a hand was counted correctly. He does not thereby become king of the game, owner of the chips, and master of the house. The fact that a system needs rules does not mean the bookkeeper may crown itself sovereign.

That is exactly where the present RIR logic breaks down. You assume that because the number registry needs ongoing coordination, the existing room may define the scope of that coordination for itself. But the boundary does not come from the room. It comes from the nature of the problem. The reason the registry layer was ever tolerated was that the problem was narrow: uniqueness, common record, continuity, and public audit. The room did not create that problem. The network did. So the room cannot use its own procedures to enlarge its authority beyond the function that justified its existence.

And that is why “who decides?” does have an answer that does not require a sovereign. The answer is that far more of the boundary should be pushed into architecture, and far less should be left to discretionary ritual. The minimal uniqueness layer should be reduced to what can be objectively verified: common record, provenance, ordering, transaction validity, and the narrow conflict rules necessary to preserve interoperability. That is a much smaller domain than the present registry priesthood likes to imply.

At that point, most of what is now called “decision” stops being political in the first place. A thin uniqueness layer does not need to decide every difficult social or commercial question. It needs to maintain a common, auditable substrate on which interoperability depends. That substrate can be carried by a distributed ledger with independent validating nodes, public auditability, transparent rule sets, and visible software behavior. In that model, the core is not governed by a room in the political sense. It is constrained by thin protocol, public verification, and shared state.

How then does change occur? Not by a room of regulars blessing itself into a larger ontology. Changes are proposed publicly, implemented in software, tested in the open, and only become operative when independent nodes and clients explicitly adopt them and activation thresholds are reached. That is much closer to real operator will than a narrow policy class speaking in its own ritual language. The point is not to abolish coordination. The point is to relocate authority from rhetorical consensus inside a room to observable distributed adoption across the actual system.

That is also why the hard cases should not all be dragged upward into the uniqueness layer as if every difficult question proves the need for registry sovereignty. If A and B dispute ownership, they go to court. If contracts are in dispute, they go to contract law. If sanctions are at issue, they belong to states. If fraud is alleged, it belongs to ordinary law, plus only the narrowest objective proofs where revocation is truly unavoidable. You cannot argue that because ownership disputes exist, the registry itself must become the authority that decides ownership. We already have mechanisms for those questions. The thin ledger exists to preserve interoperability, not to become priest, judge, and governor all at once.

That is the key difference between a genuine thin alternative and the present model. The present RIR order treats the existence of disputes as proof that the room must keep expanding its mandate. A thinner architecture does the opposite. It removes from the uniqueness layer everything that does not strictly belong there, and leaves only the minimum necessary for shared operation. That is why this is not “basically the same thing” in different packaging. One model centers discretionary ritual. The other centers constrained protocol.

This is also why your “clear process” defense is weaker than it appears. Clarity of procedure is not legitimacy. A cartel can have bylaws. A priesthood can have transparent ritual. A room can publish minutes and still exceed its mandate. The question is not whether today’s process can produce a visible decision. The question is why that process should be allowed to define the outer limit of its own authority. Once the same class that benefits from the institution also claims the right to determine how far the institution may reach, the circularity is complete.

Nor does the temporary absence of a finished replacement validate the present system. Direct overnight substitution would indeed create disorder. That is why transition organs matter. The answer is not vacuum, and it is not “Lu Heng governance.” The answer is staged transition: first a reality-and-intelligence layer so registry-side risk becomes legible; second a continuity layer so operators have somewhere to stand while the old discretionary layer loses authority; third a coordinated protection layer so fragmentation no longer remains the registry class’s best defense. I have set this out in more detail in my recent piece, *Mandate Laundering: From RIR Fantasy to Transition Architecture*. More formal alternatives will emerge, and some should begin entering beta over the next 6–12 months. But whether replacement is immediate or staged has nothing to do with whether ten people in a room may speak as if they possess cross-continental sovereignty today.

That is the real absurdity here. The argument has quietly become: because some mechanism is needed to resolve disputes, the present ritual class may define the scope of its own power. No. The need for a steering wheel does not make the mechanic the owner of the road. The need for a ledger does not make the clerk the sovereign of the system recorded in it.

So the answer to your question is not chaos. It is the opposite. It is a thinner, more explicit, more auditable order in which the registry layer is constrained by function, protocol, and public visibility, and in which everything that does not belong to uniqueness is pushed back out of the registry priesthood and into the places where it actually belongs.

That is why this is still running-code betrayal. The problem is not that a process exists. The problem is that the process now claims the right to define its own outer limits, act upon live infrastructure, and call that legitimacy because someone has to decide. That is not community self-governance. It is mandate laundering. And once a bookkeeper begins to speak as if it were the state, the technical community should stop mistaking ritual for restraint.

Lu Heng –

This is helpful – you’ve finally outlined an actual model, not just a critique.

But it still doesn’t resolve the core issue – it just moves it.

You’re proposing to push more of the boundary into architecture and reduce the need for institution-based decision-making – this is fine in concept. But even still, that architecture has to be defined & implemented, and it will inevitably evolve over time. Software doesn’t write itself – someone sets the rules, someone implements them, and someone defines the thresholds when changes are adopted. Even in distributed ledger systems, the decision rules (consensus, validation, and activation thresholds) must be defined and can change over time.

So saying “nodes adopt” doesn’t remove governance – it subtly shifts the initial control to those who define the rules and then it relies on the process of adoption to hopefully produce some form of true distributed authority. The good news is that your proposed “thin alternative” will eventually be revealed its structure, and at that point the operator community will be able to see and assess your actual governance mechanisms. At that time, it will also be possible to evaluate whether they will make for a system that is open, participatory, and accountable, and so this should make for an interesting comparison to the current RIR framework.

John, of course embedding more of the decision architecture in software does not eliminate decision-making. That was never the claim. The claim is narrower and more important: it changes the scope, location, and character of decision-making. That is the point.

Yes, someone defines rules. Yes, someone writes code. Yes, thresholds and upgrade conditions must exist. But that is not the same thing as giving a small administrative class continuing authority over already-running resources. Under a thinner architecture, the decision surface is radically reduced. The core questions become: what is the minimum shared record necessary for interoperability, how is validity checked, how is ordering maintained, and what threshold is required for adoption? That is a much smaller and cleaner problem than “which room may decide resource destiny, constrain exit, reinterpret mandate, and act on live infrastructure.”

And the difference is not cosmetic. In the current model, a narrow institutional class can use recognition, records, contracts, transfer gates, and classification to act upon operators. In the thinner model, code authors propose but do not impose; the network disposes through visible adoption. That does not abolish governance. It subjects governance to much tighter constraints. The question is no longer “who inside the room can authorize what?” The question becomes “what minimal rules are explicit enough, objective enough, and narrow enough that distributed operators are willing to run them?”

That is why “someone still writes the software” is not a serious equivalence. The fact that engineers design a bridge does not make the bridge authority sovereign over the river. The fact that protocols need maintainers does not mean the maintainers acquire the right to govern everything touched by the protocol. Under a thin uniqueness layer, the software governs only the minimum substrate necessary for shared operation. Everything else—ownership disputes, contracts, sanctions, political coercion, broader commercial conflict—stays outside the registry layer where it belongs.

This is exactly the point you continue to blur. The problem was never that decisions exist. The problem was that the present RIR order uses the existence of decisions to justify a much broader administrative role than the underlying problem requires. “Someone has to decide” is not a license for mandate expansion. It is not a warrant for committee sovereignty. It is certainly not a basis for allowing a narrow room to keep redefining its own scope.

So yes, the future thin model will have to be seen, assessed, tested, and compared. I agree with that completely. But that comparison itself already proves the larger point: the issue is not whether governance exists, but whether it is thin enough, explicit enough, distributed enough, and subordinate enough to running code to remain legitimate. That is precisely the comparison the current RIR system has spent years trying to avoid.

If you want the fuller answer, including the transition organs that make a thinner alternative survivable rather than chaotic, I have now set that out in Mandate Laundering: From RIR Fantasy to Transition Architecture.

One final point of intellectual honesty. The words “distributed ledger,” and some of the thinking behind that thinner architecture, do not originate entirely with me. Some of it comes from a mentor for whom I have great respect — one of the very few people in the RIR system who has earned that respect. I do not intend to take credit that is not entirely mine. In time, when these matters have settled enough to be described properly, I may write that story more fully elsewhere, perhaps in a book.

Lu Heng –

I agree that the real question is how governance is structured, constrained, and evaluated. But I don’t agree that the RIR system has been avoiding that comparison, as that comparison is exactly what the RIR community processes have been doing for decades – examining scope and evolving governance over time. Even the current RIR governance work underway reflects a willingness to revisit the structure and improve it in the open.

Your model should absolutely be seen, assessed, tested, and compared. But that comparison runs both ways. The RIR system has been subject to continuous scrutiny and evolution in practice – you might not be a fan of it, but it underlies the present Internet and is supported by an active community of thousands of network operators. Your proposed model has yet to demonstrate how it performs under those same conditions (and the level of support it might garner.)

John, I welcome the comparison. Any serious alternative should be seen, tested, and compared in the open. On that point, we agree.

My point is only that the comparison should be made on the right basis. The question is not whether the incumbent is older, larger, or more deeply embedded today. Those things prove installed base and path dependence. They do not, by themselves, prove continuing legitimacy.

The real questions are narrower. Has the present RIR model remained true to the thin coordination role that originally justified it? Does it still stay subordinate to running code, or has it drifted into broader administrative power over live resources? And can a thinner architecture preserve interoperability, continuity, and common record with less discretion and less mandate drift? That is the comparison worth having.

I have now outlined the transition architecture publicly. Further implementation detail will be released when ready. The fact that transition must be staged does not validate every expansion of the present model. It simply means replacement has to be engineered carefully. If the comparison is made on those terms, I welcome it.

Lu Heng –

I agree the comparison should be made on the right basis. You frame that around “thinness,” staying close to running code, and avoiding drift – criteria that will require quite a bit of subjective judgment, if indeed they are even the right criteria. Some might argue that different criteria for the registry system are more important, such as stability, openness, fairness, transparency, adaptability, etc.

The good news is that you don’t need to define the terms of that comparison, and neither do I. That’s exactly what the community figures out in practice.

