The quiet North American test
ARIN is not the regional Internet registry most people associate with institutional drama. AFRINIC has supplied the more visible case: litigation, receivership, contested elections, member-register disputes and the question of what happens when registry authority becomes entangled with corporate survival. RIPE NCC sits inside sanctions, war, European legal fragmentation and the problem of neutrality under state pressure. APNIC serves a vast Asia-Pacific region whose economies, political systems and network markets do not share a single institutional culture. ARIN's problem is quieter. It is the North American, post-exhaustion test of whether a mature registry can remain a neutral ledger after the thing recorded in that ledger has become a scarce capital asset.
That quietness makes ARIN more important, not less. A crisis registry teaches by failure. A stable registry teaches by boundaries. ARIN serves the United States, Canada and a defined set of Caribbean and North Atlantic jurisdictions. Its region contains cloud platforms, access networks, hosting companies, universities, public bodies, security vendors, address-rich legacy holders, merger-and-acquisition activity, brokered IPv4 transfers and capital markets sophisticated enough to price address holdings as part of business value. If the regional Internet registry model can adapt to IPv4 exhaustion without turning into discretionary asset governance, ARIN is one of the places where that adaptation should be visible. If it cannot, ARIN will reveal the problem in a cleaner form than a registry already under acute institutional stress.
The conflict is simple to state and hard to solve. A ledger records uniqueness, recognised control, transfer history, contactability and security-relevant facts. A gatekeeper decides who may enter, who may exit, who may trade, who qualifies, which services attach to which contractual status and what business conduct counts as acceptable. A registry must always perform some gatekeeping. Without checks for authority, fraud, duplicate claims, forged documents and dispute status, the ledger would become unreliable. But once the scarce resource beneath the record has market value, every additional gate becomes an economic instrument. The more the registry uses stewardship, community, eligibility and policy language to justify that instrument, the more it must answer a different question: is it protecting the ledger, or is it controlling capital?
ARIN's own public materials are useful exhibits because they are administrative rather than polemical. Its IPv4 Waiting List page says ARIN's free pool depleted in September 2015 and presents the waiting list as one path among several, alongside transfers and reserved pools. Its transfer guide describes merger and reorganisation transfers, specified-recipient transfers within the ARIN region, inter-RIR transfers, officer acknowledgements, signed Registration Services Agreements and recipient qualification. Its Number Resource Policy Manual sets out conservation, aggregation, registration, transfer, out-of-region and resource-review rules. Its legacy-resource page preserves basic services for non-contracted legacy holders while reserving RPKI and IRR access for resources under an ARIN agreement. Its Policy Development Process defines an open process in which support may be shown by the active portion of the Internet community, not by every affected party. None of those facts, alone, condemns ARIN. Together they mark the institutional hinge.
The hinge is post-exhaustion legitimacy. Before exhaustion, a registry's strongest claim was administrative rationing of a finite pool. After exhaustion, its strongest claim is reliable recordkeeping for resources already embedded in networks, transactions, contracts and balance sheets. If allocation-era logic continues to govern asset-era reality, a neutral bookkeeper gradually acquires the profile of a gatekeeper. The point is not that ARIN is a rogue institution. It is that the North American rule set shows how ledger protection and market control can become entangled even in a comparatively stable registry.
That makes the ARIN case analytically valuable. The official narrative of any registry should be treated as an exhibit, not as the frame that settles the argument. A registry saying it acts as steward tells us something about institutional self-understanding. It does not answer whether a transfer rule suppresses liquidity, whether a contract boundary creates leverage, whether a resource-review power is proportionate, or whether a mailing-list process adequately represents the economic interests exposed to its rules. ARIN should therefore be judged not by whether it uses the accepted language of the RIR system, but by whether its actual boundaries keep registry authority narrow enough to sustain market confidence.
What a ledger supplies
The operational value of a registry is narrow but indispensable. IP addresses and ASNs must remain globally unique. The public record must show who is recognised for which resource. Contacts must be usable for troubleshooting, abuse handling, diligence and accountability. Reverse DNS delegations must point where they are meant to point. Routing-security services must be coherent enough that route-origin assertions do not become another source of confusion. Transfers and changes of control must be recorded with enough evidence that the ledger does not lie. These are not ceremonial functions. They are part of the institutional substrate of a network operated by independent actors that nevertheless depends on unique identifiers.
The ledger does not create the economic value of an address. Operators create that value. They deploy address blocks into customer networks, hosting platforms, payment systems, firewalls, mail infrastructure, access networks, security appliances, cloud environments, industrial systems and internal applications. They bear the cost of renumbering if continuity fails. They answer customers when mail reputation breaks, geolocation is wrong, reverse DNS disappears, routing filters object, RPKI authorisations need changing or an acquisition depends on clean registry recognition. The registry record is powerful because these dependencies treat it as a reference point, but the productive system sits below the registry.
This is why the phrase "ledger versus gatekeeper" matters. A ledger answer is narrow: who is the recognised registrant, what is the current record, what evidence supports control, what is the transfer path, what is the dispute state, what services are attached and what security assertions exist? A gatekeeper answer is broader: is the recipient worthy, is the business plan acceptable, should the resource move, does the policy community approve this use, should services be withheld unless the holder enters a contract, should a legacy block be drawn into contemporary terms, should a market transaction wait for a needs assessment?
The first category preserves uniqueness and truth in the record. The second allocates economic opportunity. Some of the second category may be unavoidable. Fraud, forged authority, sanctions exposure, court orders, nonexistent source organisations and duplicate claims are not clerical inconveniences. They are threats to the ledger. But the burden of proof changes after exhaustion. A gatekeeping rule should not be treated as legitimate merely because it appears in a registry manual or has passed through the accepted vocabulary of community policy. It should be justified either as a necessary protection of the ledger or as a proportionate market-control rule whose economic costs are visible.
