Can’t sell your IPv4 numbers? Try leasing them.

In a “policy implementation and experience report” presented at ARIN 31 in Barbados, ARIN’s staff noted that they are seeing “circumstances” related to the leasing of IPv4 number blocks.  At the recent INET in Denver, ARIN’s Director John Curran alleged that there is a “correlation” between address leasing activity and organizations that have been unable to complete specified transfers through the ARIN process, which requires needs-based justification.

The issue of leasing – or rather sub-leasing, because ARIN is already leasing the addresses to its members – is yet another symptom of the growing scarcity of IPv4 addresses. Subleasing is interesting, however, as another example of the way the RIRs’ bureaucratic control of transactions between willing sellers and buyers can lead to workarounds that make the Whois directory less accurate.

It’s unclear exactly how ARIN is aware of this nominally private activity.  Perhaps someone involved is tipping ARIN off, or maybe its staff is observing instances where the ASN information associated with a routed block is changing while the contact information in the ARIN Whois directory remains the same.  In either case, a greater degree of transparency about refused transfers and the basis for ARIN’s determination would be welcome.  On a related note, we sought to shed some light on the emerging transfer market in a paper last year.

What is troubling, for ARIN at least, is that the subleasing of addresses is taking place outside of the RIR address governance regime. It is understandable that ARIN would react to something that might undermine its control over address space. Part of ARIN’s power stems from its ability to identify who is allocated or assigned what address block(s) via its Whois Directory Service. Practically, the Whois has also been used to identify the party actually routing an address block, although technically this is a distinct activity over which ARIN claims no control.

From an operational perspective, if the organization actually routing an address block cannot be contacted, this could be detrimental to administrators attempting to resolve networking issues, and to parties seeking to use the Whois for law enforcement or related policy matters. However, at this point it is unclear if lessees are actually unreachable. In fact, one could argue that lessors are in a better position to keep accurate lessee contact records than the address registry – they are invoicing their lessees, we assume! Whether, and under what conditions, they would release contact information is basically unknown at this point.

For now, ARIN does not seem to be too alarmed. It suggests three potential policy solutions:

  1. Decide this is not an issue for ARIN to deal with
  2. Create new policy requiring that the actual party using the addresses be listed as an operational contact in Whois
  3. Create new policy that would prevent leasing of address space without needs-based justification.

Again, absent any data on leasing, it is hard to say which way ARIN or its membership might go, although the third option seems increasingly unlikely as ARIN moves closer to IPv4 exhaustion and the RIPE region is contemplating elimination of needs-based justification entirely.

It may just turn out that private subleasing transforms the address transfer market. As Addrex’s Charles Lee pointed out at INET in Denver, all kinds of parties lease assets (including ARIN leasing addresses to its own customers). It serves a useful business purpose and is not a bad thing per se. The entry of large subleasing companies without any Internet operations, Lee noted, might transform the address market. It could create entirely new ways of allocating addresses and provisioning post-allocation services. It might lead to innovative product offerings, such as providing means to mitigate the technological obsolescence of IPv4. We just don’t know. What we know for sure is that it will create governance dilemmas.

12 comments

  1. Huasong Zhou

    In addition to the operative and administrative drawbacks mentioned above, abusive use of the blocks by the lessee can degrade the space. Recently, while speaking at INET Denver on this topic, Lee Howard of TWC explained that he could only think of one reason why someone would lease for a short period of time… and those addresses will be less re-sellable afterwards. Because of this, it has been our experience that most prospective sellers are not interested in leasing.

    • Brenden Kuerbis

      Sure. But, assuming a company is in the _business_ of leasing, one would think the lessor would qualify lessees to avoid scenarios that degrade assets. Again, one has to think of incentives here.