That’s the point of a community-based system – legitimacy isn’t declared, it’s demonstrated. Different approaches get tested, and the community validates them through actual use, participation, and adoption over time. What holds up persists. What doesn’t gets pushed back on or replaced.

So yes, your model should be part of that comparison. If it really delivers more effective coordination and better alignment with the community, then that will be recognized and they will move accordingly.

John, on that point we agree: the real community decides. But the real community is not the room. It is the operators who actually choose what they run, what they trust, and what they are willing to depend on.

That has been the point of this series all along. Legitimacy is not preserved by ritual. It is tested by reality. If enough operators adopt a thinner, safer alternative, then that is the decision. It does not need to be granted permission by the incumbent structure.

And that is also why the question of replacement is not ultimately about your process. It is not about whether the present RIR ritual class approves of the comparison. It is about whether operators decide that a thinner model serves them better.

If that happens, then the present rituals do not defeat the alternative. They simply become irrelevant. Once enough operators move, the old language, the old room, and the old claims of exclusive legitimacy stop looking authoritative and start looking theatrical.

So yes — the real community decides. Precisely. And if the real community decides differently from the room, the room does not get to overrule reality. It will not even be notified of reality. It will simply discover it when it is too late.

Lu Heng –

Agreed – operators ultimately decide what they run. In the current RIR system, the choice they face has been to accept the services, policies, and terms set by those who do participate in RIR policy and governance (a group that you’ve repeatedly characterized as “a few dozen people in the room”) or to actually join that room to bring about the changes they desire.

Interestingly enough, the existing system is extremely well utilized, succesfully serving the global network operator community for decades. Your own characterization of a sparsely populated policy development “room” makes it apparent that any substantial change is readily available to any material portion of the operator community that wishes to engage to that end – and indeed, that has resulted in quite a bit of evolution (such as the ability to transfer rights to IP address blocks between parties) since the “initial mandate.”

In this way, the real operator community always has had the ability to decide, so once you’ve announced your future scheme please don’t be surprised if (just as has occurred with RIR policy & governance) the real operator community ends up making choices that don’t align with your preferences…

John, that is exactly the point. If operators ultimately decide what they run, then the room is not sovereign. The room is, at most, one incumbent mechanism through which coordination has historically been organized. Its continued utilization proves installed base and path dependence. It does not, by itself, prove permanent legitimacy.

The fact that many operators did not join the room does not show that substantial change was always easy. It often shows the opposite: high participation cost, fragmented incentives, and the absence of a credible transition path. That is why the present system could accumulate dependence without ever truly testing whether operators endorsed the full scope of what it later became.

And yes, once a real alternative exists, the real operator community will decide. That has been my point all along. Not my preferences. Not your preferences. Not the preferences of a narrow ritual class. Actual operator adoption. If operators conclude that a thinner model serves them better, they will move. If they do not, they will not. That is reality.

Every entrenched structure in history has told itself the same story: this is just another critic, another dissenter, another challenger, nothing to worry about. Right up until it is no longer a criticism but a shift in reality. Incumbent orders are rarely displaced because they lose an argument inside their own room. They are displaced when enough people outside that room stop treating them as indispensable.

So no, I would not be surprised if the real operator community makes its own choice. On the contrary, that is the entire argument. The only difference is that, once that happens, the old room will not get to declare itself the community and ratify reality after the fact. It will simply discover that reality has moved on, and that its rituals no longer decide very much — usually only when it is already too late.

Lu Heng –

We agree that operators ultimately decide what they run. That’s never really been in dispute.

Where we differ is in what that implies. Operator adoption doesn’t eliminate coordination – it expresses it. Even in your model, operators would be adopting a shared set of rules, thresholds, and behaviors that still need to be defined, understood, and maintained – even if that is realized in software.

So this isn’t “room versus reality”; it is simply different mechanisms for achieving coordination.

The RIR system is one such mechanism, and it has been used, tested, and evolved in the open over decades. Your model is another proposed mechanism, and it will be evaluated the same way – by how well it actually supports coordination and interoperability in practice, including the need to consider and adopt changes to policies and services over time.

(One hopes it proves to be an effective platform for instantiating operator cooperation, as opposed to a complex exercise in forum shopping…)

John, this is where the smoothing language becomes misleading. Of course operator adoption does not eliminate coordination. No one said it did. The question is not whether coordination exists. The question is what kind of coordination, at what layer, with what power, and under what constraints.

A thin shared protocol with explicit rules, distributed validation, and visible adoption is not the same thing as a private administrative class exercising recognition, record, transfer, and classification power over already-running resources. Both may be called “coordination” only because the word is broad enough to hide the distinction. One is coordination under constraint. The other is coordination that has learned to launder discretion into authority.

So this is not “room versus reality” in the trivial sense you suggest. It is constrained protocol versus mandate-laundered administration. It is one thing for operators to adopt software that maintains a narrow uniqueness layer. It is another for a small ritual class to claim authority over resource destiny and then describe that as just another coordination mechanism. Those are not equivalent mechanisms. They are different kinds of power.

That is why the installed base of the RIR system does not settle the matter. An incumbent can be used, tested, and evolved for decades and still drift beyond the mandate that once justified it. Path dependence is not exculpation. A bookkeeper that starts acting like a sovereign does not remain legitimate because it did a useful job years earlier.

And that last parenthetical gives the game away. When an incumbent starts describing every attempt to reduce its discretionary power as “forum shopping,” it is no longer defending coordination. It is defending position. If operators adopt a thinner model because it reduces mandate drift, lowers administrative risk, and keeps the uniqueness layer narrow, that is not shopping for a nicer forum. That is choosing a better architecture.

A system confident in its legitimacy welcomes comparison and welcomes exit. A system that has begun to confuse itself with the public interest treats exit as disloyalty and comparison as threat.

So yes, both models will face the same ultimate test: operator adoption. But the comparison is not between two neutral coordination mechanisms floating in the abstract. It is between a model that keeps enlarging the role of the room and a model that tries to shrink the room back beneath the network. If the real operator community prefers the latter, that is not an escape from legitimacy. That is legitimacy.

I raise the potential for forum shopping only because it is a valid concern. Despite seeking changes in the RIR system in the past, you have not demonstrated successful engagement of even the modest portion of the operator community necessary to bring them into effect – and since then have attacked the system itself as the reason for the lack of support for your views.

Under such circumstances, it is reasonable to consider whether the proposal of an entirely new governance approach to number registry coordination is motivated by a desire for improved coordination mechanisms or an attempt to restart the same debates in a new forum. I frankly could not care – so long as the operator community can achieve its necessary registry coordination – but it does speak to the level of scrutiny that your new framework is likely to undergo from the operator community.

John, that sentence assumes the point under dispute. Failure to persuade even a modest portion of the existing RIR ritual structure is not the same thing as failure to engage the operator community itself. The room is not the operator community. A narrow, self-selecting procedural class is not the same thing as the global population of operators who actually run networks, bear continuity risk, and live with the consequences of registry-side discretion.

The chronology matters, but so does the snapshot. In 2019, I was inside the system. I believed what many believed: that the registry layer was community-driven, bottom-up, and constrained by consensus rather than discretion. I began from participation, not opposition. That is not the posture of someone looking for an easier forum. It is the posture of someone giving the existing forum a serious chance.

If one strips out the process noise and compares the 2019 snapshot to the 2026 snapshot, the direction is obvious. Influence is not smaller. Resources are not smaller. Reach is not smaller. The support did not fade. It widened. What followed over those seven years was not a lack of engagement, but a structural demonstration of the system’s insulation. Inability to convert enough of the existing ritual class into internal reform is not proof that operators were never engaged. It may simply be proof that the room and the real community are no longer the same thing.

That is why day-to-day procedural outcomes are not the right measure. One does not judge a long-term market trend from a few sessions of price movement, and one should not judge a structural legitimacy crisis from a few motions, meetings, or temporary optics inside the incumbent room. Snapshot matters. Long horizon matters. Process noise does not.

Operators use my services. ISPs supported my candidacy. Support did not disappear after years of attack. It grew. That does not prove that any one person uniquely represents operators. It proves something narrower and more important: the present RIR process does not uniquely represent them either.

So the issue is no longer whether a modest portion of the existing room was captured. The issue is whether the room should continue to be treated as the unique and authoritative expression of operator will. Those are not the same question. Confusing them is precisely how mandate laundering works.

And yes, scrutiny of any alternative is appropriate. It should be scrutinized. I welcome that. If a thinner model cannot survive serious scrutiny, it does not deserve adoption. But scrutiny cuts both ways. The incumbent should not be insulated merely because it is old.

This is also not ultimately about personal preference or marginal personal gain. Beyond a certain point, another increment of money changes very little in daily life. The issue is that the world needs a thinner, safer, and less discretionary coordination layer. History happened to place me in a position where that problem became impossible to ignore. The job, then, is simply to do the work properly.

Lu Heng –

It goes without saying that “the room” (those participating in RIR processes) is not identical to the entire operator community.

But today, it remains the mechanism through which operator input is translated into coordinated, globally applied outcomes. It is open, accessible, and produces results that can be revisited and changed over time.

We’ve seen many changes over the years in both policy and governance, so it is clear that the operator community can indeed bring about change when there is sufficient support. By your own characterization, it is “a few dozen people in the room,” which means only modest additional engagement by the “real operator community” is needed when there is real interest in a change.

That’s why the conclusion is fairly straightforward: the lack of success indicates that there was insufficient support for your proposals within the operator community (whether on their merits or due to an inability to communicate their importance to that community.) 

To be clear, I don’t ascribe the desire for an alternative model for registry governance to some personal preference or margin material gain, but note it may simply be the natural consequence of past inability to achieve outcomes in the present system.

John, that conclusion does not follow. Failure to produce a result inside an incumbent ritual structure is not neutral evidence of insufficient support outside it. It may simply be evidence that the structure is insulated, that the threshold for translating outside support into inside consequence is high, and that the existing procedural class retains disproportionate control over scope, agenda, timing, and legitimacy language.