For ARIN, that distinction is not theoretical. A transfer can fail or slow because documentation does not prove authority. That is ledger protection. It can also fail or slow because the recipient cannot satisfy a need-based requirement for a privately negotiated purchase. That is closer to market control. A legacy holder can update Whois and RDAP without signing an agreement. That preserves the record. The same holder cannot use ARIN-hosted RPKI or IRR services unless the resources are under an agreement. That may be a defensible service boundary, but it also creates contract leverage as routing-security expectations become operationally important. A resource review can detect fraud. It can also become a source of uncertainty for address holdings acquired, financed or deployed at real cost.
The proper question is therefore not whether ARIN should have discretion. It must. The proper question is where the discretion sits. The closer it sits to uniqueness, authority verification, fraud prevention, dispute handling and accurate publication, the stronger ARIN's case. The closer it moves to business-model judgement, forward demand forecasting, market timing, capital immobility and contract migration, the more it resembles gatekeeping. A registry that accepts this distinction does not become weaker. It becomes more legitimate because the market can understand what its power is for.
Exhaustion turned administration into asset governance
IPv4 exhaustion did not merely create a shortage. It changed the economic meaning of the registry. Before exhaustion, the registry could plausibly speak mainly in the language of conservation and fair allocation. Applicants asked for a scarce but still administratively issued resource. The registry reviewed need, issued blocks, maintained records and tried to prevent waste. In that world, a needs test looked like a rationing device for a finite common pool.
After exhaustion, the same test looks different. ARIN's free pool depleted in September 2015. Addresses still move, but increasingly through transfers, acquisitions, reorganisations, leasing structures, corporate inventory management and market diligence rather than ordinary free-pool issuance. A block is no longer just an entry in a low-value administrative database. It is capacity, customer continuity, acquisition value, migration optionality, financing context and, for some holders, a strategic reserve. A delay in recognition can affect closing conditions. Contract status can alter diligence. A routing-security service boundary can affect operational readiness. A legacy-history question can change price. A resource review can become balance-sheet risk.
Institutional economics has a term for the danger: hold-up. One party invests in a specific asset or relationship that is hard to move. Another party controls a bottleneck after the investment is sunk. If the bottleneck holder's discretion is broad and its liability is narrow, the investor must price the possibility of opportunism, delay or reinterpretation. No bad faith is required. The structure alone produces a risk premium.
ARIN does not guarantee routing. Its policy materials recognise that routability depends on network operators. That is an appropriate limit. But the registry still affects the asset environment because market participants want the record to be clean, recognised and serviceable. The value of a block partly depends on whether the registry will recognise a transfer, allow necessary services, accept documentation, avoid surprise review, preserve legacy boundaries and keep processes predictable. This is why a registry can influence capital allocation without setting a price. Recognition is enough.
The post-exhaustion contract is therefore different from the allocation-era contract. The allocation-era question was, "Who should receive space from the remaining pool?" The post-exhaustion question is, "What minimum registry action is necessary to keep already-deployed and privately transacted space unique, transferable, auditable and operationally safe?" If the registry continues to answer the first question when the market is asking the second, it will mistake rationing for stewardship and gatekeeping for continuity.
This transformation is not unique to ARIN. It is a general problem for the RIR system. But ARIN is a clean case because it is not usually defended by claims of emergency. Its region has functioning courts, sophisticated counterparties, active brokers, large operators and address histories that reach back before ARIN's creation. A policy that is defensible in such a region must be defensible as a rule, not merely as crisis management. If the North American registry cannot keep market controls narrow, the problem is structural.
The economic fact that addresses have asset-like characteristics does not require any particular legal theory of property. Legal systems may characterise number resources differently, and ARIN has reasons to avoid language that implies ownership in the ordinary real-property sense. But markets do not wait for metaphysical agreement. If something is scarce, durable, transferable under rules, useful in production and priced by counterparties, it will be treated as an asset by operators, buyers, sellers, brokers, auditors and investors. The registry can influence that asset without declaring it to be property. It only needs to condition the recognised record.
That is why post-exhaustion legitimacy cannot be inherited from the allocation era. Conservation remains relevant where the resource is still being allocated from residual pools or where fraud threatens the record. It is less persuasive as a general answer to market transfers between willing parties. A registry that wants broad post-exhaustion authority must explain not only what principle it serves, but who pays for it.
The administered transfer market
ARIN's transfer system is neither a free market nor a command allocation system. It is an administered market. Private parties may negotiate commercial terms, but the registry must recognise the result. ARIN's transfer guide says transfers are governed by ARIN policies and identifies three main routes: transfers due to mergers, acquisitions and reorganisations under NRPM 8.2; specified-recipient transfers within the ARIN region under 8.3; and inter-RIR transfers under 8.4. It also states that transfer requests must meet ARIN policy to receive approval.
The distinctions matter. A merger or acquisition transfer is tied to the movement of assets, customers, equipment, networks or the organisation itself. ARIN says it will process such requests even if the combined organisation would exceed what could be justified under current needs policy, though excess resources may need to be transferred or voluntarily returned. The resources in an 8.2 transfer are not subject to a needs-based assessment during that transfer process. That rule reflects economic reality: corporate control can move infrastructure faster than an allocation-era needs test can describe it.
Specified-recipient transfers are more controlled. The source must be the current registered holder, must not be involved in a dispute over the resources, must provide a signed and notarised officer acknowledgement, must meet minimum transfer-size rules and must not have received a transfer or allocation of IPv4 resources from ARIN within the prior 12 months, subject to ownership-control exceptions. Reserved-pool resources are excluded. The source also faces a 36-month wait-list consequence after transferring IPv4 to another party. The recipient must satisfy transfer-recipient requirements and, if applicable, leaves the waiting list and cannot reapply for 90 days.
