ARIN is usually described as a North American technical registry: a Virginia nonprofit corporation, a regional Internet registry, an operator of Whois and RDAP services, a keeper of IPv4, IPv6 and ASN records, and a forum for number-resource policy. That description is accurate, but it is too thin for the scarcity era. A registry does not become economically important only because it allocates new numbers. It becomes important when its historical records become the public reference layer for scarce assets already embedded in networks, contracts, customer dependencies, security controls and balance sheets.
The pressure point is legacy number resources. These are IPv4 addresses and ASNs whose original allocation predates ARIN's modern contractual order. ARIN's own legacy resources page records the essential history: early address space was allocated liberally, often without formal legal agreement; when ARIN was formed in December 1997 it took on administration of earlier IPv4 and ASN records that were not already administered by RIPE NCC or APNIC; and its board decided to provide registration services for those legacy resources without requiring original holders to sign a Registration Services Agreement or pay service fees. That history is not a sentimental footnote. It is the root of a continuing institutional problem. Some of the oldest records now sit on some of the most valuable scarcity assets in the Internet economy.
The central claim here is deliberately narrow. ARIN is a useful test case for why historical allocation records and legacy-resource title still matter for asset confidence, disputes, transfers, registry legitimacy and the line between ledger stewardship and gatekeeping. "Title" does not mean a settled legal conclusion that IPv4 addresses are ordinary property, or that any particular legacy holder owns an address block in the same way that it owns a building. The stronger economic meaning is more practical: can the market, counterparties, courts, lenders, buyers, sellers, network operators and the registry identify the recognized holder, trace the chain of changes, distinguish current authority from stale contact data, and predict how a contested update or transfer will be treated?
That kind of title is not an abstraction. It affects the discount applied to a block, the diligence cost of a purchase, the willingness of a buyer to close, the ability of a seller to prove authority, the risk borne by a lessee or downstream customer, and the credibility of ARIN's record when another institution asks who should be treated as the current registrant. In a world where IPv4 scarcity has turned registry entries into balance-sheet-sensitive assets, confidence in the record is not a clerical luxury. It is part of the asset.
ARIN's official pages are useful exhibits, but they are not a sufficient theory of institutional legitimacy. They show what the registry says it does, what services it provides, what conditions it attaches, and how its policies describe transfers. They should not be treated as the final account of why registry power is justified. Heng Lu's public notes on registry risk, including the argument to protect the ledger, not the gatekeeper, frame the harder question: number uniqueness, accurate records, publication services and continuity of running networks are real needs; the incumbent registry's full bundle of institutional claims is a different matter. His note on mandate laundering gives a name to the conversion of a limited administrative function into something that starts to look like public authority. The same lens should be applied carefully to ARIN. Its documents contain both evidence of necessary registry work and evidence of the fault lines where useful stewardship can become discretionary gatekeeping.
Title without property theology
The debate over IPv4 title is often derailed by an overlarge question: are IP addresses property? That question matters in litigation and contract drafting, but it is not the only question that matters in markets. A market can require title confidence even when the legal category is contested, limited or deliberately framed as something other than ordinary ownership. Airlines use slots, telecom firms use spectrum licences, traders use clearing records, financial institutions rely on book-entry systems, and many valuable positions depend on recognition by a central recordkeeper. The economic question is not always whether the thing is owned absolutely. It is whether a recognized interest can be identified, relied upon, transferred, secured, defended and updated without arbitrary uncertainty.
That is the right way to think about ARIN legacy resources. ARIN's Number Resource Policy Manual, Section 8, states that number resources are not "sold" under ARIN administration and are assigned for exclusive use under stated purposes and policies. The sentence is important. It rejects a simple commodity story. But it does not abolish the market's need for title confidence. A registry can deny that it sells addresses while still controlling the record update that makes an outside transaction operationally meaningful. A block can be described as a registration right, an exclusive use position, a transfer-eligible record, an operating input or a scarce network identifier. In every description, counterparties still ask the same questions: who can cause the record to change, what evidence is required, what conditions attach, and how predictable is the registry's response?
For legacy resources, title confidence has three layers. The first is historical: how did the record originate, and how did it move through the early Internet's administrative systems? The second is organizational: does the current named holder still exist, has it changed name, merged, sold assets, dissolved, delegated operations or lost its original contacts? The third is institutional: what does ARIN require before it will recognize authority, approve a transfer, maintain services, or bring the resource under a modern agreement?
These layers are not interchangeable. A public Whois record may identify an organization, but that display line may not prove that a specific officer can authorize a sale. A signed corporate document may prove succession, but the registry may still require agreement terms, points of contact, policy eligibility or evidence that the resource is not in dispute. A block may route perfectly, yet remain illiquid because the corporate chain is unclear. Conversely, a block may be poorly used but have clean registry authority. Economic value sits in the combination.
The result is an uncomfortable middle category. Legacy title does not require pretending that ARIN is a land registry for private parcels of Internet space. It also does not permit pretending that the registry is merely a phone book. A record that can support a transfer, a court filing, a routing-security assertion, a reverse-DNS change or a live network migration is part of the resource's economic substance. The registry may not create the value, but it can make that value more or less liquid.
The old ledger became capital
IPv4 scarcity changed the meaning of old records. Before scarcity, an address block was mainly an operational input. It allowed hosts to be reached, routers to announce prefixes, customers to be served and networks to be numbered. The allocation record mattered because two unrelated networks could not use the same public number space without operational conflict. The registry was a coordination device.