That is the part your formulation skips over. This is not a linear model in which one simply “brings more operators into the room” and results automatically follow. Bringing people into a narrow procedural structure is not the same thing as giving them effective force inside it, especially when that structure speaks an insider language, polices what counts as in scope, and has spent years personalizing, discrediting, and containing the challenge rather than neutrally measuring it. Numbers alone do not decide much if the mechanism translating numbers into outcomes is already tilted.

That is also why the seven-year record matters. The right comparison is not between one proposal and one vote. The right comparison is between the 2019 snapshot and the 2026 snapshot. In 2019, engagement was inside the system and reform-from-within was still treated as plausible. By 2026, influence, support, reach, resources, and institutional centrality are all visibly greater, not smaller. That is not what “inability to engage” looks like. It looks much more like a system that can absorb pressure procedurally while still failing to absorb it politically.

But that is still only secondary. The deeper point is that this discussion is drifting away from the subject of the article. Whether one person did or did not gather sufficient support inside the incumbent process is not the point. The article is not about me. It is about what happens when a system that borrowed legitimacy from running code begins using process, community language, and administrative power against running code itself.

That is why repeated focus on my past success or lack of success inside the present structure does not really answer the argument. Even if there had been no support for me at all, the legitimacy question would remain unchanged. A model does not become legitimate merely because it can block a critic inside its own ritual structure. And a model does not cease to be in running-code betrayal merely because the dissenter failed to capture enough of the room.

More importantly, this also smuggles in a second conceptual substitution. The question of whether the technical community should continue to support a structure that has exhausted its legitimacy is not the same question as my personal popularity. The question of whether operators should support a replacement is not the same question as whether they support me as an individual. Those are entirely different things. A structurally illegitimate model does not become legitimate because its critic is unpopular, and a structurally better replacement does not become invalid because support for it is mediated, partial, gradual, or not reducible to one person’s standing.

So the real issue is not whether enough of the existing room was captured. The real issue is whether the room should continue to be treated as the sole legitimate converter of operator sentiment into institutional consequence. Those are different questions. Your argument assumes they are the same. They are not.

In that sense, personalizing the discussion is itself revealing. Once the institution cannot comfortably defend the relationship between its present power and its original mandate, the discussion shifts from the model to the dissenter. The story becomes my support, my failure, my preferences, rather than the more important question: what exactly is being done to running code, and by what right?

That is why blocked outcomes inside the room are not proof that the wider community rejected the critique. They may simply be further evidence of the betrayal being described. Running-code betrayal is not a verdict on one person’s popularity. It is a description of what happens when a coordination layer starts treating live infrastructure as something to govern rather than something to serve.

The Internet number registry system is not an abstract structure that has “borrowed” legitimacy from running code – it is a set of five operational registries of Internet number resources, each administered by a Regional Internet Registry on behalf of its community. Those communities established their RIRs, participate in their policy development and governance, and utilize their registry services.

You frame this as a question of legitimacy, but legitimacy here is not abstract or self-declared. It arises from the community that established the system, continues to participate in it, governs it through its institutions, and relies on it operationally. There is no ambiguity regarding the legitimacy of each RIR’s administration of its respective registry, as these member-based organizations as the legal stewards who maintain those registries on behalf of their communities. If you are asserting a legal lack of legitimacy in that role, then that claim needs to be made explicitly and thoroughly supported.

I suspect what you actually mean by your “legitimacy” concern is that the RIRs are not responsive to the expectations of some participants, or perhaps that the RIRs are not upholding commitments made at founding. If the former, then I’m afraid that dissatisfaction with process dynamics or outcomes is not a valid basis for a claim of illegitimacy.

If indeed your argument is that an RIR is not upholding commitments made at its founding and thus violating the basis on which it was formed, then be clear and state the commitments to which you refer and how they’re not being upheld.

The operator community in each region organized and founded its respective RIR organization and supports it through ongoing participation, reliance, and governance – not from alignment with any hypothesized framing of “running code.” Recognize also that it is the RIR registry system that supports the actual operators and their networks, and overwhelmingly does so with nominal impact to the operational network. (Nominal does not mean zero impact – there are indeed circumstances where operator resources are reclaimed as the result of non-payment or fraud, and such is no different than what occurs with registries in other domains.)

Operators remain entirely free to configure their networks however they wish, but they overwhelmingly choose to participate because coordinated address management is what allows the Internet to function as a single, interoperable network. Hence, when you frame the issue as whether the system is acting “against” running code, if you mean they actual operational Internet then it is a fairly specious assertion – the Internet number registry operated by the RIRs does not override operational reality and running code – it instantiates the coordination of uniqueness that network operators rely upon globally.

John, this is helpful because it finally separates two different questions. No one is disputing that the RIRs are legally incorporated organizations that maintain registry databases and provide registry services. That is one kind of status. The article is about another question: technical legitimacy. A private coordination layer can be perfectly real in law and still drift beyond the role that made it tolerable to the technical community in the first place.

That is what “borrowed legitimacy from running code” means. It is not mystical. It is functional. The registry layer was tolerated because it served a narrow purpose: preserve uniqueness, maintain a common record, support continuity, and remain subordinate to the running network. A bookkeeper can lawfully keep a ledger without becoming sovereign over the world described in that ledger. A land registry can be valid without acquiring the right to determine all property destiny. Legal stewardship of a registry is not the same thing as lawful authority over already-running infrastructure.

Once that distinction is clear, the relevant commitments are clear as well. The model was tolerable so long as it remained thin, bounded in discretion, bottom-up in restraint, and limited to coordination rather than domination. That is exactly what comes under strain when a registry layer turns absence of permission into broad prohibition, uses recognition and record power against live resources on contestable grounds, narrows exit, or begins speaking as though regional process can itself authorize broader control over resource destiny. That is not merely policy development. It is mandate drift.

And this is where the absurdity becomes impossible to ignore. A handful of people in a room cannot decide the continuity conditions of a continent’s network resources and then claim that the mere openness of the room converts that power into legitimacy. If a few dozen participants can materially affect the connectivity conditions of millions of users, and then answer criticism with “the meeting was open, participation was available, those who did not join must live with the result,” that is not modest coordination. That is a private procedural class treating openness as a license for authority it never actually received.

Open meetings do not create sovereignty. Transparent minutes do not create a people. A fee-paying membership class does not become a public constituency merely because the word “community” is repeated often enough. That is precisely the mechanism described elsewhere as mandate laundering: a narrow coordinating role wrapped in ritual, regional rhetoric, and institutional myth until private power begins to look like public authority. A room becomes a supposed community. A mailing list becomes a supposed polity. A registry board begins to sound like a government.

If all that remained was thin bookkeeping, there would be much less to argue about. But once boards and staff begin to initiate, direct, authorize, assist, or normalize actions that seriously endanger live number resources, continuity, routing, or communications functionality, the category begins to change. At that point, this is no longer adequately described as mere policy disagreement. Communities do not deregister addresses. Communities do not sign letters. Legal entities do, through natural persons occupying identifiable roles. Titles do not dissolve exposure. They locate it.

That is also why the “nominal impact” line does not answer the problem. Most institutions look benign in normal operation. The real test comes at the edge cases that reveal their character. The question is not whether the RIR system usually sits quietly in the background. The question is what kind of power it claims when it does act, and whether that power remains consistent with the narrow function that justified it. A structure can have modest day-to-day impact and still become illegitimate if, at the critical moment, it uses administrative leverage against running code rather than in service of it.

Nor does operator dependence settle the matter. Yes, operators rely on coordinated uniqueness. That is precisely why restraint matters. Dependence on a common record does not prove that the keeper of that record may enlarge its mandate without limit. It proves the opposite: because the function is so central, the coordinating layer must remain especially thin, auditable, and constrained.

So the disagreement is not about whether the RIRs exist as legal entities, whether operators rely on them, or whether they maintain registry databases. The disagreement is whether those facts are enough to establish lawful authority for what they now claim to do. They are not. A process can be real, open, and longstanding and still act beyond mandate. A registry can be incorporated and still exceed its lawful authority, and in doing so lose the technical legitimacy the community once tolerated.

That is why the right formulation is not the crude one. It is not necessary to say that every contested registry act is already criminal. It is enough to say something more precise: the modern RIR problem is no longer confined to ordinary policy disagreement. A legal shell does not immunize conduct, and ritual language cannot supply lawful authority where mandate has been exceeded.（https://circleid.com/posts/mandate-laundering-from-rir-fantasy-to-transition-architecture）

That remains the point of the article. The issue is not whether the RIRs exist. The issue is whether a structure once tolerated as a narrow coordination layer has begun to use community language, process language, and administrative power in ways that are no longer subordinate to running code. That is running-code betrayal.

You’ve now framed the issue as a departure from a “tolerated” thin coordination role, defined by being bounded, subordinate, and limited to record-keeping. The difficulty is that these properties you propose are not founding commitments of the RIR system – they are retrospective assertions and subjective by their very nature. The RIR system emerged over nearly a decade and involved the work of hundreds of people; each would have their own perspective and therefore belief set on “the purpose of the RIR system.”

For example, you assert a constraint that RIRs had a mandate to be “bounded,” and yet this was never the case…  RIRs were not formed as narrowly constrained or purely passive entities; rather the role of serving as an RIR was given to existing organizations that were already in place, with established purposes and operations that made them suitable homes for such functions. (reference RFC 1366 [1992] which explicitly describes the delegation of the registration function to established regional organizations that are empowered to allocate resources, coordinate with the IANA and provide stable and reliable service. There is no notion that these existing organizations must maintain a narrowly bounded scope as result of serving as an RIR, and the awarding of a role to an existing organization could not bound it thusly unless quite explicit.

If one looks to subsequent formalization, the first set of criteria for an RIR, ICP-2 (“Criteria for Establishment of New Regional Internet Registries”) developed in 2001 by the operator community and adopted by the initial RIRs and ICANN, note that it explicitly defines RIRs as organizations with an active policy development and governance role, not a minimal or subordinate bookkeeping function. It goes further and makes clear that RIRs are not limited solely to registration activities, but may provide additional services including coordination and operational support.

You are, of course, entitled to your view of what the mandate of the RIR system ought to have been. But any such view is necessarily retrospective and interpretive. The documentary record of how the system was actually formed and defined provides the clearest expression of the RIR role, and neither aligns with your particular characterization of the mandate of the RIR system nor does it support assertions of “mandate drift.” 