Inter-RIR transfers extend the same problem across registry boundaries. ARIN says 8.4 transfers can occur only between RIRs with reciprocal, compatible, needs-based policies. Its transfer page currently lists APNIC, LACNIC and RIPE NCC as approved for transfers with ARIN, and AFRINIC as not approved. Inter-RIR transfers involving ARIN may not include IPv6. ARIN may require additional documentation, including certification from the receiving RIR, and may refuse a transfer that does not meet community-developed policies such as reciprocal needs-based justification.
Recipient requirements under NRPM 8.5 retain allocation-era logic inside the transfer market. The minimum IPv4 transfer size is /24. An organisation without an IPv4 allocation qualifies for an initial /24. To qualify for a larger initial or additional block, an organisation can provide documentation showing that 50 percent of the requested space will be used within 24 months and that 50 percent of previous allocations is efficiently used. Under an alternative path, an organisation with allocations can demonstrate 80 percent efficient utilisation of current holdings and qualify for a transfer equal to current IPv4 holdings, up to a /16, once every six months. Recipients within the ARIN region receiving inter-RIR transfers must demonstrate need for up to a 24-month supply.
This is careful policy architecture. It is also a case study in gatekeeping. Verification of source authority protects the ledger. Notarised officer acknowledgement protects the ledger. Dispute status protects the ledger. Minimum block size may protect administrative and routing practicality. But needs-based recipient qualification in a private transfer is a different thing. It asks the registry to judge the buyer's future operational requirement even though the block is not being allocated from the free pool. It keeps price and willingness to bear risk from doing all the work markets normally do.
Defenders can make a reasonable case. Without needs review, speculative accumulation, shell transactions or hoarding could increase. A registry should not be indifferent to sham demand. Yet the post-exhaustion burden should be heavier than in the allocation era. The question is not whether speculation sounds unattractive. It is whether a particular restriction prevents a concrete harm at lower cost than the liquidity it suppresses. If the rule delays legitimate forward capacity planning, raises diligence costs, discourages sellers, narrows buyer pools or pushes demand into opaque leasing and nominee structures, it may protect the appearance of conservation while reducing the efficiency of the address economy.
An administered market can still work if the administrator is predictable. The problem is that predictability requires more than published rules. It requires aggregate data on processing times, documentation rounds, denials, abandoned transfers, inter-RIR bottlenecks and the reasons requests fail. ARIN publishes categories and procedures; the next step is to make friction visible. A market can price a known delay. It struggles with discretionary uncertainty.
The market also reads the boundary between 8.2 and 8.3 as a signal. If a buyer can move resources more easily by acquiring a company than by buying a block, transaction structures will adjust. Address-heavy companies may be valued not only for customers or infrastructure but for registry-recognised history. Subsidiaries may be preserved for address reasons. Deal lawyers will ask whether a transaction should be framed as asset purchase, merger, reorganisation or specified transfer. These are not abuses of the system. They are normal responses to administrative incentives.
The same is true for inter-RIR transfers. A global operator may care less about the physical location of customers than about where address records can move cleanly. If one RIR border creates policy incompatibility while another allows transfer, capital will flow through the easier path where possible. Registry borders therefore become economic borders even though routing itself is global. That is the capital-control problem in geographic form.
The waiting list and residual rationing
The IPv4 waiting list is the clearest example of rationing after abundance. ARIN says available space, typically from revocations due to non-payment, is used to fill approved requests on a first-approved basis, subject to the size of blocks that become available. Organisations holding more than a /20 equivalent of IPv4 space in aggregate are not eligible, excluding special-use space under specified reserved pools. The maximum aggregate an organisation may qualify for at one time is a /22. An organisation may have only one waiting-list request at a time. If it declines an available block, ARIN treats the request as fulfilled and removes it from the list. The organisation must be current on fees. Space distributed from the waiting list cannot be transferred to another organisation for 60 months except through 8.2 transfers. As observed on ARIN's public waiting-list page on 1 July 2026, the last distribution had been completed on 2 April 2026 and the next was expected on or about 1 July 2026.
These rules make sense as anti-gaming devices. A waiting list for residual returned space cannot become an arbitrage machine. If a recipient could obtain returned space and immediately resell it, the queue would subsidise the first organisation in line. If large incumbents could consume the residual pool, smaller networks would lose a politically important path to basic capacity. If multiple parallel requests were allowed, administration would be easier to game. The lock-up and /22 maximum therefore have a public logic.
But the waiting list also illustrates why scarcity changes every category into an economic boundary. A /22 is material to a small operator and irrelevant to the strategic needs of a cloud platform, large hosting firm or national access network. The /20 eligibility threshold creates a line between organisations that remain inside residual rationing and organisations forced into the market. The 60-month lock-up protects the rationing system but limits future flexibility. The 90-day consequences for receiving transfers or waiting-list space affect planning. A policy written as fairness becomes a set of incentives around timing, structure, transaction sequencing and account status.
The waiting list can also create a comforting myth: that administrative distribution still solves IPv4 scarcity. It does not. It supplies a limited safety valve for some organisations. It does not replace the transfer market, leasing, acquisitions, address sharing, carrier-grade NAT, IPv6 deployment or other operational strategies. Treating the waiting list as evidence that the registry remains a distributor of public abundance would be a category error. It is a residual rationing queue in a market world.
The gatekeeper risk emerges when residual rationing logic bleeds into transfer logic. For waiting-list space, restrictions may be proportionate because the space is released from a small common residual pool. For space already held and traded between private parties, the same anti-arbitrage instinct becomes more questionable. If the registry does not distinguish sharply between these cases, it will use the morality of rationing to justify controls over capital movement. That is the capital-control problem in miniature.
The waiting list also changes the politics of small operators. It gives them a reason to see ARIN not only as a ledger but as an allocator of last-resort opportunity. That can strengthen the registry's legitimacy among entrants. It can also encourage a constituency for continued rationing vocabulary. A small network that benefits from the waiting list may reasonably support controls that reserve residual space for similar firms. A larger network may see the same controls as symbolic scarcity management while it must buy in the market. Both views are rational from their positions. The registry's task is to keep the two logics separate rather than allowing one to swallow the other.