After scarcity, the same record became a capital reference. The address block still routes packets, but it also carries replacement cost, opportunity cost, transactional value and sometimes financing significance. ARIN's IPv4 addressing options page records the turning point: ARIN's free pool of IPv4 address space was depleted on 24 September 2015. Ordinary requests for new IPv4 cannot be filled except through narrow reserved-policy cases. Requests may enter a waiting list, which depends on space becoming available through returns, revocations, IANA distribution or other reissuance. Otherwise organizations seek IPv4 through specified-recipient transfers under NRPM 8.3 or inter-RIR transfers under NRPM 8.4.
Scarcity did not make ARIN a marketplace in the ordinary sense. Buyers, sellers, brokers and lawyers negotiate price, risk allocation and closing conditions outside the registry. But scarcity did make ARIN's record and approval function central to market confidence. A buyer may locate a seller. A broker may introduce the parties. A law firm may draft asset-purchase terms. A network engineer may plan route migration. Yet the transaction does not acquire registry finality until the record is updated under the applicable policy and agreement structure. If ARIN cannot determine that the current registrant is the source, if the source entity no longer exists, if corporate succession is unclear, if the point of contact lacks authority, or if a dispute exists over status, the market transaction meets the registry's evidentiary boundary.
That boundary is not incidental. In a thin commodity market, title confidence might be almost entirely private. In IPv4, confidence is partly institutional because the public record is a shared reference point for routing, abuse contact, reverse DNS, transfers, security services and legal correspondence. A stale record may still be visible. A visible record may not prove current authority. A current authority may require non-public documentation. A block may be routable while its transfer status is uncertain. The market therefore prices not only the numerical size of the block but the friction in converting registry recognition into clean control.
Legacy allocations are the hardest version of the problem. They come from a period when allocation, use, registration and contract were less formal. Many old holders have changed names, merged, dissolved, outsourced networks, spun off units, sold business lines or left records unattended. That does not make every legacy record defective. It means old records require a more serious concept of chain of custody. When a large block descends from a pre-ARIN entry, the economically relevant question is not simply "what does Whois say today?" It is "how much confidence should a rational counterparty place in this record as evidence of authority to update, transfer, secure or monetize the resource?"
ARIN's legacy materials show the duality. Organizations with legacy resources not under an ARIN agreement can still maintain unique registration in Whois/RDAP, update and manage public data, manage reverse DNS, maintain registry records in ARIN Online and access DNSSEC. But ARIN says such organizations must be under an ARIN agreement to access RPKI and IRR services. The record exists before the modern contract; some services continue without it; other services require crossing into the contractual perimeter. That perimeter is where title economics begins.
Legacy resources are not just old allocations
The phrase "legacy resources" can sound like a historical courtesy. It is more than that. In economic terms, a legacy resource is a present scarcity asset whose origin sits outside the normal post-ARIN contract framework. Its origin belongs to the early administrative Internet; its liquidity belongs to the modern IPv4 market. That dual identity makes it institutionally awkward.
ARIN's present system is built around authenticated accounts, points of contact, service agreements, transfer documentation, policy eligibility and records maintained through ARIN Online. Legacy records may have entered the database before that system existed. If all such records were treated as ordinary contract resources, historical reliance would be erased. If all such records were treated as immune from present registry discipline, ARIN could not maintain accuracy, prevent hijacking or support secure transfer. ARIN's practical answer has been a boundary system: a legacy holder can receive certain core record services without signing an agreement, but signing an LRSA or RSA changes the service relationship and access to certain capabilities.
That boundary is not merely administrative. It defines economic options. A legacy holder outside an agreement may value contractual independence, especially if it sees the original allocation as carrying a stronger claim than a modern service right. It may also face limits: no ARIN RPKI or IRR access unless the resource is covered by an agreement, and transfer completion may require a recipient RSA or other agreement-related steps. A holder inside an agreement may gain service certainty and routing-security capabilities, but it also accepts a contractual and policy framework that can affect future use, fees, transfer steps and compliance duties.
Two address blocks of the same size can therefore carry different risk. One may have clean corporate continuity, validated contacts, a current agreement, active RPKI planning and no dispute. Another may have a stale organization name, an unvalidated point of contact, unclear successor documents and no agreement. Both may be routed. Both may appear in public data. Both may be economically valuable. But they are not economically identical. The second block carries title friction. That friction appears as legal fees, longer closing time, price discount, escrow complexity, buyer hesitation, insurance exclusions, lender caution or failed approval.
The mistake is to reduce legacy status to a nostalgic privilege or an embarrassing exception. It is neither. It is a hard institutional test. A registry that inherited old records must keep the ledger reliable without retroactively converting every inherited position into a discretionary favour. A holder that relies on old records must prove authority without assuming that historical origin alone defeats all modern security and transfer requirements. The market needs both sides to be disciplined.
This is why legacy title is so important to transfer-market confidence. The market does not need a theological answer to the property question before it can function. It needs a predictable institutional pathway from historical record to current authority, from current authority to authorized update, and from authorized update to final registry recognition. When that pathway is clear, scarce resources become more liquid. When it is opaque, old allocations become trapped capital.
The RSA and LRSA boundary is an economic fault line
ARIN's agreement structure is the formal expression of the legacy boundary. The current Agreements page says legal contracts define and bind the relationship between ARIN and its customers, and that ARIN must receive a signed Registration Services Agreement before approving creation of an organization ID in ARIN Online. The public RSA PDF, Version 14.0 dated 15 August 2025, defines Included Number Resources to include registration rights for IP address space and ASNs, including legacy number resources issued to a holder or predecessor before ARIN's inception and specifically identified by the holder as subject to the agreement. Subject to compliance and fees, it grants the holder the exclusive right to be the registrant of included resources within the ARIN database, the right to use them within that database, and the right to transfer their registration pursuant to policy.
Those words are economically revealing. They do not declare absolute ownership. They do define a valuable bundle: exclusive registrant status in ARIN's database, use in that database, and transfer of registration under policy. In a scarce market, that bundle is close to the operational heart of the asset. A buyer does not merely want a seller's promise. It wants the registry to recognize the buyer. A network operator does not merely want routing permission from a counterparty. It wants a record that supports contact, reverse DNS, security, transfer and future diligence.
