Needs-based IPv4 transfer requirements contribute to WHOIS registry inaccuracies. Relaxation of those requirements has not led to rampant "bad behavior." ARIN policy can do a better job of addressing community concerns.
Two weeks before depletion of the American Registry for Internet Numbers (ARIN) IPv4 free pool in September 2015, we published an article recommending that the ARIN community adopt transfer policies that encourage trading transparency and improve whois registry accuracy. By eliminating needs justification as a pre-condition to updating the registry, we argued that ARIN could eliminate existing policy-based barriers that have kept many otherwise lawful and legitimate commercial transactions in the shadows.
At that time, the majority of ARIN's active members participating in its policy development processes strenuously objected to any policy proposal that relaxed needs requirements for IPv4 block transfers. During 2014 and 2015, eight such policies were proposed. All of them were abandoned for lack of support.
In the public comment period, opponents of these proposals asserted that rampant fraud, hoarding, and speculation in the market would follow adoption of policies that relaxed needs-based requirements for IPv4 transfers. These arguments prevailed within the ARIN community even though there was no data or other evidence to support them.
Experience Leads to Experimentation
After September 2015, attitudes within the ARIN community shifted. Rigorous needs-based requirements imposed real-world market impediments for smaller network operators while the largest network operators were able to readily acquire substantial quantities of address space. At around the same time, stiff opposition to relaxing needs justification for all transfers began to fade.
In 2016, three policies were introduced that collectively reduced transfer utilization thresholds and needs criteria. All were overwhelmingly supported by the community and adopted by ARIN the following year. The core of these new policies appears in Sections 8.5.4 and 8.5.7 of ARIN's Number Resource Policy Manual ("NRPM").
Section 8.5.4 of the NRPM allows network operators without any existing address holdings to obtain a /24 block without any demonstration of need. This dramatically reduced the burden on start-ups, downstream ISPs and end users to obtain an initial small IPv4 block via the transfer market.
Section 8.5.7 of the NRPM allows any organization that can demonstrate 80% utilization of its current IPv4 address space to receive a transfer that would double the size of its then-current holdings — up to a /16 (65,536 numbers). Under this policy, the transfer recipient does not have to convince ARIN that the recipient will attain any future utilization threshold as a condition of the transfer. There is, however, a cap on the quantity of address space any one organization can acquire pursuant to this policy — an organization may not receive more than 65,536 numbers in any rolling six-month period.
According to a presentation at the ARIN 39 meeting in April 2017, approximately 97% of transfers to date would have qualified for this policy. This means the policy effectively eliminated needs justification for most market participants. But there was relatively little dissent during the policy discussion and comment period. The fear of fraud, hoarding, and speculation that had scuttled prior liberalizing transfer policy proposals had no sway.
Although this outcome is an abrupt shift in policy position, it aligns with actual market activities. Fraud, speculation and hoarding on the buying/receiving side of transfers simply aren't a factor. In his presentation on IP addressing at ARIN 39, APNIC scientist Geoff Huston noted that he saw no evidence of speculation based on his review of historical transfer data. Six months after adoption of relaxed needs justification policies, there is still no evidence of market-distorting bad behavior by transfer recipients.
In contrast, these new policies have been largely successful in enabling smaller network operators to access and participate in the market to obtain the address space they need to operate their businesses.
Collateral Damage: Whois Registry Accuracy
The success of these limited relaxed-needs policies requires a close look at whether any needs-based requirement is desirable when operating under IPv4 market conditions, where supply is unable to keep up with demand, and hidden transactions are introducing registry inaccuracies.
In her presentation on whois registry accuracy last spring, Leslie Nobile described whois accuracy as a key responsibility of the RIRs and vital to the operation of the Internet. She noted that network operators rely on whois to resolve technical and abuse issues, law enforcement relies on whois in its investigations, and greater registry accuracy helps protect against number hijacking. She cautioned that, unless changes are made, whois accuracy would likely worsen, not improve, over time.
One important change that would advance whois accuracy is the elimination of needs-based requirements for all IPv4 transfers. The experiences of other Internet registries bear out this result.
When RIPE NCC decided to eliminate its needs requirements for intra-RIR transfers in order to encourage more transparent IPv4 market transactions, one of the key cited benefits was greater whois registry accuracy. Imposition of needs requirements is distorting the public reporting of marketplace activity, and contributes to whois registry inaccuracy by encouraging market participants to enter into transactions that avoid reporting RIR registry updates.
Since 2011, there have been over 50 large block transfers (i.e., greater than 250,000 IPv4 numbers) recorded in the ARIN registry. For this purpose, a "transfer" means 1 or more IPv4 blocks transferred between the same two parties and registered on the same day. More than half of those transfers — comprising nearly 50 million numbers — are attributable to just ten buyer/seller "pairs" who engaged in two or more transfers over months or years.
In some cases, the same contracting parties may have entered into separate contracts for each transfer (either as part of completely separate deals or the result of a series of maturing options in a single deal). In other instances, parties entered into a single transaction that involved numbers being registered over time in order to better accommodate ARIN's needs requirements, which frustrates the very purpose and function of the whois registry (accurate recordation of who controls allocated IP address space) and the needs-based policy constraint (limiting the quantity of address space one entity can acquire).
These multi-step transactions are just part of a larger problem. Evidence suggests that there is a not insignificant number of alternative transactions where the parties have agreed to forgo the registration process altogether in order to avoid the ARIN transfer hoops. Examples include long-term leases, corporate acquisitions, or straight sales where buyer and seller simply agree to take the risk of conveying beneficial use without updating the RIR registries.
In all of these cases, the net result is an ARIN registry that does not identify the real parties in control of specific IP address space. This hampers efforts by network operators to resolve technical coordination issues and impairs law enforcement when conducting investigations that rely on whois data to trace IP addresses to identifiable organizations.
Onward Progress – Reframing the Problems and the Solutions
The collective experience of the RIRs, including ARIN, is that neither relaxing needs requirements nor eliminating them altogether causes hoarding or speculation or any other nefarious activity as long as there is a means to ensure that receiving organizations are lawfully organized and operate IP networks. When IPv4 numbers were being allocated from the free pool, constraining allocations and assignments based on demonstrated need was a useful means to stave off exhaustion and fairly allocate limited (but free) resource supply. Now that the free pool is exhausted, supply of new address space must be stimulated through significant capital outlays, and conveyed under structured contracts (with the associated transactional and counterparty risks) — all of which introduce considerable barriers for organizations seeking additional IPv4 address space.
With these market realities, transfer policies that focus on vetting the legitimacy of the parties' standing to participate in a transfer without any additional needs constraint would represent a material improvement for all market participants. Existing policies as applied by ARIN's staff on the source side of designated transfers are working very well. On the recipient side, however, policies should be reshaped to focus only on validating the legal standing of recipients, and the existence of their operational networks without imposing judgments on the quantity of address space they should buy. This would reduce the number of hidden transactions, encourage all market participants to submit their transactions for registration, and still provide adequate safeguards against pure financial speculation.
In a post-free-pool world with limited supply of IPv4 number blocks, it's time to retire needs justification for IPv4 transfers and re-focus transfer policy on addressing the real market and related registry challenges.