The post-exhaustion registry should be candid about this distinction. It can defend the waiting list as a small-equity mechanism without pretending that it is the centre of the IPv4 economy. It can defend lock-ups for subsidised residual space without importing lock-up logic into ordinary market transfers. It can protect small applicants without denying that market liquidity is now the main mechanism by which most additional capacity moves. Such candour would reduce suspicion because it would show that the registry recognises the economic world it governs.
Legacy, RSA and LRSA as constitutional facts
Legacy resources are ARIN's most revealing constitutional layer. ARIN was created after many early Internet number resources had already been issued by predecessor institutions. Its legacy-resource page explains that organisations with legacy resources have access to several ARIN services even if they are not under an ARIN agreement. Such holders can maintain unique registration in Whois and RDAP, update and manage public data, manage reverse DNS delegations, maintain registry records through ARIN Online and use DNSSEC for reverse zones. They cannot access ARIN's RPKI or IRR services unless their resources are under an ARIN agreement.
This distinction is a clean example of ledger versus gatekeeper. Basic record continuity is treated as a registry obligation for legacy resources. More advanced routing-security services are treated as agreement-based services. ARIN is not pretending that non-contracted legacy holders do not exist. Nor is it giving them every service without contract. It is separating the minimum ledger from a set of services that ARIN regards as requiring an agreement.
The separation is defensible, but it is not economically neutral. RPKI and IRR are no longer decorative services for many operators. RPKI improves route-origin assurance. IRR data remains used in filtering and routing operations across many networks. If operational norms make these services practically necessary, a non-contracted legacy holder faces pressure to enter an agreement. The pressure may be reasonable. ARIN needs terms for services that create legal and operational obligations. But the pressure should be named for what it is: a contract boundary around security-adjacent services that can affect asset usability.
The Legacy Registration Services Agreement adds another layer. ARIN's legacy page says the legacy fee cap expired on 31 December 2023, while organisations with an active LRSA entered before 1 January 2024 continue to have fees limited for legacy resources covered before that date. No additional legacy resources may be added after 1 January 2024. For legacy resources covered under an ARIN agreement after that date, annual Registration Service Plan fees apply. This is a technical billing statement. It is also an economic transition. Old special treatment is narrowing. New agreement status changes the cost structure.
The broader RSA matters because agreement status is not just paperwork. ARIN's agreements page says ARIN must receive a signed Registration Services Agreement before approving creation of an Org ID in ARIN Online, and that both existing and newly approved customers must sign the current version for each resource request. The transfer guide requires a signed RSA within a defined period after approval. The legacy page ties RPKI and IRR access to agreement status. Contract status therefore sits near transferability, service access and record management.
In a low-value administrative system, that might be routine. In an asset market, it becomes a key due-diligence question. Is the resource covered by an RSA, an LRSA, a newer agreement or no agreement? Are fees capped, phased or fully subject to current schedules? Are advanced services available? If an agreement changes, what happens to the holder's options? If a holder terminates after a service-terms change, what happens to pre-ARIN resources versus ARIN-issued resources? These questions are not legal trivia. They affect valuation.
Legacy resources also expose the difference between historical certainty and contemporary institutional ambition. Many early holders received resources before the present registry governance model existed. ARIN's recordkeeping role over those resources is necessary; its claim to impose later terms must be more carefully bounded. Section 12 of the NRPM states that resource review does not create additional authority for ARIN to revoke legacy address space, although legacy utilisation may be considered in assessing overall compliance. That limitation is important. It shows that ARIN's own rule set recognises a historical boundary.
The legitimacy test is whether that boundary remains meaningful as services modernise. If non-contracted legacy holders can maintain the basic ledger, the record remains neutral. If essential operational services migrate behind contract status, the line shifts. The registry can say that RPKI and IRR require legal terms, and that may be true. But it should also accept that the market will view the service boundary as a form of leverage. The answer is not to abolish agreements. It is to make the cost, benefit and consequence of agreement status plain enough that holders can choose without mythology.
Resource review and the power to unsettle
ARIN's resource-review provisions deserve close attention because they show how quickly ledger protection can become gatekeeping. Section 12 of the NRPM permits ARIN to review current usage of any resources maintained in the ARIN database. Reviews may occur when new resources are requested, when ARIN believes resources were obtained fraudulently or contrary to policy, when ARIN believes an organisation is not complying with reassignment or reallocation rules, and at any other time without having to establish cause unless a full review has been completed in the preceding 24 months. At the end of a review, ARIN communicates what further action is required. Organisations materially out of compliance may be asked or required to return resources. For ARIN-issued resources, ARIN may revoke as needed if voluntary return does not occur. Except in cases of fraud or policy violations, organisations receive at least six months to effect a return, with possible longer terms where good faith and valid need justify it.
That is a powerful instrument. It may be necessary to protect the registry from fraud, inaccurate utilisation claims and serious policy violation. A ledger that cannot correct false records is not a ledger. But a review power that can be triggered without cause is exactly the kind of tool that must be surrounded by restraint, metrics and review. In an allocation regime, review verifies that resources drawn from a common pool were justified. In a post-exhaustion market, review can affect assets acquired at market prices or embedded in operating businesses.
The economic harm from review uncertainty is not limited to revocation. A review can delay a transfer, complicate an acquisition, increase legal costs, chill a buyer, disrupt financing or force management attention away from operations. Even if no resources are returned, uncertainty can change price. In asset markets, process is substance. A right that can be challenged unpredictably is worth less than a right subject only to narrow, evidence-based review.