The LRSA adds the transitional layer. ARIN states that it offered the Legacy Registration Services Agreement from 11 October 2007 through 31 December 2023 to organizations and individuals in its service region with legacy resources. It also states that the legacy fee cap expired on 31 December 2023; organizations with an active LRSA entered before 1 January 2024 continue to have fees limited for legacy resources covered before that date; no additional legacy resources may be added after 1 January 2024; and legacy resources covered under an ARIN agreement after that date are subject to annual Registration Service Plan fees.
This is not simply a billing story. It marks the closing of a transitional bargain. The LRSA was a bridge between early allocation records and the modern contract stack. The retirement of the fee cap does not erase historical reliance, but it changes the economics of joining the agreement perimeter. A legacy holder deciding whether to bring space under contract now evaluates legal language, security access, transfer readiness, future policy dependency and ongoing fee exposure together.
The agreement boundary also creates a legitimacy problem for ARIN. On one side, ARIN has a serious registry argument: it must maintain accurate records, prevent duplicate claims, support transfers, validate contacts and protect routing-related services. On the other side, every additional condition attached to an old record risks looking like conversion of inherited ledger authority into discretionary leverage. The more valuable IPv4 becomes, the more each contractual step resembles an economic toll. That does not make the toll illegitimate by itself. It does mean the burden of explanation grows.
Institutional economics sees the ambiguity clearly. The RSA/LRSA line reduces transaction costs and creates monopoly risk at the same time. A common agreement can reduce uncertainty: parties know what services are included, what records must be maintained, which policies apply and how transfers proceed. But the same agreement can concentrate control: the registry defines the terms under which a holder can access security services, complete transfers and maintain status. The question is not whether agreements should exist. The question is whether ARIN's use of agreements remains tied to ledger stewardship or expands into gatekeeping over the economic life of scarce resources.
Whois and RDAP are a confidence system
Whois and RDAP are often described as public directory services. That is true, but economically incomplete. ARIN's Registry Data Description says Whois data is available through Whois-RWS and RDAP, and that these services are driven by a relational database with objects representing organizations, individuals and resources. It identifies that relational database as the ARIN Registry. It also says ARIN collects operational data to provide public, transparent registry information via RDAP and Whois-RWS that is authoritative and accurate for Internet number resources managed by ARIN.
The value of this system is not simply that anyone can look up a contact. It is that many independent actors can anchor decisions to the same record. An abuse desk can find a responsible organization. A network researcher can map allocation history. A buyer can identify the apparent registrant. A counterparty can compare an officer certificate with the public Org ID. A security team can assess whether stale contact data signals hijacking risk. A court can ask what the registry recognizes. A lender can ask whether the block being discussed is the same block in the public record.
ARIN's Data Accuracy page is especially important. It says one of ARIN's core responsibilities is to maintain a registry of unique Internet number resources in the ARIN region and provide accurate registration information, including associated organization and contact information. It says an accurate registry is essential to Internet operability and stability. It also warns that registration records that have not been updated have increasingly become targets for hijackers and other potential criminals, which can lead to a registrant losing control not only of resources but also of its Org ID and point-of-contact records.
That is the registry version of asset fraud. If the public record becomes weak, the scarce resource becomes easier to misappropriate or cloud with dispute. A hijacker does not need to own the economic reality of a block if it can manipulate the reference layer that others use to identify authority. A buyer does not need to know every operational fact if it can rely on a clean registry pathway. Conversely, if that pathway is unreliable, even honest sellers suffer because buyers start pricing the possibility that the record is not what it appears to be.
RDAP improves machine readability, but it does not solve confidence by format alone. A JSON response can be stale. A structured field can still contain an obsolete organization. A neat API can return a record whose corporate authority is uncertain. Confidence depends on maintenance, validation, controlled updates, historical traceability and dispute handling. That is why annual point-of-contact validation and data-accuracy programs have economic significance. They are not merely administrative housekeeping. They are anti-hijacking and market-confidence infrastructure.
The availability of WhoWas and bulk data also matters. Historical registration information can help reconstruct chain of custody, identify sudden changes and support diligence. But history is useful only when the institution treats the ledger as evidence rather than a discretionary instrument. A record that changes without transparent authority becomes less valuable as evidence. A record that cannot change when legitimate succession is proven becomes less valuable as a current operational reference. The registry must be conservative enough to prevent fraud and flexible enough to record reality.
Legacy resources make the balance delicate. Old records can contain old names, old addresses, old contacts and old assumptions. The holder may have reorganized several times. A point of contact may have retired. A company may have been acquired through a chain of transactions. A stale Whois record may be the only public clue, but it is not enough. The market needs ARIN to ask hard questions without turning those questions into an opportunity to assert ownership-like discretion over the resource. That is the ledger-versus-gatekeeper distinction in practical form.
Chain of custody is the missing discipline
In ordinary corporate life, assets move through mergers, name changes, restructuring, bankruptcy, acquisitions, divestitures and internal reorganizations. Legacy IPv4 blocks move with those histories, but often imperfectly. The early Internet did not allocate addresses with a future global scarcity market in mind. A research institution, manufacturer, university, defense contractor or early network operator may have received a large block under assumptions that later disappeared. Decades later, the original entity may exist under a new name, have been acquired by a parent, have sold a division, have left the block with an operating subsidiary, or have no internal memory of why the record remains in its name.
