Welcome:
Login
|
Sign Up
|
About CircleID
Follow:
|
|
|
|
||
|
||
At a recent ARIN meeting in Arlington, Texas, I experienced a familiar feeling. The room was full of experienced people discussing policy details with great seriousness, yet outside the walls, the Internet continues to evolve at a speed that governance structures struggle to match.
The contrast felt strangely familiar. It reminded me of university lectures where students sat in front of modern computers while a professor wrote code slowly on a chalkboard. The knowledge was correct, but the method belonged to another era.
Internet governance sometimes feels the same.
For decades, needs-based justification has been a central principle of IP address allocation. Organizations requesting IPv4 resources had to prove operational need. In the early Internet, when IPv4 scarcity was already visible, this system made sense. The goal was simple: ensure fair distribution of a limited resource.
But the Internet has changed dramatically since those policies were designed.
IPv4 exhaustion occurred globally between 2011 and 2019, depending on the region. Since then, the only meaningful supply has come from transfers between existing holders. Yet many registries still apply the same justification requirements to transfers that once governed initial allocations.
This creates friction in a market that now operates very differently from the Internet of the 1990s.
Today the five Regional Internet Registries (RIRs) interpret justification requirements in different ways.
RIPE NCC removed most justification requirements for transfers more than a decade ago, prioritizing transparency and registry accuracy over manual review. ARIN continues to enforce strict needs-based policies, requiring documentation of operational use even in transfer scenarios. APNIC follows a hybrid model, while LACNIC and AFRINIC maintain stricter interpretations of justification.
The result is a fragmented system. The same IPv4 transfer that can be completed quickly in one region may take months in another.
In practice, markets respond to efficiency. When policies create friction in one region, operators simply move activity elsewhere.
Modern networks are fundamentally different from the infrastructure the original policies were designed for.
Today’s Internet is elastic, virtualized, and global. Cloud-native systems allocate and reallocate resources dynamically. Infrastructure is software-defined, and network capacity scales in real time.
Operational reality has shifted from static allocation to fluid resource management.
Technologies like BGP, DNS, and RPKI already operate across regional boundaries. A router announcing a prefix does not care which registry originally allocated the address. The operational Internet functions as a single global system.
Policy, however, still follows regional silos.
Strict justification requirements can create unintended consequences. Legitimate operators may face delays or documentation hurdles when acquiring address space. At the same time, the market adapts through alternative mechanisms such as leasing or brokerage services.
These developments are not signs of policy failure. They are examples of how the Internet evolves when demand outpaces governance frameworks.
What the system increasingly needs is not more gatekeeping, but greater transparency, automation, and verifiable registry data.
Registries were originally designed to coordinate global resources and maintain trust. In a modern environment, that role may be better served by systems that verify legitimacy and maintain accurate records rather than requiring extensive pre-use justification.
RIPE NCC provides an example of how policy can evolve.
When justification requirements for transfers were removed, some feared speculation or abuse. In practice, the region saw steady transfer activity, transparent registry records, and active participation from major infrastructure operators.
More recently, RIPE has introduced automated self-service registry processes, reducing manual intervention while improving accuracy and auditability.
Automation did not weaken governance. It strengthened it by aligning policy with operational reality.
The Internet no longer grows in predictable, hardware-based increments. It grows through software, cloud infrastructure, and globally distributed systems.
In this environment, governance structures designed around static allocation and manual verification increasingly struggle to keep pace.
RIRs remain essential institutions. But their role may need to evolve from administrators of scarcity to coordinators of transparency.
That means focusing on:
The Internet has matured far beyond the environment in which its governance structures were originally created.
The question is no longer whether the Internet needs coordination. It does.
The question is whether coordination should continue to rely on permission-based models designed for another era.
Sponsored byRadix
Sponsored byVerisign
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byIPv4.Global
Sponsored byWhoisXML API
Sponsored byCSC
A World-Renowned Source for Internet Developments. Serving Since 2002.
It’s worth remembering that those differences in policy across the regions are not accidental – they arise from community-based policy development.
