How to Protect Your Pre-1997 IP Address
If your company obtained its IP address space before 1997, you have probably received several letters from the American Registry for Internet Numbers Ltd. (ARIN) encouraging you to enter into a contractual agreement to protect the IP address. But should you sign it?
ARIN's contract is called the Legacy Registration Services Agreement (Legacy RSA). It proposes to give companies contractual guarantees, including grandfathering of certain protected rights; continued use -- at no extra charge, at least for now -- of IP address services like "in-addr" and "whois" listings; reduced annual fees compared with those of ARIN's regular IP address holders; and future fee waivers, in exchange for returning unused IP address space.
But be careful -- there are several issues you should consider before signing up for this.
The information and advice in this piece are based on my experience advising legacy address holders in connection with their participation in the Legacy RSA program. I've been working with legacy holders since the beginning of the program in 2007, and my representation has included leading negotiations with ARIN on behalf of clients. As part of this effort, I've also had informal consultations with ARIN's lead counsel and its directory of registry services.
Since Dec. 22, 1997, ARIN has been the authorized administrator of IPv4 address allocations and services in North America. ARIN is one of five regional Internet address registries, all operating under the authority of ICANN. ARIN obtained this authorization through a delegation from InterNIC, which previously handled the assignment and administration of domain names and IP addresses. (InterNIC itself was organized in 1993 by the National Science Foundation and Network Solutions Inc., a private company awarded the government contract to provide IP address services.)
Before 1993, IP addresses were assigned through the Internet Assigned Numbers Authority (IANA).
Under the rules of InterNIC and IANA, Internet service providers and certain end users were allocated or assigned IP address blocks directly, subject only to industry-accepted best practices and Internet community standards. There were no contractual obligations between the registries and these legacy IP address holders.
By the time ARIN appeared on the scene, even as early as 1997, there was concern within the Internet community about possible IPv4 address space exhaustion. To protect against that, ARIN adopted policies designed to discourage IP address hoarding and to promote space reuse. Under ARIN's policy, for example, ISPs that obtain direct allocations of IPv4 addresses require each of their downstream customers to show that it has used at least 80% of its previously assigned IPv4 addresses before receiving any new ones.
Similarly, end users who want to receive additional assignments of IPv4 network space from ARIN must demonstrate that they are using at least 80% of their current addresses, will use at least 25% of the requested addresses immediately and will use 50% of the new addresses within one year of the request, based on reasonable and documented network growth projections.
Failure to comply with ARIN's resource conservation policies could result in the revocation of some of an organization's IPv4 addresses.
The legacy registration program
Registrants that obtained IP addresses directly from ARIN after 1997 entered into service agreements that fall under ARIN's jurisdiction, and are therefore subject to ARIN's resource utilization policies. But it is unclear whether IP address registrations of legacy IP address holders -- those that happened before 1997 -- were ever formally transferred to ARIN. ARIN has never claimed that it has control over these legacy IP addresses, but at the same time, it has never conceded that it lacks the authority either.
In an effort to harmonize the policies across all IP address allocations -- legacy and non-legacy -- and to cement ARIN's jurisdiction over the legacy address holders, ARIN launched its Legacy RSA program in late 2007. The deadline for signing up for this program is Dec. 31, 2011 -- recently extended by ARIN for an additional year. The costs are $100 per year through 2013, with potential increases after that, but by no more than $25 per year.
To participate, a legacy IP address holder must submit an application to ARIN. Participation in the program is voluntary and is limited to the original registrants and subsequent transferees that can prove -- with supporting documentation -- to ARIN that their legacy IP addresses were obtained lawfully from an original registrant.
Finding any documentation about original address registrations is difficult for many legacy registrants. If companies address the documentation issue with ARIN in advance, gaps in their registration records may not necessarily prevent them from participating in the Legacy RSA program. But ARIN does not state what "supporting documentation" means.
After ARIN approves the application, the legacy address holder and ARIN may then enter into the Legacy RSA.
Next page: What to do before signing anything
Should your company sign the Legacy RSA?
To entice legacy address holders to formalize their relationships with ARIN and accept its policies on a voluntary basis, ARIN offers address holders several benefits through contractual guarantees embodied in the Legacy RSA. Key contractual guarantees include grandfathering of certain protected rights; continued use -- at no extra charge, at least for now -- of IP address services like "in-addr" and "whois" listings; reduced annual fees when compared to ARIN's regular IP address holders; and future fee waivers in exchange for returning unused IP address space.