This is where chain of custody becomes more than legal diligence. It is a market discipline. The question is not only whether a seller can produce a contract. It is whether the seller can connect the historical record to present authority in a way that ARIN, the buyer, counsel, auditors and operational teams can understand. That chain may include early allocation records, corporate charter documents, merger filings, asset-purchase agreements, bills of sale, board authorizations, officer certificates, name-change evidence, court orders, internal network records and current POC validation. Not every transfer will need the same material. But a serious market needs a clear expectation that authority must be proven, not assumed from an old email address or a familiar company name.
The economic stakes are large because uncertainty is contagious. If a buyer cannot distinguish a clean legacy chain from a weak one, it discounts the whole class. If a broker cannot persuade counterparties that a seller has authority, the market narrows to actors with expensive counsel and high tolerance for delay. If a lender cannot verify the registry pathway, it treats the asset as poor collateral or ignores it entirely. If a lessee depends on a lessor whose registry standing is weak, the lessee may not know the risk until reverse DNS, routing security or a transfer dispute surfaces.
ARIN's role in this chain should be disciplined, not expansive. It should demand evidence of authority, especially where stale records create hijacking risk. It should distinguish operational contact control from organizational entitlement. It should not let a point of contact sell a resource merely because the current corporate owner is inattentive. Nor should it treat a legitimate successor as suspect forever because the early record was informal. The right standard is evidence-based continuity.
This matters for title because the market is not buying a number in the abstract. It is buying a recognized position in a ledger that must remain coherent across time. Legacy resources are valuable partly because they are old; they are also risky because they are old. The institutional challenge is to convert age into verifiable history rather than uncertainty. A registry that can do that increases liquidity without pretending to create the underlying value.
Transfers convert record uncertainty into price
The IPv4 transfer market is where ARIN's record confidence becomes money. ARIN's transfer page states that IP addresses and ASNs issued by ARIN or its predecessors may be transferred only under ARIN policies. It lists the main paths: transfers tied to mergers, acquisitions and reorganizations; transfers to specified recipients within the ARIN region; and inter-RIR transfers to qualified recipients outside the region where compatible policy exists.
Each path turns registry confidence into a condition of liquidity. Under NRPM 8.2, ARIN considers transfers in mergers, acquisitions and reorganizations when the new organization provides evidence that it acquired assets using the resources or acquired the relevant entity. ARIN's transfer guide says resources moved as part of an 8.2 transfer are not subject to a needs-based assessment during that transfer. That exception is economically sensible: the transfer follows corporate continuity rather than a fresh demand allocation.
Under NRPM 8.3, the source organization must be the current registered holder and must not be involved in any dispute as to resource status. ARIN's guide also requires a signed and notarized officer acknowledgement letter, sets a minimum transfer size of /24, and imposes restrictions tied to recent transfers or allocations. The recipient must meet the requirements in NRPM 8.5. Under NRPM 8.4, inter-RIR transfers require reciprocal, compatible, needs-based policy. ARIN may require documentation that the receiving side's review is compatible with ARIN's needs-based policy, and the transfer page currently identifies APNIC, LACNIC and RIPE NCC as approved for ARIN-compatible inter-RIR transfer policy while AFRINIC is not approved for transfers.
These requirements are often treated as policy mechanics. They are also a title filter. If the source is not the current registered holder, it cannot sell market confidence. If the current registrant no longer exists, the buyer may need an 8.2 succession path before an 8.3 sale. If the resources are under dispute, liquidity can freeze. If the officer acknowledgement cannot be produced, the block may be economically stranded even if it is routed. If the recipient cannot demonstrate need, the transfer may fail despite an agreed price. If an inter-RIR transfer depends on another registry's compatibility, a transaction becomes a two-registry exercise.
This is why a registry record is not equivalent to an asset certificate. A Whois entry can identify a holder; it does not by itself prove that a particular officer, human representative or successor entity can authorize a transfer. Diligence must connect public record, corporate documents, authority to act, transaction history, policy eligibility and agreement status. Every missing link increases the cost of liquidity.
The economics resemble real-estate title in one respect and differ in another. Like land, IPv4 blocks can suffer from unclear chain of title, defunct entities, disputed authority and encumbrances. Unlike land, the relevant registry is not a public land office backed by a state title system. It is a private nonprofit registry operating through contracts, policy and community procedures. That makes institutional legitimacy more fragile. Market participants accept ARIN's role because the Internet needs a unique-number ledger and because ARIN's procedures are widely relied on. But the more ARIN's discretion affects asset liquidity, the more its decisions must look like neutral stewardship rather than institutional self-enlargement.
Transfer confidence is therefore a market public good. Clean records help sellers obtain fair value, buyers close with lower risk, networks migrate with less disruption, and ARIN preserves legitimacy. Weak records create lemons-market effects. Buyers demand discounts. Sellers with good title pay extra to prove they are not like sellers with bad title. Brokers and lawyers capture more of the deal surplus. Smaller operators may be priced out of diligence. Stale legacy entries become targets for hijacking or speculative claims. In that world, ARIN's data-accuracy work is not bureaucratic tidiness. It is liquidity infrastructure.
Needs assessment keeps a planner inside the market
IPv4 transfers show a paradox. Scarcity created a market, but needs assessment keeps a planner inside the market. The buyer and seller can negotiate, but the registry still asks whether the recipient qualifies under policy. NRPM 8.5 says the receiving entity must sign an RSA covering resources to be transferred unless it already has a current RSA on file; it says ARIN allocates or assigns number resources by transfer solely for use on an operational network; it sets ARIN's minimum IPv4 transfer size at /24; it allows organizations without an IPv4 allocation from ARIN to qualify for an initial block of that minimum size; and it requires larger or additional blocks to be supported by documentation of projected use and efficient utilization. ARIN's transfer guide says recipients within the ARIN region must demonstrate need for up to a 24-month supply of IPv4 addresses.