This does not mean ARIN should give up review. It means review should be classified by function. Fraud review protects the ledger. Authority review protects the ledger. Duplicate-claim review protects the ledger. Review of reassignment accuracy may protect contactability and registration quality. Open-ended utilisation review, especially where no new free-pool allocation is being sought, sits closer to allocation-era gatekeeping. The more a review affects resources already acquired or deployed, the more ARIN should be expected to show proportionality.
The remedy gap is central. If a review is wrong or disproportionate, a later correction may not repair lost commercial opportunity. A seller may miss a market window. A buyer may walk away. A lender may withdraw. A customer migration may fail. A public-procurement deadline may pass. Public registries can reasonably argue that they cannot insure every commercial use of every address. But if liability is thin while discretion is broad, the institution should compensate with narrow authority, transparent metrics, predictable timelines and credible escalation.
Aggregate review transparency would help. ARIN need not publish confidential holder details to show how often reviews occur, what triggers them, how long they take, how many conclude with no action, how many require correction, how many involve suspected fraud, how many lead to return or revocation, and how many are associated with transfer requests. Such data would let the market distinguish a strong anti-fraud function from a broad uncertainty tax. It would also discipline ARIN internally by making the cost of review visible.
The deeper point is that a registry's most dangerous power is not always the power it uses. It is the power the market knows it could use. If holders believe review is rare, targeted and evidence-driven, they price less risk. If they believe review can arrive unpredictably or become a negotiating lever, they price more. ARIN's legitimacy therefore depends not only on the text of Section 12, but on the institutional culture surrounding it.
Member power and the limits of community consent
ARIN has a member-governance structure, and it matters. Its membership page describes Service Members, General Members and Trustee Members. Entities with a valid RSA for Internet number resources are eligible for ARIN membership. Membership is not required to obtain direct resources, participate in policy discussions, submit suggestions or take part in public consultations. Voting power, however, belongs to General Members in good standing through designated voting contacts. General Members that do not cast a ballot in any of the previous three ARIN elections revert to Service Member status, though a blank ballot still counts as participation.
This is better than a purely nominal roll. It creates a mild discipline against inactive voting status. Each fall, General Members in good standing elect candidates to the Board of Trustees and Advisory Council. For two out of every three years they also elect an ARIN representative to the NRO Number Council, while in every third year the Board appoints the representative from a community-developed pool. These details matter because elections shape the people who oversee the corporation, shepherd policy and help determine how much discretion the registry should retain.
Still, member governance should not be romanticised. The affected public is larger than the voting class. A downstream business can depend on a network whose address strategy depends on ARIN rules without being an ARIN member. A cloud customer, hosting customer, enterprise buyer or public-sector user may experience the effects of registry policy through price, continuity or migration cost without appearing in the governance structure. Even among resource holders, the ability to follow policy lists, understand transfer rules and engage in elections varies sharply by size, staff capacity and economic exposure.
That is not a scandal. It is the ordinary political economy of specialised institutions. The word "community" should therefore be treated carefully. ARIN has a community, but the existence of a community process does not mean every institutional choice has the consent of all affected parties. It means there is a structured channel through which active participants can influence policy and governance. That is valuable. It is not a sovereign mandate.
Member power is best understood as a check on ARIN, not as a sacrament that validates ARIN. A member election can discipline board behaviour. A public consultation can expose costs. A policy-list debate can refine rules. A petition can challenge a process failure. But none of these mechanisms eliminates the need to ask whether the registry's authority is proportionate to the harm it prevents. In a post-exhaustion market, legitimacy comes from restraint as well as participation.
The key question for members is whether they see themselves as guardians of the registry corporation or guardians of registry-risk reduction. Those are different roles. A corporation-preservation view asks whether ARIN has adequate authority, revenue and organisational stability. A risk-reduction view asks whether holders and operators face less uncertainty because ARIN exists. The second test is harsher, but it is the one the market ultimately applies.
Member discipline should be measured by outcomes. Are elections meaningfully contested? Do members challenge fee and contract drift when it matters? Does the Board explain how policy and service decisions affect small holders, legacy holders and transfer-market participants? Do consultations generate changes, or merely record support for decisions favoured by insiders? Does the voting class include enough operational and economic diversity to discipline registry assumptions? These questions are less ceremonial than asking whether membership exists. They reveal whether member power actually bites.
Low participation is not only a governance problem; it is an economic signal. If address holders do not invest time in registry elections, it may mean they trust the institution. It may also mean the cost of participation is high relative to any individual's chance of changing outcomes. In either case, ARIN should be cautious about treating silence as consent. Silence in a specialised governance process often means exit is costly, voice is expensive and most affected parties have other fires to fight.
Policy mailing-list economics
ARIN's policy process is open in important ways. The PDP says policy changes must be developed through open and transparent processes with meaningful opportunity for public participation. It says policies must be considered in open and publicly accessible forums, that the Public Policy Mailing List is archived and public, and that proceedings and minutes are published. The process defines roles for the Internet community, proposal authors, the Advisory Council, policy shepherds, ARIN staff and the Board of Trustees. It includes ordinary policy development, last call, board adoption, petitions, policy suspension and emergency action.
The existence of public voice is a strength. It makes quiet capture harder. It gives dissenters a record. It lets outsiders, brokers, operators, civil-society participants, commercial users and lawyers observe how policy ideas evolve. In a world where private associations exercise quasi-public functions, archived argument is an institutional asset.
The cost of voice remains high. Policy lists reward those who can afford to read long threads, understand procedural history, write in the language of registry governance and attend recurring meetings. A small operator facing customer churn or address shortage may not have the staff time to turn operational pain into policy text. A buyer trying to close a confidential transfer may have little incentive to argue publicly about rules that affect a live transaction. A legacy holder may prefer to avoid attention. A large organisation may engage through lawyers, consultants or experienced policy staff. The result can be formally open and still economically skewed.
