Should your company sign the Legacy RSA?
To entice legacy address holders to formalize their relationships with ARIN and accept its policies on a voluntary basis, ARIN offers address holders several benefits through contractual guarantees embodied in the Legacy RSA. Key contractual guarantees include grandfathering of certain protected rights; continued use -- at no extra charge, at least for now -- of IP address services like "in-addr" and "whois" listings; reduced annual fees when compared to ARIN's regular IP address holders; and future fee waivers in exchange for returning unused IP address space.
The argument for
Grandfathering protected rights is a core Legacy RSA benefit promoted by ARIN. The central protected rights are as follows:
* The terms and conditions of the Legacy RSA, including the vested/protected rights unique to legacy address holders, trump any conflicting current ARIN policies and any future policies adopted by ARIN.
* The Legacy RSA automatically renews in one-year increments unless (a) ARIN terminates it for cause, or (b) the applicant terminates it for convenience or for cause (i.e., due to ARIN's material breach). If the legacy applicant terminates for cause, the legacy applicant reverts to the status (and rights and benefits) it enjoyed prior to entering into the Legacy RSA.
* ARIN may not terminate a Legacy RSA for its convenience.
* ARIN agrees not to reduce the services it provides to the legacy IP addresses.
* ARIN promises that it will not revoke unused legacy IP address resources -- absent a breach of the Legacy RSA by the legacy applicant. However, under its existing policies, ARIN may refuse to issue new IPv4 address space to any legacy IP address holder that has not met ARIN's utilization requirements for its existing IPv4 network block.
* If a company signs up for the current Legacy RSA, it may switch to any subsequent Legacy RSA that may be more favorable, at the address holder's option.
The implication for any legacy IP address holder refusing to enter into the Legacy RSA by the Dec. 31, 2011, deadline is that ARIN may deny them the benefits of the guaranteed rights, and they will, as a result, be subject to future enforcement action by ARIN.
What might that future enforcement action be? ARIN could materially diminish the value or limit the use of legacy IP address services not protected by the Legacy RSA program. If, for example, ARIN removes or obfuscates a holdout's IP address registration records from the reverse DNS database (officially, the "in-addr.arpa domain records"), the host names associated with the legacy IPv4 addresses may not be discoverable through reverse DNS.
ARIN could also obscure information about holdouts from ARIN's routing registry. The routing registry allows ISPs to retrieve accurate and current routing policy information, which in turn helps them configure and manage their networks to effectively route their customers' Internet traffic. Further, holdouts that want to transfer their unused IPv4 addresses to third parties may have trouble convincing potential transferees to pay full value for "gray-market" addresses when addresses are also available in an ARIN-approved transfer market.
The specter of having their legacy IP address allocation revoked creates significant concerns for legacy IP address holders who might otherwise be inclined to reject the Legacy RSA because, among other negatives, applicants must waive any and all claims of ownership in their IP addresses. At the moment, this concern should not influence any organization's decision to accept or reject the Legacy RSA offer. ARIN has stated publicly that it currently has no plans to revoke the IP addresses assigned to legacy IP address holders that do not participate in the program.
However, ARIN has also acknowledged that its plans in this regard could change if it adopts new policies or legal requirements. So, in other words, ARIN is saying it won't revoke the IP addresses of legacy holders that don't sign up -- for now -- but that policy could change down the road.
And, in fact, revocation of IP addresses registered to entities that don't comply with ARIN's policies is an enforcement remedy laid out in ARIN's existing policy manual. However, ARIN is unlikely to go this far for legacy holders that don't sign up -- unless they are also engaging in some other prohibited activity, such as selling addresses on eBay.
Indeed, ARIN's authority to revoke legacy IP addresses, enforce its current policies against legacy IP address holders or change the services provided for legacy IP addresses is unclear and untested. It is likely that ARIN calculated that concerned legacy address holders would see the benefit of signing the Legacy RSA in exchange for eliminating the risk that ARIN might otherwise try to revoke their legacy IP addresses.
Even without enforcement action by ARIN, there are risks for companies that do not join the rest of the Internet community by voluntarily submitting their number resources to ARIN's stewardship. As attention to the IPv4 exhaustion problem continues to increase, legacy registrants -- particularly those with the largest networks -- will be scrutinized publicly about their utilization in the face of scarcity. Signing and complying with the Legacy RSA would allow them to deflect criticism by highlighting that they are accountable members of the Internet community acting in accordance with ARIN's policies.
