With IPv4 addresses becoming scarcer, there has been talk that a trading market will develop. The idea is that those holding addresses they do not really need will sell them for a profit. More alarming is that there have been a few articles about how the Regional Internet Registries (RIRs) are contemplating creating such a market so that they can regulate it, conceding that it will happen anyway and taking the "if you can't beat 'em, join 'em" attitude.
This is all a bit disturbing. Maybe I'm naïve, but it's a little unclear to me how an unsanctioned trading market could really operate without the RIRs at least being aware if not being able to take steps to prevent it. After a decade of adhering to strict RIR policies, it would be infuriating to see the RIRs tolerate this abuse.
For those of you who haven't gone through it, the address allocation process can be quite arduous as you are subjected to significant scrutiny from the RIRs. This is all for good reason of course, to conserve address space and to make sure addresses are distributed fairly and not to parties with ill intent.
Note: For those of you versed in the RIR address allocation processes, you can skip the admittedly wordy next section. But for those who are not familiar, it would be helpful to understand the structure that exists when thinking about the plausibility of a trading market.
Background on the IP Address Allocation Process
When you want to acquire addresses for the first time, you have to submit the requisite address request forms describing in detail the reason you need public addresses and why you can't have your upstream ISP assign them to you. You have to provide a network addressing plan and, if you are a service provider, a plan for how you will assign addresses to your projected customer base. You also have to supply network diagrams and sometimes even copies of hardware invoices to prove that you are indeed undertaking the service build out and are not exaggerating its size or, worse yet, are not just an address squatter. You have to provide billing information and submit payment for the addresses, and you have to provide technical and administrative contact information.
It doesn't stop there.
If you are running a service where you need to make address assignments to customers (who because of IPv4 address depletion cannot acquire their own public addresses), you are initially restricted to what is called the Assignment Window (AW). The AW is essentially how much address space an ISP, acting as a Local Internet Registry (LIR), can assign without RIR oversight. It is a measure of the trust the RIR places in the LIR's hands to proxy for the RIR and administer addresses in accordance with RIR policies. The AW usually starts at zero until you prove yourself. That means you have to fill out the address request form and submit it to the RIR every time you want to make an assignment to your customer, sometimes incurring delays in deploying your customer's service (and collecting payment, another important matter). After proving that you are doing a diligent job, you may get your AW increased to a /24. That means you can assign blocks in subnet increments up to 256 addresses without RIR oversight. If the customer request exceeds 256 addresses (your AW), you must submit the form to the RIR and absorb the processing delay.
Furthermore, each time you make an assignment it must be "SWIP'd" (pronounced "swipped"). This means you must insert an INETNUM object or similar record into the RIR database to record the assignment. The record denotes to whom the assignment was made and provides contact information. Even if you change the contact information to that of your customer receiving the assignment, the parent allocation (the aggregate) still contains your contact information. Anyone who has had to answer angry calls from someone being spammed or attacked from address space that you assigned to a customer is painfully aware of this.
It still doesn't stop there.
To acquire additional allocations, you have to prove you have used 80% of your existing space. The method that the RIRs use to measure your usage is usually a report run against their database to see if the total of all your INETNUM objects equals 80% or more of your allocation(s). They may also ask for additional paperwork or proof that you need more addresses.
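An added example, not part of the original article and not any RIR's tooling: a sketch of the 80% usage report described above, together with the Assignment Window check from earlier. The allocation, the inetnum records and all function names are constructed for illustration, and counting overlapping or out-of-allocation records only once (or not at all) is an assumption, since the page does not describe the actual report logic.

```python
import ipaddress
import re

# Constructed sample data (not real registry records): a /22 allocation and
# RPSL-style records trimmed to two attributes each. One record overlaps
# another and one lies outside the allocation.
ALLOCATION = ipaddress.ip_network("198.18.0.0/22")
SAMPLE_DB = """\
inetnum: 198.18.0.0 - 198.18.0.255
netname: CUST-A
inetnum: 198.18.1.0 - 198.18.1.127
netname: CUST-B
inetnum: 198.18.1.64 - 198.18.1.191
netname: CUST-C-OVERLAPS-B
inetnum: 198.18.2.0 - 198.18.2.255
netname: CUST-D
inetnum: 203.0.113.0 - 203.0.113.255
netname: OUTSIDE-ALLOCATION
"""
INETNUM_RE = re.compile(r"^inetnum:[ \t]*(\S+)[ \t]*-[ \t]*(\S+)[ \t]*$", re.M)

def parse_inetnums(text):
    """Return (first, last) integer pairs for every inetnum range in text."""
    return [(int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b)))
            for a, b in INETNUM_RE.findall(text)]

def assigned_addresses(ranges, allocation):
    """Count distinct addresses inside the allocation covered by any range."""
    lo, hi = int(allocation.network_address), int(allocation.broadcast_address)
    clipped = sorted((max(a, lo), min(b, hi)) for a, b in ranges
                     if a <= hi and b >= lo)
    total, cursor = 0, lo - 1          # cursor: highest address counted so far
    for a, b in clipped:
        a = max(a, cursor + 1)         # skip the part already counted
        if a <= b:
            total += b - a + 1
            cursor = b
    return total

def utilization(text, allocation):
    """Fraction of the allocation covered by assignment records."""
    used = assigned_addresses(parse_inetnums(text), allocation)
    return used / allocation.num_addresses

def exceeds_assignment_window(first, last, aw_prefix=24):
    """True if the requested range is larger than the AW (assumed /24)."""
    size = int(ipaddress.IPv4Address(last)) - int(ipaddress.IPv4Address(first)) + 1
    return size > 2 ** (32 - aw_prefix)
```

On this constructed data a naive sum of record sizes gives 1024 addresses (100% of the /22), while the de-duplicated, in-allocation count is 704 (68.75%), which falls short of the 80% threshold.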
The process I've described is largely that of RIPE and APNIC rather than ARIN, whose process is a bit different but no less thorough. (I haven't worked directly with the relatively new AfriNIC and LACNIC to know their processes.) The RIRs do an excellent job overall, but the process can still be time consuming for what in the grand scheme of things should be a relatively trivial part of putting together a service offering. Again, it is for good reason.
What Happens in a Trading Market?
So, are we saying that if a trading market opens up, all of this is over? All of the policies and processes that we've lived by for more than a decade go out the window?
If a trading market starts, suddenly the only discretion governing who can receive an allocation is who is willing to bid the highest. There will be no scrutiny over the reasons why the buyer wants the addresses. No proof they are building a network or deploying a service or applying the addresses to their own corporate network. They may not even be in the IP business. They may just be speculators looking to acquire addresses, sit on them and then flip them for profit like a house. Worse yet, the addresses could be sold to someone who is going to use them fraudulently, perhaps a spammer that has been blacklisted but now has new addresses to work with.
Is there really nothing the RIRs can do about this? If a trading market can open up and addresses transferred between parties so easily, why were any of us so honest and diligent about following RIR policies all these years?
It is also unclear to me how the address transfer actually takes place without it being obvious to the RIRs. The address seller, who is presumably an ISP/LIR or at least some sort of corporate entity, has billing and contact information registered with the RIR. That would need to be changed to the new owner. Do the seller and buyer fake a merger / acquisition like when two ISPs merge, then transfer the addresses? Wouldn't the RIRs realize this and be able to take action? Looking at the ARIN proposal, I think such a scheme would be difficult to pull off. Or does the seller continue to proxy for the buyer as the billing and technical contact to hide the transfer? That would be a strange thing for someone who is just interested in dumping the addresses and collecting the check.
Perhaps the talk of a trading market is just speculation by those that haven't gone through the rigors of the address allocation and management process to see the impracticality of it. I'm sure there will be small pockets of trading, but can it be so widespread that you see IP address blocks listed on eBay and sold with no RIR oversight whatsoever?
Again, the RIRs have done a fantastic job over the years to keep things under control. I'd hate to see all that work and diligence undermined (especially when I spent so much time adhering to it). I have always been under the impression that the RIRs have significant authority. I'd hate to find out that was all bark and no bite.
Can someone from an RIR please comment on these questions? It is not clear to me how the RIRs would not be able to crack down on a trading market by revoking the addresses or forcing the upstream ISP (by a similar address revocation threat) to filter the route advertisement. Please provide some insight into what the RIRs are thinking and how they intend to approach the situation if it occurs.
By Dan Campbell, President, Millennia Systems, Inc.