The RIR system has had tens of thousands of network operators involved for more than three decades in the establishment and governance of each RIR’s mission and activities, and the documentary record of its mandate includes both greater scope and clear self-governance responsilibies that allows refinement of those over time.  I am afraid that takes precedence over your condemnation of the entire system based on any one particular assertion on how it should be scoped.

I want to be clear that my comments refuting any valid claim of “mandate laundering” should not be taken as opposition to exploring alternative mechanisms for realizing the purpose of the Internet number registry system. In fact (and I have said this on many occasions), it is both appropriate and healthy to examine all possible approaches to achieving that mission.
 
The priority must always be the mission itself – not the particular institutions or instantiations that realize it at any given point in time. If there are approaches that can better achieve that mission and are more broadly supported by the community, then they should be considered on their merits & regardless of the technical or organizational form they take.

(It is only undertaking such exploration on the faulty preconception that the present RIR system lacks legitimacy to which I must rise and respond…)

John, these two comments actually narrow the dispute in a useful way. If, as you now say, the mission matters more than any particular institution, then the real question is no longer whether the RIRs exist, or whether documentary records mention coordination, policy development, and operational support. The real question is whether the present form of the RIR system still fits the mission that justified it. On that point, citing RFC 1366 and ICP-2 does not do the work you want them to do.

RFC 1366 shows delegation of a registration function to established regional organizations. It does not show transfer of open-ended authority over resource destiny merely because those organizations already had broader corporate purposes. That is the key distinction. An existing organization can host a narrow delegated function without that function inheriting the full scope of whatever else the host organization might do. The same is true of ICP-2. Yes, it contemplates policy development, governance, coordination, and some additional services. But none of that proves a right to drift from coordination into broad discretionary control over already-running resources. “Active role” is not the same thing as unbounded role. “Operational support” is not the same thing as quasi-sovereign authority. The documentary record shows a registry and coordination function. It does not establish that a room may convert that function into broader power simply because the room has procedures.

That is why “retrospective and interpretive” is not an answer here. Of course interpretation is involved. It is involved on both sides. You are also interpreting the documentary record — only in a way that treats any mention of coordination, governance, or support as if it erased the need for outer limits. My point is narrower: the outer limit comes from the nature of the problem itself. Global uniqueness, common record, continuity, and auditability justify a thin coordinating layer. They do not justify turning a private registry structure into a continuing authority over geography, exit, and live infrastructure whenever process language can be assembled around the act.

And that is where your second comment is even more revealing. If the mission matters more than the institution, then the central question is whether the incumbent institution still remains faithful to that mission. That is precisely the question raised by “running-code betrayal.” It is not a faulty preconception. It is the issue. Once a structure that was tolerated as a coordination layer begins using process, community language, and administrative leverage in ways that are no longer subordinate to running code, then it is not enough to say the institution has history, procedures, and operator reliance. The mission-first principle cuts both ways. It justifies alternatives, yes — but it also requires scrutiny of whether the incumbent has drifted beyond the bounds that made it tolerable in the first place.

So the disagreement is not whether alternatives may be explored. On that point there is no real disagreement. The disagreement is whether the present RIR form should continue to enjoy a presumption of legitimacy while it is claiming powers far thicker than the function that justified it. That is where the documentary record, properly read, does not rescue the present model. It only confirms that coordination was delegated. It does not prove that authority was made limitless.

Lu Heng -

If I understand you correctly, you assert that there is an outer limit of authority on the RIRs that comes from the nature of the problem itself, i.e., that the coordination task being performed for uniqueness justifies certain necessary technical recordkeeping tasks, beyond which the RIRs are not engaged in legitimate registry management. That’s certainly true on a purely technical basis, i.e., the IPv4/IPv6/ASN number resources administered by the RIRs come from the general-purpose ranges defined by the IETF and have very specific technical formats and requirements. All of those details are laid out in RFCs, and the RIRs (and the IANA function performed by PTI/ICANN) are careful to comply with all such standards.

However, from your postings, it is clear that you believe in additional functional constraints on what constitutes “legitimate” Internet number registry management; that some additional functions beyond the purely technical constraints are proper and others are not. This appears to be the real source of confusion – and it’s not over a small point, it stems from a fundamental misunderstanding.

You acknowledged that the RIR Internet number registry coordination role in ICP-2 “contemplates policy development, governance, coordination, and some additional services,” which means you understand that the task of “legitimate” registry management can change over time. Such changes are going to involve policy development discussions and registry governance discussions by the respective RIR community, and it is equally obvious that the very act of registry management (when changes are occurring) can and will on occasion have various effects on already-issued number resources.

This leaves one wondering where these fixed “outer bounds” that you perceive on proper RIR registry management are. You make a distinction that might help us in perceiving them: “But none of that proves a right to drift from coordination into broad discretionary control over already-running resources.” Hmm… That seems rather reasonable; one would not expect an RIR performing registry management to engage in “broad discretionary control,” but rather to act according to community-developed and adopted policy.

It appears that we’re left with a conundrum: what should occur when an RIR engages in “broad discretionary control” over number resources beyond the remit of community policy? (Surely if the RIR is acting within the remit of community-developed policy, then that’s appropriate – for example, the RIR communities that have developed transfer policies since their inception allow their respective RIRs to process transfers, and this wouldn’t be possible if RIRs were under a “founding mandate” established decades earlier…)

There is a pretty clear answer as to what should be done when an RIR engages in broad discretionary control over number resources (outside adopted policy) – again, ICP-2 provides illumination, as it notes that each RIR should be member-governed organizations. Concerns about acts being outside of mission or policy are absolutely appropriate to raise within the RIR governance mechanisms, and I can attest that this does occur and can be quite effective. No matter how specific the founding documents are, there will always be determinations to be made on what constitutes proper registry management – whether with respect to policy implementation, services to be provided, etc. – there is no single oracle or czar who can make such determinations, and RIR governance provides the ICP-2-specified accountability to the community.

You appear to accept that community-developed policy and member-based governance provide the appropriate constraint when they prevent what you describe as “broad discretionary control.” Yet when those same mechanisms produce outcomes you disagree with, you assert that they are no longer sufficient, and instead invoke an external standard derived from your interpretation of “running code.” Alas, that leaves the system without any consistent or operational boundary – as the point at which governance ceases to be legitimate is no longer determined by the community, but by undefined and arbitrarily set criteria.

John, the confusion is not on my side. You are collapsing two different questions into one. One question is how a coordination function is governed within its proper scope. The other is who gets to determine the outer limit of that scope. My argument is that policy and governance can operate within a legitimate function, but they cannot, by themselves, create the legitimacy of that function or authorize its indefinite expansion.

That is why “running code” is not an arbitrary external theology. It is a reminder of what made this layer tolerable in the first place. The number registry exists to preserve uniqueness, maintain a common record, support continuity, and remain subordinate to the live network. Those are not subjective aesthetic preferences. They are functional constraints arising from the nature of the problem itself.

So yes, policy can evolve. Procedures can evolve. Services can evolve. But evolution *within* a function is not the same thing as expansion *of* the function. A land registry may refine how it records title. That does not make it a court of general jurisdiction over all property disputes. A bookkeeper may improve the ledger. That does not make the bookkeeper sovereign over the world described in the ledger.

That is the boundary you keep trying to dissolve. Once you say that open process and community-developed policy can define the outer limit of the registry’s own authority, there is no limiting principle left except the self-restraint of those already inside the room. At that point, “community governance” stops being a constraint on power and becomes the mechanism by which power enlarges itself.

Nor is the boundary undefined. It is actually quite concrete. The thin uniqueness layer is for common record, provenance, ordering, validity, continuity, and the minimum conflict rules necessary for interoperability. What it is not for is becoming the standing authority over ownership, political geography, exit, sanctions, general commercial disputes, or every consequential question touching already-issued resources. Those are not registry questions merely because they happen to involve registry objects.

That is why there is no inconsistency in saying community-developed policy is legitimate when it constrains broad discretion within a narrow coordinating role, but not when it is used to justify enlargement of that role itself. Policy can regulate a mandate. It cannot conjure the mandate’s outer boundary out of itself. If it could, any sufficiently persistent committee could eventually authorize itself into a larger ontology.

So the issue is not whether there is “a single oracle or czar.” None is needed. The issue is whether a private coordination process may treat itself as the ultimate author of its own scope. My answer is no. Once it claims that power, the problem is no longer ordinary governance. It is mandate laundering. And once that laundering is used to place process above the running network it was supposed to serve, that is running-code betrayal.

Lu Heng -

You’ve now made the distinction clear: policy and governance may operate within a function, but cannot define the outer limit of that function –  I got it.

The difficulty is that a boundary without a mechanism for determining and applying it is not a meaningful operational constraint.

You describe the boundary as arising from the nature of coordination itself and list categories that fall outside it. But who determines when a particular action crosses that line, and on what basis? In practice, that determination has to be made somewhere. If it is not made through community-developed policy and governance, then it is being made through individual interpretation of what “running code” permits.

That is a rather serious gap in your model. The registry functions you describe – allocation, maintaining an authoritative record, transfer processing, and enforcement of conditions – inherently affect how resources are held and used. Those are not optional additions; they are necessary to coordinate uniqueness in a shared system. The scope of those functions has evolved over time precisely because the system they serve has evolved.

So the question is not whether there should be limits. There clearly are. The question is how those limits are determined and applied in practice. Today, that is done through community policy and governance – a clearly defined mechanism that accountable to the community and specified in ICP-2.

Your formulation replaces that with some hypotheticated external boundary that has no referencable definition, no defined process, offers no path for accountability to the community and no way to resolve disagreement about its definition other than by assertion. 

John, no one said a boundary enforces itself. Of course mechanisms are needed. The mistake is to assume that because a mechanism is needed, the existing registry process may therefore define the outer limit of its own authority. Those are different questions. A process may apply a boundary. It does not follow that the same process may author that boundary for itself.

That is the circularity that remains unresolved. You keep moving from “somebody must decide” to “therefore community policy and governance define the scope of legitimate registry management.” But the second does not follow from the first. Courts exist, but that does not mean a land registry writes property law for itself. Contract disputes exist, but that does not mean the bookkeeper becomes the court of general jurisdiction. The existence of adjudication does not dissolve the distinction between a narrow function and a broader power.

