The IP Address Governance Regime

To understand the controversy surrounding IPv4 address depletion and transfer markets, some description of current institutional arrangements around address management is necessary. Address assignments are made in a hierarchical fashion. At the top of the hierarchy is ICANN, whose IANA function distributes large blocks of 16,777,216 addresses (known as /8’s) to one of five regional Internet address registries (RIRs). The RIRs then accept applications from organizations with networks that need addresses within their territory. Some larger blocks may be assigned directly to end user organizations, but most will go to Internet service providers who will then re-assign them to their customers.

RIRs were created in the 1990s as the Internet protocols began to be widely adopted. The first Regional Internet Registry, RIPE-NCC, was created in 1991 to serve the European region. In 1995 APNIC was created as the RIR to serve the Asia Pacific region. Both were incorporated as private sector nonprofits. In 1997, parallel to the creation of ICANN, the address administration functions performed by several U.S. government contractors were privatized and placed in the hands of a new nonprofit entity known as the American Registry for Internet Numbers (ARIN). All three of the RIRs rely on a private sector-based, contractual model of governance.

The creation of the RIRs led to tighter and more formalized address allocation and assignment policies, and more careful registration and tracking policies. Before they were created, however, a large portion of the IPv4 address space had already been assigned or allocated, perhaps as much as half. Many of these “legacy allocations” made before 1997 are still held without any contractual obligations.

A Common Pool Model?
The RIRs have developed a consistent ideology about address management policies, which are codified in their own policy documents. Address resources are considered a “shared public resource” and the RIRs are considered their “stewards.” Addresses are said to be “loaned” to private users, not sold, and users are not supposed to gain any property rights in an address block they are granted. Although RIRs finance themselves via address-related fees and membership charges, they insist that members are not “buying” addresses but are merely paying the RIR for services associated with administering the address space and its registry. The RIRs formally prohibit assignees from reselling or transferring the addresses directly to other private users. But the line between permitted and not-permitted transfers is gray, not bright and clear. Internet service providers who hold address allocations sell services commercially to their customers, and among these services are fixed IP addresses, with specific charges associated with addresses. Also, when companies with IP address allocations or assignments are merged or acquired, RIRs allow the address resources to be transferred along with ownership of the company.

The RIR ideology of resource stewardship has some similarities to the economic model of a common pool resource. The common pool model is used to govern natural resource use in other contexts, such as unlicensed radio spectrum, forests, water or marine fisheries. Common pool governance is typically employed when two conditions are met: consumption of the resource is rival (i.e., one person’s use or consumption prevents another person from also using/consuming it), and it is difficult to exclude people from appropriating the resource (which makes the model of markets based on private property rights difficult to apply). The task for a governance agency is to regulate appropriation of the resource in a way that maintains its value.

Under certain conditions, common pool governance has very good economic and social properties. Simple, collectively applicable limits on the number of trees one can cut or fish one can remove, for example, conserves the resource pool while maintaining easy access to the resource and very low transaction costs. In the case of unlicensed spectrum, anyone who wants to offer service in an unlicensed wireless band can enter freely without prior permission from regulatory authorities. Appropriation is governed by technical limits on transmission power and protocol specifications, which prevent any single transmitter from hogging too much of the spectrum resource.

Despite the appealing ideology of common resource stewardship that appears to underlay RIR policies, there are major failings in the application of the common pool model to IP address resources. Address consumption is rival, but it is not that difficult to exclude unauthorized people from using them. Under the RIR regimes, appropriation from the common pool is not based on a simple and uniformly applicable appropriation limit, but on complex, expensive, case-by-case administrative procedures. In order to get resources from the address pool, applicants must individually request resources from the RIR and demonstrate their “need.” The RIR does engineering studies of the applicant’s plans and demands a lot of commercially sensitive information. This is more like a central planning regime than classical common pool governance. Under conditions of intense scarcity, such a process is not only costly but inherently inaccurate because of the asymmetry of information between the requestor and the granting agency.

Another crucial difference between the RIR regime and what we normally think of as common pool management is that when IP addresses are not used by those to whom they have been allocated, they do not automatically return into the common pool for use by others. Those who have been allocated or assigned address resources retain exclusivity over an address block regardless of whether they are using the resources. Cumbersome administrative processes are required to move resources from a nonuser to a prospective user. In a true common pool model, the IP address space would work like a gigantic DHCP address pool. Organizations would grab addresses (like catching fish) only when they were actually using them, and as soon as they were not using them the addresses would be released back into the common pool for use by others. That is not how things work. Organizations that have been given IP addresses retain them until they choose to give them up, and users have very weak incentives to return addresses to RIRs. If they don’t give them back, nothing bad happens. If they do give them back, they incur both administrative costs (the cost of altering their records and interacting with the RIR) and opportunity costs (the cost of foregoing future use of the addresses). RIRs’ ability to monitor the actual usage of assignments is limited. Even if they did have perfect information about actual usage and “needs” of applicants, their enforcement powers are weak. They cannot impose financial penalties on organizations; they can only terminate a service contract and threaten never to assign the organization any more addresses. Even this does not directly deprive the users of addresses; it only signals to Internet service providers that the organization is not the legitimate holder of the address block, which may lead ISPs to refuse to route packets to those addresses. Another crucial limitation on RIRs is the large number of legacy address allocations which are held without any contractual obligations. Legacy allocations were made before the RIRs existed, and RIRs lack the authority to recover them until and unless the holders of the address resources voluntarily choose to sign “Legacy Registry Service Agreements.”