The argument for
Grandfathering protected rights is a core Legacy RSA benefit promoted by ARIN. The central protected rights are as follows:
* The terms and conditions of the Legacy RSA, including the vested/protected rights unique to legacy address holders, trump any conflicting current ARIN policies and any future policies adopted by ARIN.
* The Legacy RSA automatically renews in one-year increments unless (a) ARIN terminates it for cause, or (b) the applicant terminates it for convenience or for cause (i.e., due to ARIN's material breach). If the legacy applicant terminates for cause, the legacy applicant reverts to the status (and rights and benefits) it enjoyed prior to entering into the Legacy RSA.
* ARIN may not terminate a Legacy RSA for its convenience.
* ARIN agrees not to reduce the services it provides to the legacy IP addresses.
* ARIN promises that it will not revoke unused legacy IP address resources -- absent a breach of the Legacy RSA by the legacy applicant. However, under its existing policies, ARIN may refuse to issue new IPv4 address space to any legacy IP address holder that has not met ARIN's utilization requirements for its existing IPv4 network block.
* If a company signs up for the current Legacy RSA, it may switch to any subsequent Legacy RSA that may be more favorable, at the address holder's option.
The implication for any legacy IP address holder refusing to enter into the Legacy RSA by the Dec. 31, 2011, deadline is that ARIN may deny them the benefits of the guaranteed rights, and they will, as a result, be subject to future enforcement action by ARIN.
What might that future enforcement action be? ARIN could materially diminish the value or limit the use of legacy IP address services not protected by the Legacy RSA program. If, for example, ARIN removes or obfuscates a holdout's IP address registration records from the reverse DNS database (officially, the "in-addr.arpa domain records"), the host names associated with the legacy IPv4 addresses may not be discoverable through reverse DNS.
ARIN could also obscure information about holdouts from ARIN's routing registry. The routing registry allows ISPs to retrieve accurate and current routing policy information, which in turn helps them configure and manage their networks to effectively route their customers' Internet traffic. Further, holdouts that want to transfer their unused IPv4 addresses to third parties may have trouble convincing potential transferees to pay full value for "gray-market" addresses when addresses are also available in an ARIN-approved transfer market.
The specter of having their legacy IP address allocation revoked creates significant concerns for legacy IP address holders who might otherwise be inclined to reject the Legacy RSA because, among other negatives, applicants must waive any and all claims of ownership in their IP addresses. At the moment, this concern should not influence any organization's decision to accept or reject the Legacy RSA offer. ARIN has stated publicly that it currently has no plans to revoke the IP addresses assigned to legacy IP address holders that do not participate in the program.
However, ARIN has also acknowledged that its plans in this regard could change if it adopts new policies or legal requirements. So, in other words, ARIN is saying it won't revoke the IP addresses of legacy holders that don't sign up -- for now -- but that policy could change down the road.
And, in fact, revocation of IP addresses registered to entities that don't comply with ARIN's policies is an enforcement remedy laid out in ARIN's existing policy manual. However, ARIN is unlikely to go this far for legacy holders that don't sign up -- unless they are also engaging in some other prohibited activity, such as selling addresses on eBay.
Indeed, ARIN's authority to revoke legacy IP addresses, enforce its current policies against legacy IP address holders or change the services provided for legacy IP addresses is unclear and untested. It is likely that ARIN calculated that concerned legacy address holders would see the benefit of signing the Legacy RSA in exchange for eliminating the risk that ARIN might otherwise try to revoke their legacy IP addresses.
Even without enforcement action by ARIN, there are risks for companies that do not join the rest of the Internet community by voluntarily submitting their number resources to ARIN's stewardship. As attention to the IPv4 exhaustion problem continues to increase, legacy registrants -- particularly those with the largest networks -- will be scrutinized publicly about their utilization in the face of scarcity. Signing and complying with the Legacy RSA would allow them to deflect criticism by highlighting that they are accountable members of the Internet community acting in accordance with ARIN's policies.