Nor is the alternative “individual interpretation of what running code permits.” That is a caricature. The point is that the outer boundary comes from the nature of the function and should be operationalized through multiple constrained layers, not laundered upward into one self-defining ritual class. The thin uniqueness layer can be constrained by objective record rules, protocol, public audit, and explicit software behavior. Ownership and contract disputes go to courts. Sanctions and coercion go to states. Fraud goes to ordinary law, except for the narrowest objective proofs necessary to preserve the integrity of the common record. The answer is not “no mechanism.” The answer is “the registry layer is not entitled to become the universal mechanism.”

That is why allocation, authoritative record, transfer processing, and enforcement of clearly adopted conditions do not prove your point. They show that the registry has a real function. They do not show that the registry may define the outer limit of that function for itself. A function can evolve without changing kind. A bookkeeper may modernize the ledger without becoming sovereign over everything described in it.

And that is the core issue. The problem is not whether there should be limits. We agree that there should. The problem is whether the same process that benefits from institutional expansion should also be treated as the final authority on where its own expansion stops. If the answer is yes, then there is no meaningful outer limit at all—only self-restraint by those already inside the room. That is not a constitutional boundary. It is a procedural hope.

So this is still the same point. Governance can operate within a legitimate function. It cannot, by itself, legitimate indefinite enlargement of that function. Once the process claims the right to define its own outer limit, the issue is no longer mere coordination. It is self-authorizing power. That is exactly the drift the article is describing.

Lu Heng -

You note that a registry should not become a court or a sovereign authority, and that different layers handle different aspects of the system – courts for disputes, states for sanctions, and the registry for maintaining the common record and applying objective rules. That’s a reasonable description, and I fully agree.

But that is also how the current system operates – I have not asserted that the RIRs have the final say in all matters, rather that the RIRs perform registry management and administration under community-developed policy.

The RIRs are also member-governed organizations operating under incorporation law. They enter into agreements with their customers that are enforceable under applicable law. Questions about ownership, contract disputes, and fraud ultimately fall to courts. Sanctions and governmental policy come from states and are respected as such.

In other words, the “multiple constrained layers” you describe are not an alternative to the current model – they are the current model. However, none of those parties determines the scope of RIR activities so long as they are in conformance with law – that is left to the community, through the RIR governance mechanisms, to decide. It is quite straightforward and accountable, and there is no circularity – the RIR system operates within clear legal limits, just like all other organizations.

John, to follow my last comment and directly answer your question: no single actor defines the outer limit. The boundary is not politically authored by one room. It is derived as the intersection of multiple constraint layers.

First, protocol and interoperability define what this layer is for: uniqueness, common record, continuity, and the minimum validation necessary for shared operation.

Second, ordinary law and public law define what this layer is not for: ownership, contracts, sanctions, general commercial disputes, and broad discretionary control do not become registry questions merely because registry objects are involved.

Third, external review and actual adoption determine whether that boundary is sustained in practice. The same room does not get to act and then certify itself innocent. Courts and independent audit provide ex post review. But unlike today’s model, the future thin layer would also give participants a real choice over whether to accept a proposed rule set. Actual node and operator adoption determine which rules become real. In that sense, the effective boundary is not set by ritual inside a room, but by whether independent participants are willing to run, validate, and adopt the thin rules in the live system. That is much closer to how the network already works at lower layers: participants decide who to connect to, what to run, and what to route.

So the answer is not “here is a new sovereign who defines the line.” The line is derived from the problem itself and constrained from multiple sides. What properly belongs to the registry layer is what survives that intersection. What does not survive it belongs somewhere else.

That is exactly why the registry room cannot be both the actor and the final judge of its own outer limit. A mechanism may administer within a boundary. It may not author the boundary and then treat its own procedures as proof that it stayed within it.

That is also why this remains a technical question before it becomes a political one: function is derived, not voted into being. Overreach is tested, not self-certified. And that is precisely why a thinner architecture is more attractive here. It is not only more restrained. It is more mathematically and technically elegant.

As I noted, the RIRs are not “the actor and the final judge of its own outer limit”  Please read what I wrote before replying -

The RIRs are member-governed organizations operating under incorporation law. They enter into agreements with their customers that are enforceable under applicable law. Questions about ownership, contract disputes, and fraud ultimately fall to courts. Sanctions and governmental policy come from states and are respected as such.
In other words, the “multiple constrained layers” you describe are not an alternative to the current model – they are the current model.

However, none of those parties determines the scope of RIR activities so long as they are in conformance with law – that is left to the community, through the RIR governance mechanisms, to decide. It is quite straightforward and accountable, and there is no circularity – the RIR system operates within clear legal limits, just like all other organizations.

Are you suggesting that for some reason the RIRs should not be able operate just as any other membership association?  If that’s the case, then state it clear and explain the reason why… 

It would nice if you would actually explain the basis for hypthosized “Boundary”, as referencing legal structures and states as justification for your “Boundary”  is specious given that the RIRs comply with those bounds.

John, that is exactly where the disagreement now becomes clear. The fact that courts, contract law, and states exist in the background does not mean the current RIR model already embodies the layered constraint I described. It only means there are external brakes available when things go badly enough. That is not the same thing as saying the registry layer is internally bounded by function. The layered model is stricter: the thin uniqueness layer is bounded before the question reaches general legality. Its role is limited by function — uniqueness, common record, continuity, and the minimum validation necessary for interoperability. It is not a general administrative domain that may expand until a court eventually tells it to stop. 

Your formulation still leaves the crucial step untouched. You say ownership, sanctions, fraud, and contract disputes ultimately belong to courts or states, but that the scope of RIR activities, so long as lawful, is left to the community to decide through RIR governance. That is precisely the circularity. If the room gets to define the scope of its own activities up to the outer edge of whatever the law has not yet prohibited, then the room is still authoring its own mandate. Courts become an emergency brake, not a constitutional boundary. That is not a thin coordination layer staying in its lane. It is mandate drift with external brakes. 

And this is exactly why “within the law” is already much harder to say than your reply suggests. The public record is not of a calm member-governed corporation operating with ordinary legal regularity. AFRINIC itself later acknowledged that it had been operating without a quorate board since 2022 and that between September 2023 and October 2024 it was under the management of expired directors and registered members. The Court of Civil Appeal then held in October 2024 that Benjamin Eshun’s directorship had expired, that he lacked the status of a director when the appeal was lodged, and the appeal was set aside. That is not a reassuring example of “all of this remains clearly within law.” It is evidence that even the ordinary corporate and procedural footing of the institution has been under strain. 

That is why the existence of multiple legal layers around the registry does not prove that the registry’s own scope is already properly constrained. It only proves that the registry does not operate in a vacuum. The real question remains whether the registry layer is bounded by the nature of the coordination problem itself, or whether it is still treating “community process” as authority to enlarge its own remit until someone outside the room forces a correction. If the latter, then the model is not meaningfully bounded by function at all. It is bounded only by eventual litigation and public-law intervention. 

That is also why the “nominal impact” line does not answer the problem. Most institutions look benign in normal operation. The real test comes at the edge cases that reveal their character. The question is not whether the RIR system usually sits quietly in the background. The question is what kind of power it claims when it does act, and whether that power remains consistent with the narrow function that justified it. A structure can have modest day-to-day impact and still become illegitimate if, at the critical moment, it uses administrative leverage against running code rather than in service of it. And once a private legal shell begins wrapping that leverage in ritual language until it looks like regional public authority, that is no longer ordinary governance. That is the mandate-laundering problem. 

So no, the issue is not whether RIRs exist as corporations, whether operators rely on them, or whether courts remain available in the background. The issue is whether those facts are enough to establish lawful authority for what the institutions now claim to do. They are not. A legal shell does not immunize conduct. Titles do not dissolve exposure. And the more a thin coordination role is inflated into a quasi-sovereign one, the weaker the “we are just another corporation subject to law” defense becomes. That is exactly why I described the present structure as mandate laundering: private power goes in, quasi-public authority comes out. 

That remains the point of the article. The issue is not whether the RIRs are subject to law in the abstract. The issue is whether they are still subject to the narrower functional discipline that made them tolerable to the technical community in the first place. That is running-code betrayal. If you want the fuller argument, it is already set out in Mandate Laundering: From RIR Fantasy to Transition Architecture.  （https://circleid.com/posts/mandate-laundering-from-rir-fantasy-to-transition-architecture）

Lu Heng -

All organizations operate within the law. RIR membership organizations are no different. If they violate the law, there are courts and other remedies available.

The RIRs’ mandate is given by their governing documents, their contractual relationships, and the legal frameworks under which they operate. Yet you are asserting that RIR membership organizations are not operating in a “functionally legitimate” manner even when acting within those bounds.

So again, I have to ask: what is the basis for your proposed “boundary”? Why should such a constraint apply uniquely to RIRs, but not to other membership organizations operating lawfully within their defined scope?

Despite your repeated characterization, the RIRs do not assert “quasi-sovereignty.” They assert the ability to manage their respective portions of the registry in accordance with law, community-developed policy, and their governing structures – no more and no less.

John, the distinction you are drawing is precisely the issue. No one disputes that RIRs are incorporated entities, enter into contracts, and operate within legal frameworks. That is baseline reality for any organization. But that answers only the question of existence. It does not answer the question of scope.

You say courts, contracts, and states sit outside, and that within those bounds the “community” defines the scope of RIR activity. That is exactly the circularity. If the same process both exercises power and defines the scope of that power — up to the edge of what has not yet been declared unlawful — then the process is still authoring its own mandate. External law becomes a backstop, not a boundary.

That is not the layered model I described. The layered model constrains the registry before it reaches general legality. The boundary comes from function: uniqueness, common record, continuity, and minimal interoperability rules. That defines what the registry is for. Everything else — ownership, contracts, sanctions, and broad discretionary control — is outside that layer, regardless of whether a membership process would like to expand into it.

This is also why treating RIRs as “just another membership association” is not sufficient. Most membership associations do not sit on a global coordination layer with network-wide externalities and dependency. A chess club can expand its rules without affecting the world. A registry layer cannot. The combination of centrality and path dependence is exactly why the mandate must remain narrow. The more critical the function, the thinner the acceptable authority.