There is a defensible reason for this. IPv4 addresses are globally unique identifiers, not ordinary inventory. If transfer policy ignored operational use entirely, the market could reward warehousing, speculative accumulation and exclusionary control. Needs assessment reflects the older conservation ethic of number-resource administration. It tries to ensure that scarce space moves toward operational use rather than pure financial storage.
But the same rule creates gatekeeping risk. In a scarcity market, the ability to approve or refuse a buyer's need is economically powerful. It can shape who may buy, how much they may buy, how quickly they may close and how confidently they may finance a deal. It can also create unequal burdens. A large incumbent may have staff and records to satisfy policy review. A smaller operator may face higher proportional documentation costs. A fast-growing network may find that the policy's evidentiary horizon does not match its business risk. A buyer outside ARIN may depend on compatibility between RIR policies, turning price negotiation into only one part of the transaction.
The best defense of needs assessment is that it is narrow, rule-bound and transparent. The worst version is discretionary moral review disguised as stewardship. ARIN's documents are largely written in operational terms: current registered holder, no dispute, acquired assets, signed RSA, compatible policy, efficient utilization and documented need. Those terms can be reviewed, debated and applied. The danger appears when policy language becomes an open door for institutional preference about business models, counterparties or commercial structure. That is the line between stewardship and gatekeeping.
IPv4 scarcity also changes the fee and service debate. When free-pool allocation was still central, ARIN's role could be understood as rationing a dwindling common inventory. Once the free pool was depleted, ARIN's role shifted toward validating transfers, maintaining records, administering waitlists and operating security and directory services. That role is still important. It is also less like distributing a public resource and more like maintaining a title and services layer for assets already embedded in networks and balance sheets. The legitimacy standard should shift accordingly.
If ARIN is allocating from a pool, conservation and need are central. If ARIN is recognizing a transfer between existing holders, the dominant concerns should be authority, fraud prevention, dispute status, accurate record change, operational continuity and policy compatibility. Needs review may remain part of the system, but it should not become a general license for the registry to shape the market beyond the stated conservation rationale. The registry should ask what is necessary to preserve uniqueness, accuracy, fairness and operational use. It should not treat every transfer as an occasion to reassert broad institutional control over scarce capital.
Security services are part of title confidence
The legacy boundary is increasingly visible in routing-security services. ARIN's legacy page states that legacy holders not under an ARIN agreement can maintain Whois/RDAP, update public data, manage reverse DNS, maintain registry records in ARIN Online and access DNSSEC, but cannot access ARIN's RPKI or IRR services without an agreement. That service distinction may be defensible as a liability and authorization measure. RPKI and IRR are not passive display services; they involve assertions that other network operators may rely on. ARIN has reason to require a clearer legal relationship before enabling such functions.
Yet the economic effect is also clear. RPKI and IRR are increasingly part of responsible network operation and transaction diligence. A buyer wants clean handover of ROAs, route objects, reverse DNS and contact records. A source organization in an 8.3 or 8.4 transfer must coordinate removal or modification of route-security objects and reverse DNS. A network operator wants to reduce the chance that stale routing assertions will cause outages or invalid announcements. Security services therefore affect market confidence, not just technical hygiene.
When access to those services depends on crossing the agreement perimeter, the agreement becomes more than a form. It becomes a gateway to the modern security stack. For many holders that may be a sensible bargain. For others, especially legacy holders concerned about historical reliance, it can look like soft coercion: the registry inherited an old record, the old record became valuable, modern security expectations rose, and the registry now offers security capabilities only through a contractual framework that carries fees, policy obligations and future dependency.
The correct answer is not to pretend that security services should be unconditional. Fraud, mistaken authorization and legal risk are real. The correct answer is proportionality and clarity. ARIN should be able to explain why a particular service requires agreement coverage, what risks the agreement addresses, what obligations follow, how fees apply, what happens if policies change, and how a legacy holder can preserve record continuity while upgrading security posture. If those questions are answered plainly, the agreement path looks like stewardship. If they are answered only through institutional habit, the same path looks like leverage.
Security also shows why title confidence is broader than sale confidence. Even a holder that never plans to sell may need clear registry authority to manage reverse DNS, points of contact, ROAs, route objects and operational transitions. A lessee or downstream customer may depend on these functions indirectly. A lender or acquirer may treat them as evidence of responsible control. The title problem therefore reaches beyond transfer closings. It is part of daily network continuity.
Member power does not settle legitimacy
ARIN's governance model is often presented as open and community-based. Its Policy Development Process says the PDP exists to create and update policies that ARIN uses to administer Internet number resources. It sets out principles of fair and impartial number-resource administration, technical soundness and support by the Internet community. The process includes policy proposals, Advisory Council work, public mailing-list discussion, meetings, last call, Board review and implementation by ARIN staff after adoption.
ARIN's Membership & Elections page adds a different layer. It says entities with a valid ARIN Registration Services Agreement for Internet number resources are eligible for ARIN membership, and that only organizations that are General Members in Good Standing may vote in ARIN elections through a designated voting contact. Participation in policy discussion may be broad; formal electoral power is narrower and linked to the agreement perimeter.
This structure gives ARIN more procedural legitimacy than a closed private company. It does not answer every legitimacy problem. The first reason is that legacy holders outside an agreement can be affected by ARIN's record practices without necessarily having the same membership relation as agreement-covered holders. The second is that member voting is not public authority. A membership system can discipline a nonprofit, but it does not transform the nonprofit into a legislature. The third is that the population most affected by registry-layer decisions includes customers, lessees, creditors, buyers, sellers, network users and security teams who do not vote in ARIN elections.
This is where the critique of mandate laundering becomes relevant. A registry can invoke community, stewardship, openness and region to explain its authority. Those words may describe real mechanisms. But they can also make private coordination power look more public than it is. A policy mailing list is not a parliament. A service region is not a sovereign electorate. A member vote is not a statute. A Board review is not a court. These distinctions matter more as the economic weight of registry decisions increases.