This is not a flaw unique to ARIN. It is a general feature of specialised self-governance. The people most able to participate are not always the people most affected per dollar of exposure. The cost of participation is fixed in time and expertise, while the benefit is uncertain and shared. That creates a classic collective-action problem. Large holders and policy specialists can amortise the cost. Small networks and occasional transfer participants cannot. The mailing list may therefore underrepresent exactly the marginal operator for whom a transfer delay, waiting-list lock-up or service boundary matters most.
The PDP also separates policy from implementation processes, services and fees. A proposal must address policies and guidelines followed by ARIN in managing Internet number resources, and may not define staff implementation processes, services or fees. Those topics go through other suggestion or consultation channels. The separation is administratively rational. It also means some of the most economically important issues for asset holders sit outside the main policy path. Transfer-delay metrics, service eligibility, fee schedules, RPKI access, IRR access, contract language, staff processing, review timelines and publication quality can shape the market as much as NRPM text. If they are not debated with the same visibility, the public policy process can look more complete than it is.
The legitimacy of the policy process therefore depends on evidence discipline. If a transfer rule affects liquidity, the discussion should include data on delays, denials, abandoned tickets, documentation rounds, fraud incidence, inter-RIR friction, processing times, reasons for non-completion and market impact. If a waiting-list rule affects small entrants, the discussion should include information about who receives space, how long requests wait, how often recipients later need more space and whether lock-ups have unintended effects. If a resource-review rule affects market certainty, the discussion should include aggregate review outcomes. Without such data, the process can become a ritual of openness rather than a machine for accountability.
The solution is not to abolish mailing-list policy. It is to lower the cost of meaningful dissent. ARIN could publish more friction data, commission economic-impact notes for liquidity-affecting proposals, summarise operational consequences in plain language, separate ledger-protection rules from market-shaping rules, and require any rule that restricts transferability to state the concrete harm it prevents. A community process becomes more legitimate when it asks less of the absent and supplies more evidence to the present.
The petition mechanism illustrates the same balance. A member of the Internet community can challenge certain Advisory Council actions, but petition support depends on defined participation and member-organisation thresholds. Such thresholds prevent frivolous disruption and force organised concern. They also show that the process is not a simple measure of all affected preferences. It is a filtered deliberative system. Filtered deliberation can be legitimate, but only if it remains humble about what it proves.
Capital-control risk without conspiracy
"Capital control" sounds accusatory. It need not be. A registry can create capital-control effects without intending to become a financial regulator. If an institution can determine whether a scarce, tradeable, productive resource may move, how long movement takes, what documentation is required, which counterparties qualify, whether service access follows and whether a past allocation can be reviewed, it influences capital allocation. It does not need to set prices. It only needs to condition recognition.
ARIN's system contains several such conditions. Waiting-list space is locked for 60 months except for merger and reorganisation transfers. Source organisations in specified transfers face recent-receipt restrictions and waiting-list consequences. Recipients must satisfy operational-use and needs-based requirements. Inter-RIR transfers require compatible needs-based policy. Receiving entities must sign an RSA unless a current one is already on file. Resources from reserved pools are not eligible for transfer. Resource review can occur without cause at intervals permitted by policy. Legacy holders get basic record services without agreement but need agreement for RPKI and IRR.
Each rule has a plausible justification. Together they form a control layer, and the market adapts around it. Buyers prefer clean documentation. Some firms lease rather than wait for transfer recognition. Others acquire companies for address holdings, preserve subsidiaries to protect history, avoid uncertain cross-RIR deals or discount encumbered resources. These are not side effects; they are the economic expression of the rule system.
The risk is highest when conservation rhetoric is used after the free pool has ceased to be the relevant source of supply. A willing buyer and willing seller do not prove that a transfer is socially optimal, but they do provide strong evidence that the resource may be moving toward higher-valued use. The registry can still verify authority, uniqueness, fraud risk and dispute status. It should be more cautious about substituting its own forecast of need for the buyer's willingness to pay and bear operational risk.
Capital-control risk also appears through regional logic. ARIN is more open than a closed outbound-embargo regime because it has inter-RIR transfer paths with several other RIRs. But the need for reciprocal, compatible needs-based policies means mobility depends not only on the parties but on inter-registry policy compatibility. AFRINIC's not-approved status for ARIN-compatible transfers is a reminder that registry borders can trap capital even when the resource is technically global. The address does not route with a passport, but the registry record moves through institutional borders.
The proper standard is not "no controls." It is "ledger controls first, market controls justified." A market-shaping rule should have a stated harm, measurable incidence, expected cost, review period and narrower alternatives. Otherwise capital-control effects accumulate under the softer vocabulary of stewardship.
This standard would also help ARIN defend itself. If a rule prevents a documented fraud pattern, say so. If a lock-up protects residual waiting-list space from immediate arbitrage, say so. If needs review prevents a measurable problem in transfers, publish enough aggregate evidence to support the claim. If the harm is speculative or inherited from allocation-era assumptions, reconsider the rule. Mature institutions gain trust by showing their work.
Mandate laundering and the vocabulary of stewardship
The most delicate problem is language. "Stewardship" is a good word when it means care for a narrow shared function. It is a dangerous word when it converts a private coordination role into broad authority over assets. "Community" is useful when it means an open field of participants. It is dangerous when it sounds like a legal principal that has authorised a particular exercise of power. "Region" is necessary for service delivery. It is dangerous when a service region begins to sound like a political territory. "Consensus" is valuable when it records informed agreement among active participants. It is dangerous when treated as consent by absent affected parties.
This is mandate laundering. A narrow mandate enters a process of regional rhetoric, procedural ritual, policy vocabulary and institutional habit. A broader mandate comes out. No one needs to announce a power grab. The vocabulary does the work. The registry is not merely maintaining a record; it is stewarding the community's resources. A policy list is not merely a discussion forum; it becomes the voice of the region. A board is not merely governing a private registry corporation; it becomes the guardian of the Internet's future. A needs test is not merely a market restriction; it becomes fairness. A transfer delay is not merely cost; it becomes due process.