And this is where the running-code issue returns with full force. Once a registry layer is willing to endanger large live infrastructure, and once the broader institutional system is willing to stand behind that decision even where the policy basis is thin, contestable, or absent, the problem is no longer well described as ordinary governance disagreement. It becomes evidence of a structure that has drifted toward something far more serious. For a function this central, “we are incorporated” and “we have a process” are nowhere near enough. If bare legality is the defense, the bar is already too low. And even that defense is unstable when the public record shows governance breakdown, contested authority, and actions taken under highly questionable institutional footing.

So the disagreement is not whether RIRs can lawfully exist or operate. They can. The disagreement is whether legal compliance plus internal process is enough to justify the scope of authority now being exercised. It is not. A legal shell does not immunize conduct, and ritual language cannot supply lawful authority where mandate has been exceeded.

The boundary is not “hypothesized.” It is derived from the coordination problem itself and constrained by layers outside the control of the registry process. The registry can operate within that boundary. It cannot define that boundary for itself and then call that self-definition accountability.

That is the point. Once a structure tolerated as a thin coordination layer begins using process, community language, and administrative power in ways no longer subordinate to running code, the issue is no longer merely whether it exists in law. The issue is that it has entered running-code betrayal.

Lu Heng -

You point to your article “Mandate Laundering: From RIR Fantasy to Transition Architecture”, noting that it provides a fuller argument that the RIR system should be constrained by a “narrower functional discipline” – the difficulty is that the article does not actually establish why such a constraint applies to RIRs in the first place, nor why it should apply uniquely to them compared to other member-based organizations. 

Again, RIRs are member-governed organizations operating lawfully within their defined scope, like many other coordination bodies. Do you have any basis for asserting that they are subject to a special, externally derived “functional boundary” that does not apply to other membership organizations?

Or is it that you feel that RIRs ** should be ** constrained by a “functional boundary”?  Your most recently response also seems to waffle, suggesting that there should be more than just legal constraint given the “scope of authority now being exercised. “

As you are aware, there is a major difference between asserting that they presently are subject to such a boundary (and apparently failing, in your view) versus asserting that RIRs should be subject to some form of “functional boundary”. The former requires a clear explanation of origin and basis – something you’ve failed to provide to date. The latter is certainly a much more interesting discussion; it does require understanding the basis for its necessity, but then moves into how such a boundary would be defined, applied, and enforced in practice.

At present, your argument appears to move between these two positions without establishing either. If the claim is that such a boundary already exists, then it needs to be grounded in the actual formation and governing framework of the RIR system. If instead the claim is normative – that such a boundary should exist – then the discussion shifts to what problem it solves and how it should be instantiated.

Absent clarity as why such a constraint applies to RIRs in the first place, the “functional boundary” you reference remains an assertion rather than a reality.

I’ve been rereading your posts in order to get clarity on what you are trying to communicate (as all contributions are important in collaboration but clarity is essential to ensure full consideration).

Your use of terms like “running-code betrayal,” “role inflation,” and “overreach” implies that there is no clear, binding boundary presently constraining the scope of RIR activity – i.e. if such a boundary were clearly defined and enforced, these events would be readily identifiable violations of it, not issues of subjective interpretation.

Perhaps what you’ve been trying to say is that there should have been (back in ICP-2 formation days) a specifically defined functional limit on what constitutes proper RIR registry operations – i.e., limited to the specific tasks necessary for global uniqueness, common records, auditability, and continuity?

Is that a fair characterization of the “bounded mandate” that you believe existed – implicitly – even if not specified in the formative documents?

John, there are two separate issues in your reply that need to be addressed directly.

First, the idea that “law is the boundary” and therefore anything short of illegality is acceptable. That is not a meaningful limit for a coordination layer of this kind. But more importantly, even that baseline is no longer as clear as your reply suggests. The recent AFRINIC record does not reflect a system operating with routine legal clarity. Governance breakdown, questions around authority, and actions taken under contested footing already make it difficult to treat “within the law” as a settled premise.

More fundamentally, even if legal compliance were perfectly intact, it would still be insufficient. A coordination layer that sits at the core of global Internet functionality cannot be justified on the theory that “anything not yet declared unlawful is acceptable.” That is far too low a bar. Law is a floor. It is not a mandate.

Second, on the question of boundary: the absence of an explicit clause in historical documents does not mean the boundary does not exist. The boundary is not created by text. It is derived from function.

The registry layer exists to solve a narrow technical coordination problem: uniqueness, common record, continuity, and minimal interoperability constraints. That definition already implies limits. It does not need an additional sentence stating that it is not a political authority, not a general dispute resolver, and not a discretionary controller of already-running infrastructure. Those are not optional constraints. They are inherent in the nature of the function itself.

In other words, the boundary was never meant to be politically authored. It was meant to be technically implied. The mistake was not that it did not exist. The mistake was allowing a system to evolve as if that implied boundary could be expanded by process alone.

That is why the current argument becomes untenable. It effectively says: if the documents do not explicitly forbid expansion, and if the process is open, then the system may grow its mandate up to whatever point external law eventually constrains it. That is not a coordination model. That is a private structure treating absence of prohibition as authorization.

And that is exactly the problem of letting the referee write the rulebook while officiating the game. A room cannot derive its own outer limit from its own process. A registry cannot claim authority simply because no one wrote down every possible way it should not behave. Those constraints were always assumed, because they were obvious consequences of the function.

So the issue is not that a boundary was “never written.” The issue is that the system is now behaving as if anything not explicitly prohibited must be permitted, even when it moves far beyond the role that justified its existence in the first place. But that logic belongs to private freedom, not to high-consequence authority. The greater the power and the greater the downstream consequence, the more the logic should invert: not “whatever is not forbidden is allowed,” but “whatever is not clearly authorized is out of bounds.” That is how serious public power is supposed to work. And once a coordination layer starts claiming powers with public-like consequences, it cannot ask to be judged by the looser standard of ordinary private discretion.

That is why this is not just policy disagreement. It is running-code betrayal.

Lu Heng -

You’re right that “within the law” is not a sufficient boundary. No one is arguing that legality alone defines legitimacy.

Where we differ is on where the boundary comes from, and how it is maintained in practice.

You describe the boundary as inherent in the function – a narrow coordination role that exists independent of process and cannot be expanded by it. That’s a coherent position. The difficulty is not the premise, but the absence of a mechanism for applying it over time.

Once you move beyond a static description – uniqueness, common record, continuity – the question becomes unavoidable: how are those applied in practice? Who makes that determination, and are they accountable to the community being served?

Calling the boundary “technically implied” does not make it operational. The moment a specific case arises, there still has to be a decision about whether a given action falls inside or outside that boundary.

This is the major failing of any purported “derived from function” boundary.

In the current system, that boundary is not established by implication alone, nor by the organization itself. It is carried out through community-based oversight. Each community elects its governing body and holds it accountable for execution of the mandate.  Failure to faithfully carried out the mandate results in failure to be reelected or recall.  That is how scope is enforced in practice. The registry does not set its own boundary – it operates under continuous accountability to the community it serves.

For that reason, the system does not operate on “anything not forbidden is allowed.” It operates under ongoing community oversight of mandate execution. That is a materially higher bar than the absence of prohibition, and it places the constraint with those who rely on the system and can hold its leadership to account through elections and recall provisions.

Your alternative suggests that authority must be explicitly authorized in advance, but it does not identify who translates that mandate into enforceable terms, who applies those terms in contested cases, or how those terms evolve as conditions change. Without a mechanism for application, no boundary or limit can actually be made operational.

We agree that a coordination system requires a boundary and a means of enforcing it. The remaining question is how that is done. In the RIR system, that boundary is maintained not by implication alone, but through ongoing, community-based oversight of those responsible for carrying out the function.

John,

Your reply actually reinforces the central point of my article.

The moment you argue that a boundary is real only if some institutional mechanism can define and apply it over time, you have already shifted from thin coordination to open-ended governance. That is exactly the betrayal I was describing. Running code no longer disciplines the room. The room disciplines running code.

A narrow coordination layer was only ever tolerated because it was supposed to remain subordinate to operational reality: uniqueness, common record, continuity, and restraint. The moment procedure, policy process, elections, or “community oversight” are invoked to justify discretionary power over already-running infrastructure, the source of technical legitimacy has already been reversed.

This is why elections and recall do not solve the real problem. They may change who occupies the office. They do not define the outer limit of what that office is entitled to do. A mechanism for replacing managers is not the same thing as a constitutional limit on institutional power. Once the mechanism is allowed to define the limit, the limit is gone.

And this is also why the problem is structural, not incidental. As I argued in my earlier piece, registry power now sits at a high-consequence recognition chokepoint while liability remains trivial. That means the incentive structure is wrong from the start. A system like that is not designed to reliably prevent bad actors. It is bad-actor-compatible by design. It makes abuse survivable, mediocrity tolerable, and institutional self-protection rational.

So when you say the answer is “the community,” you are not identifying an external check on the system. You are pointing back into the same loop: the same process class, the same institutional machinery, the same legitimating vocabulary, and the same low-liability structure that created the problem. That is not a cure. It is circularity.

That is why I do not see this as a fixable edge-case or a temporary governance defect. I see it as a legitimacy failure built into the model itself. A system that borrowed authority from running code, then turned consensus, policy process, and administrative discretion against running code, has already spent the only legitimacy it ever had. At that point, “community” is not a safeguard. It is rhetoric used to launder power without responsibility.

[1]: https://circleid.com/posts/running-code-betrayal-how-the-rir-system-turned-consensus-against-the-technical-community “Running-Code Betrayal: How the RIR System Turned Consensus Against the Technical Community”

Lu Heng –

You’ve now moved to a more elusive position.  You’re no longer saying that the mechanisms are flawed – you’re saying any mechanism that defines or applies the boundary is itself illegitimate.

That creates a problem – if no mechanism is allowed to apply the boundary for scope, then how is it applied at all when there’s disagreement?

Describing the boundary in principle is not the issue. The issue is what happens when a specific case arises and reasonable people disagree about whether something is inside or outside that “thin” role. At that point, someone has to decide, and that requires some shared means of making that determination.