  2. John Curran

    Brenden –

    A fairly good summary of the report and related issues. You do note that “In either case, a greater degree of transparency about refused transfers and the basis for ARIN’s determination would be welcome.”
    While probably not meeting all of your requirements, we have been providing increased information about transfer requests, including metrics on those pending and denied, in our periodic reporting. This was presented as well at ARIN 31, in the Update on Resource Transfers presentation that I gave, which is available here: https://www.arin.net/participate/meetings/reports/ARIN_31/PDF/monday/curran-transfers.pdf

    FYI,
    /John

    John Curran
    President and CEO
    ARIN

  3. Mike Burns

    As previously mentioned, short term leases risk address reputation impairment. This is obviously a concern for any seller (or lessor).

    Long term leases risk Whois degradation. This is obviously a concern for anybody who cares about Whois accuracy.

    ARIN stewards take note. Your role, according to RFC2050, is primarily to maintain a unique registry of IP address block ownership. The community’s professed desire to determine which transfers will be processed and which will be denied is the root cause of this increasingly common source of Whois inaccuracy.

    The way to an accurate Whois is to book all legal transfers of address rights without regard to ARIN justification of need. As more of these transactions take place, network operators will become used to seeing the lease agreements and Letters of Agency that convey accurate information about address-rights ownership that is missing from Whois.

    Whois will be relegated to some old dusty register that is really only good for figuring who the initial rights-holder was. To know who the real rights holder is, a network operator will have to perform the simple task that ARIN refuses, that is to review the chain-of-custody documentation to determine legal address rights ownership prior to advertising the addresses.

    Of course that doesn’t help the rest of the Internet who relies on an accurate Whois to aid in abuse or network issues for an address block. Such is the cost of the arrogance of a very tiny but vocal minority of the North American population who participate in ARIN policy development.

    Hopefully RIPE will drop needs tests for transfers and ARIN will see the light.

    • Paul London

      Mike,

      In regards to your RFC2050 comments and: “Whois will be relegated to some old dusty register that is really only good for figuring who the initial rights-holder was. To know who the real rights holder is, a network operator will have to perform the simple task that ARIN refuses, that is to review the chain-of-custody documentation to determine legal address rights ownership prior to advertising the addresses.”

      ARIN’s latest tactic appears to be to wipe all Admin/Tech POCs from legacy ORGs and replace information with completely irrelevant information.

      Upon an ORG having their POCs removed, ARIN switches gears to the “Document Check” phase. Very few (none) of the original Legacy allocations included a corporate suffix (Corp, LLC, Inc, etc.). ARIN is seizing upon this as a “name change” and thus upon passing the “Document Check” ARIN will then say, “Thank you, we have agreed internally that the best route is to create a new ORG and transfer your IPs to this new ORG”.

      This transfer wipes out the legacy status. By not having Admin/Tech POCs an ORG cannot swip, rdns, etc. They are locked down by ARIN’s decision to wipe out the POCs and then switch it to a “Document Check” situation.

      Simply Google, “CKN23-ARIN” and behold how much legacy space is being grabbed with this method. This includes US Govt, EDUs, corporations, and individuals.

      As an example: http://whois.arin.net/rest/net/NET-198-76-86-0-1/pft (http://www.ndu.edu/)

      I am unclear how this adds value to the data in the whois database. Some would say, myself included, that ARIN is causing tremendous damage to their whois database by these tactics.

      Mr Curran – Can you provide totals as to how many Legacy holders have had their POCs wiped out by ARIN? How many have provided documents? Of those that provided documents, what percentage has ARIN attempted to force into a new ORG and transfer?

      • John Curran

        Paul –
        Note that the “No Contact Known” entry put in whois entries (legacy or ARIN-issued) is the result of a policy adopted by the ARIN community for annual contact verification: https://www.arin.net/policy/nrpm.html#three61

        A completely non-responsive contact is replaced in the database as noted, but this does not preclude the assigned party from coming in and updating the information, nor does it change the status of the resources from being legacy issued.

        FYI,
        /John

        John Curran
        President and CEO
        ARIN

        • Paul London

          Thanks for your response John. One of my associates’ experience differs vastly from the process you describe.

          3.6.1 states: “If ARIN staff deems a POC to be completely and permanently abandoned or otherwise illegitimate, the POC record shall be marked invalid.”