ARIN is relatively disciplined in its public documentation. Its pages are often more administrative than grandiose. But the wider RIR vocabulary still surrounds it, and ARIN's PDP itself uses stewardship, Internet community support and regional management language. The risk is not a single phrase. The risk is that the vocabulary lets the institution avoid the economic question. Who bears the cost?
If a transfer restriction prevents fraud, the cost may be justified. If it prevents ordinary market reallocation because the registry prefers historical allocation logic, the cost falls on buyers, sellers and customers. If a waiting-list lock-up prevents arbitrage, the cost may be proportionate. If similar lock-up instincts spread into ordinary transactions, the cost becomes capital immobility. If service bundling pays for useful infrastructure, the cost may be acceptable. If it coerces legacy holders into broader terms because operational norms make RPKI essential, the cost becomes contract leverage. If resource review catches fraud, the cost is governance. If review without cause chills legitimate transactions, the cost is uncertainty.
The cure is to translate stewardship language into operational and economic tests. Does the rule protect uniqueness? Does it protect record accuracy? Does it prevent duplicate claims? Does it preserve routing-adjacent security? Does it correct fraud? Does it isolate disputes without disrupting running networks? If yes, the rule sits near the ledger. If no, it should be treated as market governance and justified accordingly.
This translation is not hostile to ARIN. It is a discipline that would let ARIN's strongest case survive. The institution does not need inflated language to justify maintaining unique records, publishing registration data, protecting transfer integrity and supporting routing-security services. Those functions are important enough. The danger comes when legitimate administrative functions are used to smuggle in authority over business decisions, capital movement or historical entitlements without saying so.
Mandate laundering is especially tempting in stable institutions because the words become normal. Nobody feels they are laundering anything. They are simply using the inherited vocabulary of the field. But inherited vocabulary becomes dangerous when the underlying economics change. The words that once justified allocation from a scarce public pool may not justify control over private transfers in a depleted market. ARIN's legitimacy depends on noticing the difference.
Registry-layer risk is now business risk
For an operator, registry-layer risk is the risk that the record, services, transfer path or contract relationship becomes uncertain enough to affect the business. It includes contract risk, policy risk, service risk, review risk, dispute risk, remedy risk and reputational risk. It is not the same as packet loss. It is the institutional risk around identifiers that packets, customers, security systems and contracts expect to remain stable.
The operational dependencies are mundane. Reverse DNS matters for mail and reputation. RPKI matters for route-origin assurance. IRR objects matter for filtering and routing operations in many networks. RDAP and Whois matter for contactability, abuse handling and diligence. Transfer records matter for acquisitions and sales. Organisation and Point of Contact records matter for authority. A block's registry history matters to brokers, buyers and lawyers. None of these services alone creates the network, but uncertainty around any of them can produce cost.
A company buying an address-heavy business is not only buying customers, contracts or equipment. It is buying a history that the registry must be willing to recognise. A lender financing a transaction wants to know whether address holdings can move if the borrower restructures. A hosting firm leasing or buying capacity wants to know who carries registry-facing risk. A public-sector customer wants continuity without becoming an expert in NRPM sections. The registry layer therefore enters commercial risk assessment even when no one describes it that way.
ARIN is in a better position than a crisis registry because its processes are documented and its public services appear routine. That is not a reason to stop watching. Stable institutions can accumulate quiet discretion because their legitimacy is assumed. A resource holder may not feel the risk until an acquisition, transfer, audit, service change, fee change or legacy migration forces the question. By then, options are narrower.
The more important IPv4 becomes as an asset, the less acceptable it is to treat registry risk as an obscure administrative detail. Boards buying address-heavy companies should diligence registry status. Lenders should understand whether addresses are transferable and under what conditions. Operators leasing addresses should know who carries registry-facing risk. Legacy holders should understand service boundaries before signing new terms. Members should treat Board and Advisory Council elections as control over an economic infrastructure layer, not as volunteer ceremony.
This is not an argument for panic. It is an argument for treating the registry as part of the business environment. A registry that is narrow, predictable and transparent lowers the cost of capital around address holdings. A registry that is broad, discretionary and mythologised raises it. ARIN's opportunity is to be the first kind of institution in a market that increasingly needs exactly that.
What a narrow ARIN would look like
ARIN's best defense against the gatekeeper critique is not to insist that all its powers are expressions of community stewardship. It is to narrow and evidence them. The registry should be strongest where the ledger is strongest: uniqueness, accuracy, fraud prevention, verified authority, transfer recording, publication continuity, routing-security coherence, legacy clarity and transparent dispute status. It should be weakest where the gatekeeper temptation is strongest: business-model judgment, capital immobility, needs assessment detached from residual-pool allocation, service leverage, open-ended review and regional rhetoric inflated into public mandate.
That defense would fit ARIN's actual strengths. Its service region is defined. Its election structure exists. Its policy process is public. Its transfer categories are documented. Its legacy-service table is unusually clear. Its statistics page acknowledges transfer activity as a continuing fact. Its RSA and agreements pages make contract status visible. Its resource-review section preserves an explicit legacy limitation. These are not trivial assets. They are the ingredients of a constrained registry.
The challenge is to make constraint measurable. ARIN could publish aggregate recognition times, documentation cycles, denial and abandonment categories, inter-RIR bottlenecks, waiting-list time-to-fill, resource-review triggers and outcomes, legacy-migration patterns and economic-impact summaries where transferability, service access or fees are materially affected. It could state, for each liquidity-affecting rule, whether the rule protects the ledger, protects residual-pool fairness, prevents a documented fraud pattern or intentionally shapes the market. The answer would not always be comfortable. That is why it would be useful.