The point is not to delegitimize ARIN. It is to calibrate ARIN. A registry that maintains a scarce-resource ledger needs procedures, participation and elected oversight. But the procedures should be understood as internal constraints on a coordination body, not as a license to convert coordination into broad authority over asset use. The more ARIN's decisions affect the liquidity and continuity of valuable IPv4 resources, the more it should welcome external tests of evidence, due procedure, contract interpretation and neutrality.
Member power can also create distributional questions. Incumbent holders may have different preferences from entrants seeking transfers. Large networks may value predictability differently from smaller networks trying to acquire their first meaningful IPv4 block. Legacy holders may resist agreement expansion. Security-focused participants may want tighter validation. Brokers and market actors may want faster transfers. Anti-abuse communities may prefer stricter data rules. The PDP can mediate these interests, but the registry must not confuse the fact of procedure with the justice of every outcome.
Registry legitimacy in the scarcity era should therefore be evaluated by results as well as forms. Does the record become more accurate? Are transfer rules predictable? Are disputes isolated from running networks? Are stale records cleaned without arbitrary confiscation? Are legacy holders given clear choices? Are security services available on terms that reflect genuine risk rather than leverage? Are policy changes proportional to the coordination problem they claim to solve? These are economic legitimacy questions, not merely governance questions.
Registry-layer risk is asset risk
The modern IPv4 holder faces a risk that is easy to underestimate: the network may be technically sound while the registry layer becomes the weak point. Routes can be stable, customers can be satisfied, abuse desks can be responsive and infrastructure can be profitable. Yet a dispute over authority, fees, agreement status, POC validation, transfer history, RPKI eligibility or a court order can threaten the holder's ability to prove control or complete a transaction.
LARUS's public position on registry risk is commercial, but the underlying insight is structural. Direct IPv4 holding can place registry contract exposure, policy risk, audit paths and termination mechanics inside the operating company, while leasing or specialist holding structures can move some exposure upstream. One need not accept every commercial claim to see the institutional point: the registry layer is a distinct risk layer. It is not the same as routing engineering. It is not the same as address demand. It is not the same as abuse handling. It is the risk that the institutional record and service relationship become the bottleneck for a live network asset.
NRS makes the political version of the same argument. Internet number registries began as technical coordination bodies, but IPv4 scarcity turned registry discretion into economic power. Again, the useful part of the claim is structural. Scarcity gives administrative discretion a capital effect. A rule about contact validation, transfer eligibility or service access may change the value of a block. A policy about who can obtain RPKI may change security posture. A dispute notation may change buyer confidence. A fee change may alter the economics of bringing legacy resources under agreement.
ARIN's own documents show why the risk is real. Legacy holders outside an agreement can maintain Whois/RDAP and reverse DNS, but not access ARIN's RPKI and IRR services. The RSA ties services to policy compliance, fees and holder responsibilities. The transfer page requires agreements, documentation and officer acknowledgement for certain outcomes. The RSA also gives ARIN the right to comply with government or judicial orders concerning services or number resources. These provisions are not scandalous. Any serious registry needs legal and operational controls. From the holder's perspective, however, they define a layer of dependency.
The market's mistake is to treat registry dependency as if it were eliminated by "owning" IPv4. A buyer may spend significant capital to acquire a block and still depend on ARIN's record, agreement, policy and future service conditions. A legacy holder may believe its historical position is stronger than an ordinary RSA holder's position and still need ARIN's ledger for public recognition, reverse DNS, transfer finality and security services. A lessee may not appear in ARIN's registry at all and still depend on the lessor's registry standing. Downstream customers may not know the issue exists until a dispute disrupts routing, reverse DNS or security assertions.
Registry-layer risk is asset risk because the asset is not merely a number. It is a live coordination position recognized by the Internet's addressing system. The number has little practical market value if the holder cannot prove recognized control, keep records accurate, secure routing assertions and transfer or delegate use with credible continuity. ARIN's legitimacy depends on reducing that risk, not exploiting it.
Ledger stewardship versus gatekeeping
The cleanest way to distinguish legitimate registry action from overreach is to ask whether the action protects the ledger or enlarges the gatekeeper. Ledger stewardship is narrow. It preserves uniqueness, accuracy, authorized change, historical traceability, secure publication and dispute integrity. Gatekeeping is broader. It uses the registry's choke point to judge commercial models, extract concessions, expand contract reach or impose institutional preferences not required by the ledger function.
This distinction is not anti-registry. It is pro-registry in the only sense that matters. A ledger trusted by the market must be conservative, evidence-based and resistant to both fraud and institutional temptation. It should prevent duplicate claims. It should refuse forged transfers. It should require proof that a successor acquired the relevant assets or entity. It should validate points of contact. It should record disputes without pretending they do not exist. It should not let an obsolete contact sell a block. It should not let a registry official or board preference rewrite operational reality.
But the same ledger should not become an ownership engine for the institution operating it. ARIN should not be treated as the economic author of legacy value merely because legacy records now depend on ARIN's database. The value was created by scarcity, operational reliance, routing history, customer networks, market demand and the inherited coordination role. The registry's function is to maintain the reference layer. It is not to absorb the asset's economic gravity into a claim of superior discretion.
Lu's "water company" analogy is useful here. In his public note, the monopoly utility does not become owner of the house because the house depends on its pipe. In the registry context, the database record does not own the network reality it records. The analogy is polemical, but it points to a serious institutional rule: dependency should narrow discretion, not widen it. The more operators depend on a registry, the more auditable and constrained the registry should be.