Each RIR operates under policies created through open processes by the operators and organizations participating in that region. As a result, different communities sometimes reach different conclusions about how resources should be managed, including transfer policy and justification requirements. That bottom-up approach means policies reflect the operational judgment of the networks that actually build and run the Internet, rather than rules imposed externally.
If the operator community in the ARIN region wished to change transfer policy, there’s little doubt they could do so through the same process that created the current rules. In fact, the ARIN community has relaxed specific transfer criteria multiple times over the years while choosing to maintain the basic needs-based structure.
It’s also worth noting that similar frameworks exist in other industries managing scarce resources. Even where rights are obtained through market mechanisms, such as spectrum license auctions, organizations are often required to demonstrate the ability to utilize the resource in order to obtain or transfer those rights.
John, thank you for the thoughtful response.
You are right that policy differences across regions reflect genuine community choices, and I want to be clear that I am not arguing against that process.
Community-driven governance is worth protecting.
Where I would gently push back is on the outcomes rather than the process itself.
The RIPE experience since 2012 offers fourteen years of evidence that removing needs-based justification did not lead to worse stewardship.
Resources still flow to operators who use them, and the registry remains accurate.
That does not settle the debate, but it is hard to look past as a data point.
On the spectrum comparison, I think there is an important difference worth noting.
Spectrum utilization requirements exist because unused spectrum creates a real problem for other operators who cannot access idle frequencies.
IPv4 addresses do not create the same interference when unrouted.
And there is a practical point worth adding here.
When an operator makes a serious financial commitment to acquire IPv4 resources, they are not doing so speculatively.
That level of investment only makes sense when you know exactly what you need the addresses for and how you will use them.
The capital commitment itself is already a demonstration of intent, and arguably a more reliable one than a one-time document review.
Your reply to Sophia contains the framing I find most useful.
Separating institutional continuity from allocation philosophy makes the path forward clearer.
An RIR can have strong, resilient governance structures while also asking whether its transfer policies reflect how the market actually works today.
Those do not have to be the same conversation, and keeping them separate might be what allows both to move forward productively.
The goal, I think, that most people in this space share is a system that is accurate, accountable, and resilient enough to serve the internet as it exists now.
I suspect we agree on more of that than the policy differences suggest.
Vincentas, this is an excellent and timely analysis — especially your point about RIR policy fragmentation creating friction that operators simply route around.
What interests me is the layer beneath: when policies diverge, who decides in a crisis? Automation and transparency can replace gatekeeping, but even the most automated system still rests on institutional decisions — about jurisdiction, about succession, about what happens when an RIR’s legal home becomes contested.
The question isn’t just whether we need permission. It’s whether the institutions that remain have the accountability structures to match the speed and scale of the networks they support.
Sophia, you raise an important point about institutional resilience. As things stand today, each RIR does depend on the stability of its legal and operational institution – and as you’ve noted elsewhere, that dependency and the associated continuity expectations are not always clearly articulated. That is one of the areas being examined in the current ICP-2 / RIR Governance Document update work. Improving clarity around institutional resilience and continuity of operations across RIRs is a sensible evolution of the framework for the Internet Number Registry System, particularly in light of recent experience. Providing greater certainty of Internet numbers registry services for everyone is the top priority of that effort. Note that ensuring continuity of registry operations needs to stand on its own as a core design goal of the system and is largely orthogonal to regional policy differences. Even if there were no diversity in transfer policy today, as Vincentas might prefer, true community-based RIR governance means that different transfer policies could still emerge in the future and therefore must be anticipated and accommodated in this effort.
Sophia, thank you for taking this further. You are right that the accountability question does not go away when you simplify permission requirements. It just needs to be answered through different mechanisms. What gives me confidence here is that the tools for operational accountability have genuinely improved. RPKI, real-time abuse monitoring, and registry accuracy checks now do continuous work that a one-time justification review simply cannot. The registry function, knowing who holds what, remains as important as ever. But the permission and accountability layers are separable problems, and I think we are better served by investing in the latter. Your point about institutional resilience is the harder and more important question. The healthiest long-term outcome is probably a system where the operational layer is automated enough to function reliably regardless of how quickly any individual institution can respond. That does not replace institutions. It makes them more durable by reducing the points at which speed and scale create pressures they were not designed to handle.