The argument against
Entering into the Legacy RSA requires legacy IP address holders to give up current benefits associated with their pre-ARIN registrations. Under the agreement, legacy applicants must waive any and all claims of ownership in their IP addresses. The status of IP addresses as "property" has been the subject of considerable policy debate in the industry and remains an unresolved legal question. Still, waiving the legal right to assert ownership interests in their IP addresses could have significant economic consequences for legacy address holders if future judicial decisions hold that assigned IP addresses are, indeed, property.
ARIN's policy position is that IP addresses (like telephone numbers) are a shared public resource and that ARIN is a steward of those resources. In ARIN's view, IP address holders are conditionally assigned the use of IP addresses for as long as they need and use them, subject to continued compliance with the Internet community's policies that are adopted and enforced by ARIN and the other regional Internet registrars.
The Legacy RSA obligates legacy IP address holders to comply with ARIN's policies, which may change over time. Refusing to enter into the agreement may not shield legacy address holders from future attempts by ARIN to enforce its policies. Nevertheless, legacy address holders that do not sign the Legacy RSA preserve their ability to argue that ARIN lacks authority to alter or diminish property rights claimed in their IP addresses.
Another consideration is that legacy holders outside of the agreement are not required to pay fees to ARIN, and Legacy RSA agreement signers are.
Impact on transferability
The non-transferability of IP addresses has been a fundamental ARIN policy. In accordance with its standard transfer policy, IP addresses may not be assigned or transferred without ARIN's prior and express permission.
Some legacy registrants have -- without regard to ARIN's policies -- freely transferred their space to third parties, including their joint ventures, outsourcing vendors and corporate spin-offs. For years, there has also been considerable speculation in the Internet community about the existence of a "black market" of IPv4 space.
Legacy registrants that have not signed a Legacy RSA could, by relying on the legal theory that ARIN's transfer restriction policies do not apply to them, participate in this unsanctioned IPv4 market without the black market stigma. As a condition of the Legacy RSA, participating legacy registrants give up the flexibility to engage in these liberal IP address transfer practices.
The Legacy RSA provides participating legacy IP address holders with one exception to ARIN's general non-transferability policy: They may assign their legacy IP addresses along with the Legacy RSA to their successors (without ARIN's consent) by notifying ARIN of the transfer, provided that the successors obtain controlling interests in the previous legacy address holder.
In addition, although ARIN has historically prohibited the sale of IP addresses, it recently adopted a new transfer policy that, under certain circumstances, permits IP address registrants to transfer their unused address space to third parties in return for compensation. Legacy registrants may participate in this "white market" for IPv4 addresses only if they enter into either a Legacy RSA or a standard RSA covering the addresses to be transferred.
The current legacy agreement program is set to expire Dec. 31, 2011. At the moment, it is not clear what will happen to rogue legacy IP address holders after that. ARIN could enhance the legacy program benefits to encourage greater participation, extend the program as is (which it has done twice already) or attempt to enforce its standard policies aggressively against holdouts (for example, demanding that they return unused address space).
Only ARIN knows what's next, and it is holding its cards very close to the vest.
So, what should companies with legacy address space do?
* Review your company's information in ARIN's WHOIS database, and confirm that the point of contact (POC) information records are accurate. ARIN sends communications to registrants via the POC's information in the WHOIS database.
* Find out whether your organization received an offer from ARIN to sign the Legacy RSA and obtain a copy of the letter and offer (check the in-box of the e-mail address for the POC in the WHOIS database).
* Submit the Legacy RSA to your senior network operations and legal teams to assess whether the pros outweigh the cons for the organization, and decide whether to sign up, reject ARIN's offer or wait until the deadline to see what ARIN's next move will be.
* Start migrating to IPv6. It's a good idea for architectural reasons -- IPv4 is not natively compatible with IPv6, so without some translation or tunneling technology, at some point organizations that use only IPv4 for their Web presence and Internet access won't be able to reach, or be reached by, end users or organizations that use IPv6. Also, ARIN would not likely deny a legacy registrant IPv6 addresses if it doesn't sign the Legacy RSA. Under its policies it could, but creating roadblocks to IPv6 migration runs counter to ARIN's primary goal of getting everyone switched over.
For most companies, the accept/reject/stall decision won't be easy. It's key for organizations to evaluate their options fully under current market and policy conditions, and then plan a strategy that protects their interests in, and maximizes the utility of, their valuable -- and scarce -- IPv4 number resources.
This story, "How to Protect Your Pre-1997 IP Address" was originally published by Computerworld.