ARIN's own best practices can be read in that narrow direction. Data accuracy protects registrants from hijacking. Transfer documentation protects buyers and the registry from false authority. Needs review, when limited to conservation and operational use, protects against pure warehousing. The PDP, when open and documented, constrains arbitrary policy change. Membership elections, when properly bounded, create accountability within the nonprofit.
The risk appears when these mechanisms are rhetorically bundled into a larger claim: because ARIN's services are necessary, ARIN's full discretion must be accepted; because community procedure exists, every policy outcome carries quasi-public authority; because the registry must maintain uniqueness, it may become the judge of commercial legitimacy; because an agreement is needed for certain services, legacy holders should be pushed into the contract perimeter without candid recognition of their historical position. That is the path from stewardship to gatekeeping.
The better standard is modesty. ARIN should be strongest when the record is threatened by fraud, duplication, stale data, unauthorized transfer or security incoherence. It should be weakest when the question is whether a lawful, operationally coherent holder's commercial use fits an institutional preference not required by uniqueness or accuracy. A registry that knows the difference will preserve legitimacy. A registry that blurs the difference will invite market workarounds, litigation and ideological opposition.
Mandate laundering in a mature registry
Mandate laundering is easiest to see in visibly unstable systems, but it can occur in mature systems too. The mechanism is not limited to crisis. It begins when a narrow coordinating function is wrapped in the language of community, stewardship, region and continuity until a private administrative body appears to possess a thicker mandate than its legal and technical role justifies.
ARIN is not AFRINIC, and the distinction matters. ARIN's documents are more explicit, its transfer system is more developed, and its public materials acknowledge legacy resources in a relatively practical way. It provides core services to legacy holders not under agreement. It publishes transfer requirements. It documents the PDP. It identifies membership and election rules. It exposes Whois/RDAP, transfer procedures, data-accuracy expectations and agreement terms. These are institutional strengths.
But maturity can make mandate laundering subtler. A stable registry may not need dramatic claims. Its authority can thicken through ordinary language: community, stewardship, mission, service region, policy, transparency, best practice. Each word can be legitimate in context. The problem arises when the words are used to avoid the harder question: which specific authority is needed to maintain the ledger, and which authority is merely convenient for the institution?
Consider "community-developed policy." ARIN's PDP is real. It includes public discussion, Advisory Council work, last call, Board review and implementation. But a policy's community pedigree does not automatically answer whether it fairly burdens legacy holders, whether it increases title confidence, whether it reduces or increases market friction, or whether it respects the line between conservation and gatekeeping. Procedure helps legitimacy; it does not substitute for proportionality.
Consider "stewardship." The term can mean careful maintenance of a shared numbering system. It can also become a soft claim to moral supervision over scarce assets. Stewardship of uniqueness is necessary. Stewardship of accurate records is necessary. Stewardship of every market choice made by lawful holders is more suspect. Once IPv4 becomes economically valuable, stewardship language should be narrowed, not expanded. The steward of the ledger must not become the steward of every business model that uses the ledger.
Consider "continuity." ARIN can rightly argue that continuity of Whois/RDAP, reverse DNS, RPKI, IRR and registry records matters. But continuity of function is not the same as immunity for every institutional choice. The ledger-not-gatekeeper frame is useful precisely because it separates services that must continue from the operator's claim to broad discretion. A mature ARIN standard would embrace that separation. It would say: the record must be preserved, services must remain reliable, disputes must be handled carefully, and running networks should not become collateral damage. It would not say: because these functions matter, the registry's judgment should be insulated from ordinary scrutiny.
North America is the test because ARIN sits on a large body of valuable legacy history and a sophisticated transfer market. If ARIN can show that legacy resources can be integrated into modern security and transfer systems without erasing historical reliance or inflating registry discretion, it strengthens the RIR model. If it cannot, critics will treat ARIN's maturity as proof that even the best-developed registry converts ledger control into gatekeeping power when scarcity raises the stakes.
What asset confidence should require
The practical answer is not to abolish ARIN's role. It is to define the asset-confidence standard against which ARIN should be judged. The standard begins with preservation. Historical records should be maintained with enough detail to support chain-of-custody analysis. Legacy resources should not be reduced to a current display line. Diligence often turns on past organization names, early assignments, ERX movements, corporate changes, prior contacts and earlier record updates. Historical services should be understood as title-confidence tools, not merely research products.
The second requirement is authority validation without contact fetishism. A point of contact can be an operational gate to record changes, but it should not be treated as an independent owner of the resource. Authority belongs to the recognized organization or successor entity, proven by evidence, not to whoever happens to control an old email address. At the same time, a legitimate successor should have a practicable path to recognition if it can prove the chain.
The third requirement is dispute isolation. If two parties claim the same legacy block, the registry should prevent conflicting transfers and preserve the last verified operational state where possible. It should record dispute status as needed. It should not use uncertainty as an excuse for unilateral redistribution, nor should it let a disputed claimant create irreversible change. Neutral adjudication and evidence-based update rules matter because IPv4 value can be destroyed by uncertainty long before a court or arbitrator reaches a final answer.
The fourth requirement is an intelligible RSA/LRSA boundary. Holders should be able to understand which services are available without agreement, which services require agreement, what rights and obligations follow, how fees apply, and how transfer eligibility changes. The retirement of the legacy fee cap makes clarity more important, not less. A legacy holder should not have to infer the economic consequences of entering the agreement perimeter from scattered pages and institutional custom.
The fifth requirement is transfer review tied to title, fraud prevention, operational use and policy compatibility. Transfer review should not become general commercial morality review. If a source is the current registered holder, not in dispute, properly authorized, and the recipient satisfies policy, ARIN's role should be to complete the registry transition with disciplined caution. If evidence is defective, ARIN should say what is missing. Predictability is liquidity.