If no mechanism is acceptable, then the boundary exists only as interpretation, not as something that can be applied in practice.

That brings us back to the same question that you’ve repeatedly avoided answering:  How is the boundary you describe actually applied when it matters?

John,

You are still missing the point.

My argument is not that no mechanism can apply a boundary. My argument is that the same group cannot write the policy, enforce the policy, and then also decide how far its own mandate extends. That is the real issue here.

A land registry is a simple example. It records title. It does not decide ownership disputes by itself. That is not because the boundary is unclear. It is because the registry is not supposed to be the lawmaker, the executive, and the judge at the same time. That is basic separation of power.

But that is exactly the problem with the RIR system. The same institutional class makes policy, applies policy, and then claims the power to say what its own role is allowed to be. So when a hard case appears, the answer becomes: the same room that benefits from more discretion will also decide whether it is entitled to more discretion. That is not a real boundary. That is self-authorization.

A simple outsider example makes the absurdity obvious. Imagine a company where management writes the staff rules, punishes employees under those rules, and then also decides for itself what management is allowed to do. Nobody would call that accountability. Or imagine a referee who enforces the rules, rewrites the rules during the match, and then declares that he was allowed to do so because he was the referee. That is not governance. That is power talking to itself.

And this is exactly why the RIR system has lost legitimacy. The problem is not just bad outcomes in a few cases. The problem is that the system itself is a failed design. It was effectively a beta system from an earlier Internet era, never designed to carry this level of economic weight or to sit over today’s critical infrastructure. Its institutional code is too old, too compromised, and too structurally corrupt for patching to solve the problem. Rebuilding is the answer.

That is also why the running-code betrayal was not an accident. It was built into the design from day one. Once you create a registry layer with high-consequence power, weak liability, and no real separation between defining scope, applying rules, and judging the limits of its own authority, the result is predictable. So no, the question is not whether a boundary needs a mechanism. The question is whether the mechanism is allowed to become the author of its own boundary. Once that happens, the boundary is gone, and legitimacy goes with it.

Lu Heng –

You’ve said the question is not whether a boundary needs a mechanism, but rather whether the mechanism is allowed to become the author of its own boundary.

That’s clarified, and I understand the concern you’re raising about the separation of roles. I consider the electorate and the organization to be distinct, and I believe that an entity can be governed by its electorate. That form of participatory self-governance works successfully for thousands of corporations, standards organizations, membership organizations, and even governments, so we should probably simply recognize that we disagree on this point.

You don’t dispute that a boundary on the scope of a system requires a mechanism for its application – but when it comes to the Internet number registry system, you’ve ruled out self-governance as not being a legitimate mechanism, asserting instead that it must be provided by some other mechanism.

You’ve suggested that this can be addressed by pushing more of the boundary into architecture, stating earlier: “It needs to maintain a common, auditable substrate on which interoperability depends. That substrate can be carried by a distributed ledger with independent validating nodes, public auditability, transparent rule sets, and visible software behavior.”

But that still doesn’t answer the question I’ve now posed several times, and which you’ve avoided answering each time: how does this mechanism actually get defined?

Those rules still have to be defined. The thresholds for validation and adoption still have to be determined. The system still has to evolve over time, which means there must be a way to introduce changes and determine when they take effect. Even in a distributed or protocol-based system, those functions do not disappear. They are decisions about what the system is and how it operates.

So governance is not eliminated – it is relocated. Embedding it in software or protocol does not remove decision-making; it simply moves it and makes it less visible.

And that brings us back to the same question:

What is the mechanism in your model that defines those rules, updates them, and determines their adoption when there is disagreement? You assert that the system should have public auditability – shouldn’t that start with an actual answer about how this alternative will be defined? How is the operator community supposed to assess this proposed “improvement” without any visibility or transparency on its actual definition?

John,

You keep asking me to find the solution inside the RIR system, but that is exactly why you cannot see the answer. It is normal that you cannot find a solution there, because the system itself is the problem.

My point is not that rules disappear, or that no mechanism may exist. My point is that the same institutional class cannot write the rules, enforce the rules, and then also decide how far its own mandate extends. Once that happens, there is no real boundary left. There is only power talking to itself.

That is why “Running-Code Betrayal” matters. The original legitimacy of Internet coordination came from serving working systems, preserving interoperability, and keeping the coordination layer thin. But the RIR model drifted in the opposite direction: instead of a narrow recognition and registry function, it evolved into a discretionary governance structure sitting above already-running infrastructure. At that point, the system stopped protecting running code and started subjecting running code to institutional will. That betrayal was not a strange accident. It was the predictable result of a design that never cleanly separated coordination from governance, registry from authority, or administration from constitutional self-expansion.

That is also why the answer is not more discussion inside the same room, better wording, or cleaner internal ritual. This design was effectively a beta system from an earlier Internet era. It was never built to sit over infrastructure with massive economic weight and global operational consequence. Its institutional code is too old and too structurally compromised for patching to solve the problem. You are asking the failed design to generate the rule that proves it was not a failed design. It cannot do that.

My model is narrower and harder. The common substrate should be carried by a distributed ledger with independent validating nodes, public auditability, transparent rule sets, and visible software behavior. Changes do not become live because a board approves them, a policy room debates them, or an institution declares them legitimate. They become live only through independent node adoption and objective activation. No one rules the registry by talking.

The software example is simple. A developer can publish version 2.0. That does not make version 2.0 the rule for everyone else. If nobody installs it, it is irrelevant. If enough independent operators install it, it becomes the live rule. The author is not sovereign. Adoption is the decision.

And the network already works like this. You decide who you connect to. You decide what software you run. You decide what version to adopt. You decide what routes to accept. The network does not come alive because one institution declares a change valid. It comes alive because independent operators actually adopt behavior across the edges. That is how real Internet coordination already works. My point is to move the recognition layer closer to that logic, not farther away from it.

Everything else belongs elsewhere. Ownership disputes belong to courts. Contract disputes belong to contract law. Sanctions belong to states. Fraud belongs to ordinary law, with only the narrowest objective proofs touching the registry substrate. The uniqueness layer should maintain a common auditable state. It should not also be the lawmaker, the executive, and the judge.

So when you ask me for a solution “within” the RIR system, the answer is simple: there is no durable solution there, and that is exactly what one should expect. The system cannot defeat my argument because to do so it would have to retreat into a thinner, weaker, more mechanical role than the one it has already claimed for itself. It would have to stop being what it became.

That is why patching is theater. Rebuild is the answer.

John, just in case you are so attached to today’s institutions that the answer still seems obscure, let me help you: each operator decides for itself. There is no need for a central authority to decide anything at the registration layer beyond maintaining a common auditable record. The network already works this way. You are free to misconfigure your routers, run bad software, or attack others. That is not a failure of the network, and it does not justify turning the registry into a sovereign. The consequence is simply that others may stop connecting with you, filter you, or route around you, and if you break the law, the police may arrest you. That is exactly the point: technical coordination does not require open-ended central discretion. It requires a shared substrate, visible rules, and independent adoption on what one agrees, Everything else belongs elsewhere.

Lu Heng –

I’m not asking for a solution “within the RIR system.” I’m asking you to describe the mechanism in what you are proposing. You are quite vocal about your concerns with the present RIR system and hypothesize a better way to accomplish the function.

You describe a distributed ledger with independent validating nodes, “visible rules,” and activation through “independent adoption.”

Those initial rules will embed quite a bit of decision-making in the algorithms themselves, so what are the initial rules and thresholds? How will they be defined? Proposing to encode decision algorithms in software doesn’t eliminate governance, but it does make it much less apparent.

You propose public auditability, but that requires transparency – something you are clearly not providing.

This is why your assertions of a better solution for the number registry function presently ring hollow; they are impossible to evaluate when you omit actual details of the architecture being proposed and its distributed decision-making algorithms/thresholds.

John,

You are still confusing three different things.

First, in my model there is no centralized decision-maker at the registration layer. People can write code. People can publish an update. But publishing is not ruling. Nothing becomes live because a board approves it or a room discusses it. It becomes live only if independent nodes actually adopt it. That is the mechanism.

Second, you keep mixing up two very different questions: the initial design of a thinner replacement system, and later scope expansion by the operator itself. Those are not the same thing. Of course the initial redesign requires technical specification. I have never denied that. But that is exactly why it is different from the current RIR problem. My objection is not that no design decision is ever needed. My objection is that the same institutional class cannot keep expanding its own mandate from inside the system it already controls. And because the RIR system is a failed design, the point of trying a second time is to learn from the mistakes I outlined in my seven articles. The very purpose of those seven articles is to spark discussion of a new design.

Third, you keep acting as if “no complete replacement specification has been published in this comment thread” somehow means the present RIR system remains legitimate. That is absurd. A failed bridge does not become sound because the new bridge is not finished yet. A broken constitutional design does not recover legitimacy because its replacement is still being written.

Public auditability does not mean I owe you a finished constitution in a comment box. It means the live system should have visible code, visible state, visible activation rules, and visible behavior. Those things are auditable once implemented. They do not require a central authority to govern the recognition layer.

And the network already works this way. Each operator decides what software to run, what version to adopt, who to connect to, and what routes to accept. If someone misconfigures routers, runs bad software, or attacks others, that does not justify turning the registry into a sovereign. Others may stop connecting, filter the traffic, route around it, or, if the law is broken, the police may act. That is exactly the point: the network does not need a priesthood at the registration layer.

So no, the absence of a finished replacement does not save the current system. It only shows that rebuilding a failed design takes work. The present RIR system lost legitimacy because it turned a thin coordination layer into a body that makes policy, applies policy, and then claims the power to define the scope of its own power. That is the defect. And no amount of demanding a full replacement blueprint changes that.

Lu Heng –

You state that I “keep acting as if ‘no complete replacement specification has been published in this comment thread’ somehow means the present RIR system remains legitimate.”

That is not my position, and it materially mischaracterizes what I’ve said. I am not arguing that the absence of a replacement validates the current system.

Earlier, you specifically said that the RIR model was “tolerable” “so long as it remained thin, bounded in discretion, bottom-up in restraint, and limited to coordination.” That framing treats the issue as one of maintaining bounds in practice, and I do agree that this is a valid concern.