The argument against
Entering into the Legacy RSA requires legacy IP address holders to give up current benefits associated with their pre-ARIN registrations. Under the agreement, legacy applicants must waive any and all claims of ownership in their IP addresses. The status of IP addresses as "property" has been the subject of considerable policy debate in the industry and remains an unresolved legal question. Still, waiving the legal right to assert ownership interests in their IP addresses could have significant economic consequences for legacy address holders if future judicial decisions hold that assigned IP addresses are, indeed, property.
ARIN's policy position is that IP addresses (like telephone numbers) are a shared public resource and that ARIN is a steward of those resources. In ARIN's view, IP address holders are conditionally assigned the use of IP addresses for as long as they need and use them, subject to continued compliance with the Internet community's policies that are adopted and enforced by ARIN and the other regional Internet registrars.
The Legacy RSA obligates legacy IP address holders to comply with ARIN's policies, which may change over time. Refusing to enter into the agreement may not shield legacy address holders from future attempts by ARIN to enforce its policies. Nevertheless, legacy address holders that do not sign the Legacy RSA preserve their ability to argue that ARIN lacks authority to alter or diminish property rights claimed in their IP addresses.
Another consideration is that legacy holders outside of the agreement are not required to pay fees to ARIN, and Legacy RSA agreement signers are.
Impact on transferability
The non-transferability of IP addresses has been a fundamental ARIN policy. In accordance with its standard transfer policy, IP addresses may not be assigned or transferred without ARIN's prior and express permission.
Some legacy registrants have -- without regard to ARIN's policies -- freely transferred their space to third parties, including their joint ventures, outsourcing vendors and corporate spin-offs. For years, there has also been considerable speculation in the Internet community about the existence of a "black market" of IPv4 space.
Legacy registrants that have not signed a Legacy RSA could, by relying on the legal theory that ARIN's transfer restriction policies do not apply to them, participate in this unsanctioned IPv4 market without the black market stigma. As a condition of the Legacy RSA, participating legacy registrants give up the flexibility to engage in these liberal IP address transfer practices.
The Legacy RSA provides participating legacy IP address holders with one exception to ARIN's general non-transferability policy: They may assign their legacy IP addresses along with the Legacy RSA to their successors (without ARIN's consent) by notifying ARIN of the transfer, provided that the successors obtain controlling interests in the previous legacy address holder.
In addition, although ARIN has historically prohibited the sale of IP addresses, it recently adopted a new transfer policy that, under certain circumstances, permits IP address registrants to transfer their unused address space to third parties in return for compensation. Legacy registrants may participate in this "white market" for IPv4 addresses only if they enter into either a Legacy RSA or a standard RSA covering the addresses to be transferred.
The current legacy agreement program is set to expire Dec. 31, 2011. At the moment, it is not clear what will happen to rogue legacy IP address holders after that. ARIN could enhance the legacy program benefits to encourage greater participation, extend the program as is (which it has done twice already) or attempt to enforce its standard policies aggressively against holdouts (for example, demanding that they return unused address space).
Only ARIN knows what's next, and it is holding its cards very close to the vest.
So, what should companies with legacy address space do?
* Review your company's information in ARIN's WHOIS database, and confirm that the point of contact (POC) information records are accurate. ARIN sends communications to registrants via the POC's information in the WHOIS database.
* Find out whether your organization received an offer from ARIN to sign the Legacy RSA and obtain a copy of the letter and offer (check the in-box of the e-mail address for the POC in the WHOIS database).
* Submit the Legacy RSA to your senior network operations and legal teams to assess whether the pros outweigh the cons for the organization, and decide whether to sign up, reject ARIN's offer or wait until the deadline to see what ARIN's next move will be.
* Start migrating to IPv6. It's a good idea for architectural reasons -- IPv4 is not natively compatible with IPv6, so without some translation or tunneling technology, at some point organizations that use only IPv4 for their Web presence and Internet access won't be able to reach, or be reached by, end users or organizations that use IPv6. Also, ARIN would not likely deny a legacy registrant IPv6 addresses if it doesn't sign the Legacy RSA. Under its policies it could, but creating roadblocks to IPv6 migration runs counter to ARIN's primary goal of getting everyone switched over.
For most companies, the accept/reject/stall decision won't be easy. It's key for organizations to evaluate their options fully under current market and policy conditions, and then plan a strategy that protects their interests in, and maximizes the utility of, their valuable -- and scarce -- IPv4 number resources.