          It would be interesting to know the exact guidelines ARIN instructs its staff to follow when deeming an ORG “permanently abandoned or otherwise illegitimate”.

          I can provide ARIN ticket numbers and entire ticket dialogs of an ongoing situation with an ORG that was created in the 90s, that has had same principal for 20 years, the corp is valid (in good standing), a document dump was provided to ARIN, and ARIN has been trying to railroad him into an ORG change and a transfer of the assets. The new ORG has the same data as the old ORG, including the email address that ARIN claims was unresponsive. The domain used on the ORG, all assignments, all billing, all ARIN related items has been the same domain for close to 20 years. Where would you like this information? Posted here for a community review or via email?

          How can an ORG be deemed abandoned, CKN23-ARIN put into place, when the ORG has been paying yearly for an AS#? I am not aware of an instance where an abandoned company continues to have credit cards issued and continues to login to ARIN to pay yearly invoices.

          It could be that your front line people enjoy busting balls or it could be an organizational policy to wrestle space from Legacy Holders while pointing to: 3.6.1.

          Either way, there is a Duty of Care with the management of the Whois database. Wholesale replacement of data with known to be 100% incorrect data is a slippery slope. Duty of Care responsibilities are not relieved because of a “community policy”. Nor is “community policy” justification for interfering with commerce. Without the ability to SWIP, provide rDNS, and prove ownership to upstream providers it becomes very difficult to attract new business, let alone keep the space routed.

          Not many options left within the ARIN realm. Consider this a call for assistance and the final attempt at trying to have this resolved within the realm of the “community” and not the judicial system.

          I will end this with the best quote of the day:

          After the transfer has been completed you will no longer have legacy status.

          Regards,

          Chad
          Resource Analyst

          • John Curran

            Paul –

            Please provide the ARIN ticket numbers; I am happy to investigate.

            /John

            John Curran
            President and CEO
            ARIN

  4. John Curran

    Mike –

    The reason that ARIN has a policy experience report is precisely so that the community hears about the consequences of various policies as they are implemented. If you believe that these policies should change in a particular manner, you should get more involved in the policy development process and encourage others of similar mind to do the same. One of the consequences of self-governance for critical Internet resources is that it is the majority of those who actually participate which counts most heavily in these processes.

    Thanks!
    /John

    John Curran
    President and CEO
    ARIN

  5. Paul London

    John Curran:

    Round 1: ARIN-20120215-X4753
    Round 2: ARIN-20130502-X8946

    Feel free to contact the ORG admin directly at the email address listed on the ORG or on the paid ARIN invoices.

    • John Curran

      It’s been reviewed, and short version is that we (at ARIN) screwed up. In particular, we had already approved the organization name change in one request ticket, but did not realize that there were related concurrent tickets being worked by multiple analysts. If we had noticed that this had already been reviewed and identified as simply a name change when the subsequent tickets were submitted, then these requests would have gone much smoother.

      I am sorry for the difficulty it caused for the organization involved with these requests; they’ve been contacted to bring this to closure and there is no reason for them to bring the legacy resources under an RSA if they don’t desire to do so. We have already done one internal review regarding how to avoid this in the future; recognize that we tend to be very conservative with respect to updating organization records due to all of the creative ways that folks attempt to hijack resources.

      Also, just to clarify ARIN’s procedures regarding Point of Contact (POC) records in the database, ARIN doesn’t typically remove contact information from number resource records unless the authorized registrant instructs us to do so. Per NRPM 3.6.1, ARIN will mark a POC record as unverified if they do not validate their record within 60 days of receiving their annual Whois POC validation notification, but we will not remove a POC record from the database.

      Thanks for raising this matter to my attention; hopefully we can avoid having others go through similar challenges when updating their records as a result.

      /John

      John Curran
      President and CEO
      ARIN

  6. Eric Dittman

    I found this thread while searching for CKN23-ARIN. Paul, did they actually fix this for you and the others you mentioned? I’m trying to get this fixed myself without any success (having Admin and Tech POCs replaced with CKN23-ARIN).