In sum, the RIR regime captures only half, possibly less, of the standard benefits associated with common pool management. It regulates appropriation effectively, but it raises the cost of access and does a very poor job of facilitating reclamation and reuse.

Latent markets and Unused Resources
Given the major imperfections in the realization of common pool objectives, it is not surprising to discover latent markets for address resources and underground transfers taking place. In June 2008, for example, an item on eBay appeared offering “IPv4 swamp space – one Class C block (a /24)” for US$ 1,000. The same month, a private sector participant stated publicly on the ARIN Public Policy Mailing list, “I have been aware of people …buying, selling and using subterfuge to obtain IP allocations for as long as I have been in the industry (the past 8 years).” The examples provided by this person are worth quoting at length:

a. Three companies merged into one. For many months after they merged they continued to interact with ARIN as separate entities, obtaining far more IP allocations than they would have been able to as a single entity. Even today, this single entity (which has now recently merged again), interacts with ARIN using two separate, but related entity names and two separate ORG IDs.

b. Every month I run into people who are willing to sell me their /18, /19, /20 for a fee. It is my understanding that such transactions are usually structured so that other [usually worthless] assets or an entire shell entity are included in the sale to pass ARIN scrutiny.

c. For a time, I did work for an entity that had previous bad blood with ARIN… and managed to obtain 3 /18s on the after market. From what I gather, this is not all that unusual.

d. There are consultants out there who, for a fee, guarantee you will get an IP allocation from ARIN. They are able to accomplish [this] because they control a large amount of IP space for entities that they work for, and they SWIP out space from those entities to the entity paying them for the direct allocation. …

e. ARIN members continue to report IP usage by customers that have long since left their network, inflating their actual need and utilization percentages, allowing them to obtain unnecessary allocations from ARIN.

As our analysis of incentives above suggested, reclamation of unused IP addresses should be a weak point in the regime. Empirical evidence supports this expectation. There are strong reasons to believe that a very large part of the allocated IPv4 address space is unused, and thus eligible to be transferred. This is especially true in the North American region. An OECD report cited Geoff Huston, Chief Scientist at APNIC, that 90% of RIR-allocated space is routed while only 40% of legacy space is routed. The same OECD report cites surveys that examine the population of visible IPv4 Internet hosts, and find that “only a low percentage of advertised addresses respond, which could mean that even among routed address space, significant address space is unused.” One study finds that only 3.6% of allocated addresses are actually occupied by visible hosts.

In the legacy allocations especially, it is well known that large swaths of unused address blocks are so underutilized that they can be surreptitiously taken over by spammers, illegal pornographers, or other Internet malefactors with a need to operate under cover. An antispam website from 2004 maintains a long list of hijacked IP address blocks, which includes an entire /8 originally allocated to Halliburton in the 1980s. An article by Ronald F. Guilmette documents how two /16 address blocks, containing tens of thousands of IPv4 addresses, were hijacked from NASA and a small software company and used to facilitate spamming. In these two cases, the address blocks were essentially abandoned, as their delegated users had completely lost track of their status and were not even aware of their appropriation by a third party.

When the Free Pool Runs Out
The model of common pool resource management assumes that there are free, unallocated resources in the wild, and the task of the resource manager is to set appropriation rules. The appropriation rules of the RIRs were based on a “justified need” criterion where assessments of “need” were based on simple engineering studies.

As the IPv4 free pool runs out, the justified need approach to IPv4 address management loses its relevance. As the number of unallocated blocks approaches zero, IPv4 addresses can only be acquired through transfers from one holder of address resources to another, not through initial appropriation from a free pool. Traditional need assessment methods are of no relevance in this situation. In the post-free pool world, engineering plans that “justify” the use of a certain number of addresses may or may not justify taking addresses away from someone else. To allocate the resource under these new circumstances, an RIR would have to decide which plan was more important or more valuable, and remove addresses from one user to give them to another. To justify transferring address resources from one user to another, one must make judgments about relative need and the social value of the resource in alternate uses.

The only feasible way to discover how valuable the address resources are in alternate uses is to institute competitive bidding for them. The alternative to competitive bidding is an ongoing series of “beauty contests” in which a centralized agency tries to assess the relative merit of every internet-related business in their region. In addition to more closely scrutinizing existing uses and users, RIRs would also have to give themselves more power to take away resources from parties they decided didn’t really need them, or were needed more by someone else. Such a policy would make RIRs into dictators of who could enter the Internet economy and which business plans were more valuable than others. RIRs lack the authority, the resources and the knowledge to judge relative need and aggressively re-allocate address resources across an entire world region. Also, RIR decisions to take away addresses from one party and give them to another would likely become ensnared in controversies and litigation. Future resource allocation must rely on decentralized judgments about the value of resources by the actual holders of address resources. RIRs should act more as title agencies than resource managers.

Next: A comparative analysis of address transfer policies at the three main RIRs.


Comments are closed.