The sixth requirement is security-service proportionality. RPKI and IRR access are not mere premium conveniences. They affect route security and market confidence. ARIN's requirement that legacy resources be under agreement to access these services may be defensible as a risk measure. But because security services increasingly define responsible operation, the agreement path should be transparent, proportionate and not perceived as coercive leverage over legacy holders.
The seventh requirement is economic review of policy outcomes. A policy can be open and still harmful. It can be community-supported and still entrench incumbents. It can be technically sound and still impose avoidable title friction. ARIN's PDP principles of fair and impartial administration, technical soundness and community support should be read economically in the IPv4 era. Fairness includes the cost of diligence. Technical soundness includes record reliability. Community support should not erase the interests of non-voting downstream users whose networks depend on the resource.
These standards are not radical. They are the standards a market develops when a recordkeeper becomes central to scarce assets. The institution that keeps the record must be boring in the best sense: accurate, restrained, predictable, auditable and difficult to capture.
Why ARIN's legacy question matters beyond ARIN
ARIN's legacy-resource problem is not a regional curiosity. It is a preview of a broader Internet-governance question: how should private technical registries behave once the entries they administer become economically strategic? Every RIR faces scarcity, transfers, security services, contractual limits and political pressure. ARIN's special feature is that it combines an early Internet legacy base with a comparatively formal transfer and agreement system. That makes it a useful stress test.
For buyers, ARIN's handling of legacy title affects whether IPv4 can be treated as a financeable operating asset. If transfer outcomes are predictable, buyers can price blocks, arrange diligence, manage closing conditions and plan migrations. If outcomes are uncertain, the market becomes thinner and more expensive. Scarcity alone raises price; uncertainty raises the risk premium.
For sellers, title confidence affects whether old allocations can be monetized without being hijacked by intermediaries or trapped by stale records. A university, manufacturer, defense contractor, telecom company or acquired enterprise may hold legacy space whose internal history is complicated. If ARIN provides clear routes for proving authority, legitimate holders can surface dormant or underused resources. If the route is opaque, only large actors with expensive counsel can navigate it.
For network operators, registry confidence affects continuity. A block embedded in customer networks, firewall rules, geolocation records, allowlists, API controls, reverse DNS, abuse desks and RPKI objects cannot be swapped casually. The registry's decision on a record can ripple through operational systems. That is why registry-layer risk cannot be dismissed as paperwork.
For ARIN, the stakes are legitimacy. A registry's power is recognized because the Internet needs a unique, authoritative reference. That recognition is fragile when the reference layer becomes a market choke point. ARIN must demonstrate that it can administer scarcity without claiming more mandate than the ledger requires. The institution must be strong enough to prevent fraud and weak enough to remain a servant of the record.
For the RIR system, ARIN's example matters because critics will judge the model by its best cases as well as its worst. If a mature RIR can keep legacy title, transfers, security access and policy authority within narrow stewardship, the model gains credibility. If even a mature RIR turns scarcity into broad gatekeeping, calls for portability, independent adjudication and alternative continuity structures will grow stronger.
The ideological challenge from NRS, LARUS and Lu's notes is therefore not merely external criticism. It is a market signal. It says that resource holders increasingly see the registry not only as a technical necessity but as a concentration of economic risk. The correct response is not to deny that the risk exists. It is to reduce it by making the ledger more trustworthy and the gatekeeper less discretionary.
Conclusion: title as confidence, not theology
The economics of ARIN legacy allocation title begins with a simple fact: old records now support scarce assets. That fact does not settle the legal status of IPv4 addresses. It does not prove that legacy holders have absolute property rights. It does not prove that ARIN is merely a clerical office with no policy role. It proves something more practical and more difficult: confidence in historical allocation records has become part of the asset's value.
ARIN's own materials show the architecture. Legacy resources came from an earlier allocation era. Some services remain available without agreement. The LRSA offered a bridge for many years, and the fee-cap era has closed. The RSA defines valuable database-recognition, use and transfer rights subject to policy and compliance. Whois and RDAP provide public registry visibility. Data accuracy protects operability and reduces hijacking risk. Transfer policy requires current registered holder status, no dispute, documentation, signed agreements and, in many cases, needs assessment. Membership and PDP procedures add participation and oversight but do not convert ARIN into a state.
The economic lesson is that title confidence sits at the intersection of all these pieces. It is produced by the ledger, the contract boundary, the policy rules, the data-accuracy regime, the transfer review and the institution's self-restraint. If any part becomes arbitrary, liquidity suffers. If the record becomes stale, hijackers gain. If policy becomes moral discretion, buyers discount. If legacy holders are forced into unclear bargains, legitimacy erodes. If disputes threaten running networks, the registry has failed the continuity test.
ARIN's strongest future is not as a gatekeeper that draws power from scarcity. It is as a ledger steward that makes scarce-resource markets safer without pretending to own the value created by the networks that use the numbers. That means protecting uniqueness, preserving history, validating authority, enabling secure services, making transfers predictable, isolating disputes and keeping its mandate narrow. It means resisting the institutional temptation to convert "we keep the record" into "we decide the fate of the asset."
The title problem will not disappear with IPv6 advocacy. IPv6 may reduce future dependence on IPv4, but it does not erase the installed base, sunk costs, customer systems, transfer market or historic allocations that still shape today's Internet economy. Legacy IPv4 will remain valuable for as long as networks, customers and applications rely on it. During that period, ARIN's record will remain a confidence layer.
That is why legacy allocation title still matters. It is not nostalgia for the early Internet. It is not a demand that ARIN surrender its registry duties. It is the recognition that in a scarce-resource economy, the recordkeeper's modesty is part of the asset's security. Protect the ledger, and ARIN strengthens both the market and its own legitimacy. Inflate the ledger into gatekeeping, and the market will price the risk, litigants will test the boundary, and resource holders will look for continuity outside the institution that was supposed to provide it.