ARIN should also distinguish more sharply between free-pool allocation and market transfer. Needs-based review may remain defensible for distribution from a residual pool. It is less obviously justified when space is bought from another holder. If ARIN believes needs review remains essential for transfers, it should defend that position with evidence about concrete harms prevented, not merely with conservation vocabulary inherited from the allocation era.
Resource-review authority should be tightened in practice even if the text remains broad. Reviews without cause should be rare, explained in aggregate and surrounded by timelines and recourse. Fraud review should be forceful. Routine uncertainty review should not become a standing tax on asset confidence. Legacy space should remain protected from new revocation authority not only in text but in institutional habit.
Advanced services should be unbundled as much as security permits. If RPKI and IRR access require agreement, ARIN should state the operational reason and contractual consequence plainly, and it should revisit the boundary if those services become practically necessary for ordinary operations. A service that begins as optional can become functionally compulsory as network norms evolve. A legitimate registry notices when that transition happens.
Member elections should be treated as economic governance. Board and Advisory Council seats influence transfer policy, fee logic, contracts, resource review and service priorities. Members should not treat elections as a civic ritual detached from commercial consequence. ARIN should not treat member participation as an afterthought once formal legitimacy is secured. A voting structure with low engagement cannot discipline institutional drift merely by existing.
Finally, ARIN should avoid the temptation to defend the entire RIR model when a narrower defense would do. The North American market does not need a grand theology of registry stewardship. It needs a reliable record that reduces uncertainty. If ARIN can prove that it lowers registry-layer risk for operators, holders, buyers, sellers and customers, its legitimacy will be stronger than any official narrative could make it.
What to watch
The ARIN ledger-versus-gatekeeper question will be decided by accumulation, not by one scandal. The first watchpoint is transfer friction. If 8.3 and 8.4 transfers become faster, more predictable and more data-rich, ARIN will look more like a ledger for a mature market. If transfers require increasing documentation, unclear staff interpretation or policy uncertainty, gatekeeping risk will rise.
The second watchpoint is needs assessment. Any tightening or expansion of recipient qualification should be examined as a capital-control event. Any narrowing, safe harbor or data-backed simplification would signal recognition that market transfers differ from free-pool allocations.
The third watchpoint is legacy service pressure. RPKI, IRR and future routing-security expectations can turn optional service boundaries into practical compulsion. Modular agreement-based services strengthen trust; perceived contract leverage weakens it.
The fourth watchpoint is resource review. Section 12 is powerful. The market should care less about whether the power exists in text and more about how it is used. Aggregate review transparency would lower risk. Opaque or frequent review without cause would raise it.
The fifth watchpoint is policy participation. The PDP's active-subset model is workable for technical policy, but asset governance demands better evidence. Watch whether ARIN policy discussions around transferability, fees, services and review include economic impact or remain mostly procedural. A registry that cannot hear market evidence will govern a market badly.
The sixth watchpoint is member power. General Members elect the Board and Advisory Council, but a voting structure with low engagement cannot discipline institutional drift. ARIN's non-voting reversion rule is a useful nudge, not proof that the electorate reflects the affected economic base.
The seventh watchpoint is inter-RIR mobility. ARIN-compatible transfers with APNIC, RIPE NCC and LACNIC show that cross-registry movement is possible. AFRINIC's exclusion from the approved list shows that registry borders remain economically meaningful. As global IPv4 markets mature, any incompatibility becomes a capital wedge.
The eighth watchpoint is vocabulary. When ARIN speaks as a recordkeeper, it is on strong ground. When any registry speaks as though community or region authorises broad market control, the market should ask what mandate has been laundered through the words. The safest registry is the one that can explain its authority without mythology.
Credibility lies in the ledger
ARIN matters because it is a plausible registry. It is not useful to treat it as a caricature. The North American registry has documented processes, visible governance, public policy machinery and a transfer system that acknowledges market reality more than some alternatives. That is why it is a serious test. A weak institution can be dismissed as a local failure. A functioning institution reveals the structural tension of the model itself.
The post-exhaustion registry cannot rely on the legitimacy theory of the allocation era. Scarcity changed the object. Transfers changed the process. Legacy resources changed the legal history. RPKI and IRR changed the service dependency. IPv4 leasing and secondary-market pricing changed operator expectations. Capital markets changed the cost of uncertainty. A registry that continues to speak mainly in conservation and community vocabulary will look increasingly like a gatekeeper even when it believes it is stewarding the public interest.
The better path is institutional modesty. ARIN should be strongest where the ledger is strongest: uniqueness, accuracy, fraud prevention, verified authority, transfer recording, publication continuity, routing-security coherence, legacy clarity and transparent dispute status. It should be weakest where the gatekeeper temptation is strongest: business-model judgment, capital immobility, needs assessment detached from free-pool allocation, service leverage, open-ended review and regional rhetoric inflated into public mandate.
The Internet does not need an Olympian bookkeeper. It needs a reliable record that knows it is a record. It needs registries whose power is narrow enough that their legitimacy does not depend on ritual language. It needs transfer rules that protect against fraud without suppressing liquidity. It needs legacy certainty that survives service modernisation. It needs policy processes that treat active participants as valuable evidence, not as the entire affected world. It needs continuity of the function, not mythology around the gate.
ARIN's opportunity is to prove that a registry can administer a mature IPv4 market without pretending to govern the asset economy from above. If it does so, its legitimacy will not come from the word stewardship. It will come from a lower risk premium around the resources it records. Buyers, sellers, operators, legacy holders, members and customers will know what the institution is for. It will maintain the ledger. It will verify what must be verified. It will publish what must be published. It will avoid deciding what markets, courts and operators are better placed to decide.
That is the institutional economics of ledger versus gatekeeper. A ledger creates trust by being accurate, narrow and boring. A gatekeeper creates dependence by making itself unavoidable. ARIN's future legitimacy depends on choosing the former with enough discipline that the latter never becomes the default.