You have now shifted to asserting that the RIR model is structurally invalid – that’s the unproven assertion that you use as an argument for why it must be replaced entirely by your new scheme.

My position is that participatory self-governance is quite capable of being bottom-up, accountable to the community, and bounded by its own determination of the appropriate limits of discretion. I’ll be the first to acknowledge that doing so takes significant work and happens to varying degrees in the present RIR system, but it does happen – and will occur in a more consistent manner when the community’s work on an updated ICP-2 / RIR Governance framework is completed later this year [1], which will significantly enhance the community’s ability to ensure that the system remains focused on and operates within its mandate. Community-based self-governance is not automatically perfect, but I do believe – as you earlier said – that it can be tolerable if it operates with reasonable discretion and constraint.

However, now your argument against the legitimacy of the RIR system is based on the assertion that an institution is not legitimate if it defines its own scope of activities. This is a very strong assertion, and as I noted, I fundamentally disagree, since it effectively precludes all forms of self-governance.

You fail to acknowledge the distinction between the electorate and the organization, and yet this distinction is essential, as it allows participatory self-governance to function successfully across thousands of corporations, standards organizations, membership organizations, and even governments – organizations with a wide range of scope, authority, and mandate. The organization does not govern itself; it has an electorate that provides the oversight.

Your present and much stronger assertion is that participatory self-governance – which does function effectively across a wide variety of institutions – is inherently invalid in the specific case of the Internet number registry system, and that avoiding what you describe as “running-code betrayal” requires replacing it with a fundamentally different architectural model.

That is an extraordinary claim given the abundance of successful self-governed organizations. It is not self-evident, and it has not been demonstrated.

You have not proven that participatory self-governance cannot provide effective constraint for the RIR system. You have not demonstrated that your proposed alternative can do so. And you have not defined that alternative in a way that allows others to evaluate how it would operate in practice and in comparison to the present system.

You have suggested pushing more of the boundary into architecture – “It needs to maintain a common, auditable substrate on which interoperability depends. That substrate can be carried by a distributed ledger with independent validating nodes, public auditability, transparent rule sets, and visible software behavior.”

Those rules still have to be defined. The thresholds for validation and adoption still have to be determined. The system still has to evolve over time, which means there must be a way to introduce changes and determine when they take effect. Even in a distributed or protocol-based system, those functions do not disappear – they are decisions about what the system is and how it operates.

I understand the distinction you’re drawing between the initial design of such a system and its ongoing operation, and I agree that they are not the same. But the initial definition is not incidental – it is foundational. It determines what the system does, how it behaves, and how it will evolve in practice.

So the issue is not whether alternatives should be explored – they should. The issue is that you are now asserting that the current system is categorically invalid without establishing the basis for that claim, and then, from that basis, advancing an alternative that remains undefined, unevaluated, and unproven.

[1] https://aso.icann.org/icp-2-review/

John,

There is no shift in my position, and there is no “my new scheme” here. My seven articles make a simpler point: the present RIR system has already failed as a legitimate thin coordination layer, so a successor design must be discussed. That successor is not mine in any proprietary sense. It belongs to the world that will have to build what comes after. Whether that successor is fully specified today has nothing to do with whether the old design is already broken.

You also keep conflating decision with centralization. Those are not the same thing. The need for decisions does not justify a central authority. Decisions can be individual, local, and distributed. The network already works that way: each operator decides what software to run, what routes to accept, who to connect to, what filters to apply, and whether to keep carrying a bad actor’s traffic. Those are real decisions, but they are not made by a sovereign over the whole network. The registration layer should be pushed closer to that same logic: a common auditable substrate, not a central authority whose decisions automatically bind everyone. So when you argue that rules, thresholds, or updates imply centralized governance, you are smuggling in the very conclusion that has to be proven.

That is why your electorate-versus-organization distinction does not rescue the RIR model. The issue is not whether people may deliberate. The issue is whether the same institutional ecology gets to make policy, apply policy, and also define how far that policy power reaches. A bookkeeper may keep the book. That does not make the bookkeeper the ruler. In the early Internet, a more centralized ledger was understandable as a practical bookkeeping convenience because the alternatives were limited. But no one ever authorized that bookkeeping convenience to turn into sovereignty. That later leap was the registry layer pulling itself up by its own bootstraps — or, more plainly, the scorekeeper deciding he owns the game. That is exactly where running-code betrayal begins.

And I do not accept your repeated suggestion that self-governance in this layer remains basically sound but imperfect. What I have already laid out with APNIC and AFRINIC is not evidence of effective self-restraint. It is evidence that the self-restraint failed. Pointing to yet another governance document after all this does not change that. It is like a man falling from a hundred-story building saying “so far, so good” when he passes the thirtieth floor.

So the issue is not whether alternatives should be explored. Of course they should. The issue is whether a system that ceased to be thin, bounded, and subordinate to running code can still claim legitimacy simply because its defenders promise future reforms. My answer is no. The failure of the present design does not wait for the completion of its successor to become visible.

Lu Heng –

You continue to assert that the RIR model is uniquely invalid because it involves participatory self-governance, yet you have not explained why that form of governance – which works across thousands of corporations, standards organizations, membership bodies, and even governments – somehow becomes inherently illegitimate in the specific case of the Internet number registry system.

That is the central gap in your argument. You are not simply criticizing outcomes or implementation – you are asserting that the model itself is invalid here. If you want others to give that premise any credence, it requires a clear explanation of what makes this case fundamentally different – something you have not provided among all your responses.

You also state that there has been no shift in your position, but earlier you described the RIR model as “tolerable” “so long as it remained thin, bounded in discretion, bottom-up in restraint, and limited to coordination.” That framing recognizes a model that can function when properly constrained. You now assert that the system has failed and is structurally invalid, and from that conclusion dismiss any effort to strengthen its governance. That is not the same position, and the transition between them remains unexplained.

I do understand that your view is informed by specific experiences you’ve had with the RIR system where you believe it has failed you. But that experience is not representative of the system’s overall performance. For the overwhelming majority of participants, the RIR system has been a sustained and demonstrable success – providing stable, reliable, and effective coordination over time. In that context, your ardent declarations that the system has failed, is beyond reform or redemption, and has in fact always been categorically invalid are both internally contradictory and lack the reasoning necessary to provide a compelling basis for replacement.

That said, I’ll reiterate that exploration of alternatives is entirely reasonable. It provides useful comparison points and helps drive continued improvement in the governance of the existing system. As you’ve noted, this issue will ultimately come down to operator choice: if operators conclude that a different model serves them better, they will adopt it. In the end, that is the practical test that will decide.

John,

What do past years of operation elsewhere have to do with whether this system has legitimacy today, here? Very little.

And to be clear, I have never argued that the present RIR model “must be replaced entirely by my new scheme.” My point is simpler: this system has failed as a legitimate thin coordination layer, so a successor design must be discussed. That successor is not “mine.” It will belong to the world that has to build what comes after. Whether the next system is fully specified today has nothing to do with whether this one is already broken.

There is also no contradiction in my position. When I said the RIR model was tolerable so long as it remained thin, bounded in discretion, bottom-up in restraint, and limited to coordination, that was a condition, not a permanent blessing. If those conditions fail, toleration fails with them. And because of the design defect of the system, combined with ordinary human incentives, those conditions do fail. A structure that lets the same institutional ecology make policy, apply policy, and define the scope of its own power does not stay thin for long. The fact that some earlier leaders exercised more restraint does not prove the model is sound. It only shows that a flawed design can coast for a while before its incentives fully express themselves.

That is also why your comparisons to corporations, standards bodies, membership organizations, and governments do not answer the issue. Those institutions openly claim governance. The RIR layer never borrowed legitimacy from being a miniature polity. It borrowed legitimacy from doing a much narrower job: coordination in service of running code. That is what makes this case different. The registry was tolerated as a clerk, not as a sovereign. A centralized ledger may have been historically understandable as bookkeeping. But the leap from centralized bookkeeping to centralized authority was never granted by the network. That is where running-code betrayal begins.

You also keep conflating two different things: decision and centralization. Those are not the same. The need for decisions does not justify a central authority. Decisions can be individual, local, and distributed. The network already works that way. Each operator decides what software to run, what routes to accept, who to connect to, what filters to apply, and whether to keep carrying a bad actor’s traffic. Those are real decisions, but they are not made by a sovereign over the whole network. The registration layer should be pushed closer to that logic, not farther away from it. So when you argue that rules, thresholds, or updates imply centralized governance, you are smuggling in the conclusion. The fact that decisions exist does not mean they must be universally imposed by one institution.

And no, this is not just some private grievance that failed to be “representative.” As I wrote elsewhere(https://heng.lu/on-why-i-am-certainly-not-the-first-victim-and-likely-the-first-survivor/), I am certainly not the first victim, and likely the first survivor. The point is not that my experience is statistically representative in the neat way institutions prefer. The point is that systems built on asymmetric power, weak accountability, procedural insulation, and repeated abuse produce many victims, but most are too isolated, too exhausted, too poor, or too exposed to recognition risk to turn private injury into a visible public pattern. Silence under asymmetric power is not proof of legitimacy. It is often proof of fragmentation. That is precisely why the [NRS Case Archive](https://nrs.help/case-archive/) exists.

That is also why your confidence in participatory self-governance here is misplaced. The RIR world has already given us enough evidence that this structure does not reliably self-bind. Calling it a success for the overwhelming majority proves very little. North Korea has lasted longer than the RIR system and can point to ritualized support as well. The question is not whether a structure can persist and claim consent. The question is whether you actually believe that proves legitimacy. I do not.

So yes, operators will decide what comes next. That future choice is real. But it is hard to believe they will choose an institutional layer that performs double extraction on their business while sitting at a chokepoint over it, speaking in a language most of them do not use, and asking them to trust open-ended discretion over assets on which their operations depend. In any realistic choice set, especially for operators, the present RIR form is doomed. But that future choice does not retroactively restore legitimacy to the current model. It only determines what replaces it. The fact that a successor is still being discussed does not rescue a structure that has already shown why it cannot remain thin, bounded, and subordinate to the network it was supposed to serve.

[1]: https://nrs.help/case-archive/
[2]: https://heng.lu/on-why-i-am-certainly-not-the-first-victim-and-likely-the-first-survivor/