Summary

  • Internet number competition should occur around registration service, not around incompatible claims to the same prefix or autonomous system number. RFC 7020 makes uniqueness a core registration requirement: an IP address or AS number must not be allocated to more than one party at the same time.
  • A portable design separates the resource, recognized holder, registration-service provider, common validator, IANA-linked allocation structure and network operator. Changing provider alters one service relationship. It does not sell the resource, replace the holder, duplicate the allocation or direct a route.
  • Multiple qualified registrars can compete on support, price, language, security controls, evidence handling, transfer assistance, RDAP presentation and optional services. They must share minimum rules for identity, authority, transfer state, dispute holds, security continuity, record retention and review.
  • One serialized commit is the point that prevents duplication. The common layer verifies the current version, required approvals and absence of an incompatible hold, then records one provider change and retires the former provider's authority. Competing providers may retain evidence and replicas, but they may not publish rival current states as equally authoritative.
  • Mobile number portability, domain registrar transfer and current-account switching show how a customer can change provider while a shared coordination arrangement preserves continuity. None is an exact legal or technical model for IP prefixes or ASNs; together they show that portability is institutional infrastructure rather than a promise to cooperate.
  • RPKI, reverse DNS and RDAP make number portability more demanding than a simple customer-record move. Dependent services need explicit continuity steps, overlap only where it cannot create contradictory authority, and independent verification before the old provider is released.
  • The common layer itself must be replaceable. Open specifications, independently witnessed history, exportable state, separated qualification and review, tested successor activation and the IANA numbering service continuity model can prevent retail competition from sitting beneath an unaccountable permanent coordinator.

Scarcity makes duplication look like freedom until it fails

IPv4 scarcity creates pressure for alternatives. A holder may dislike its Regional Internet Registry, entity to fees, need support in another language, face a dispute or want a provider with better security. If the incumbent cannot be replaced, institutional dependency becomes economically significant. It is tempting to answer by allowing a rival registrar to recognize the holder independently.

That answer confuses competition with contradiction. If registrar Alpha says a prefix belongs to one company while registrar Beta says the same prefix belongs to another, networks and counterparties do not receive choice in the ordinary market sense. They receive incompatible claims about a globally reused identifier. Each must decide which registrar's truth to accept, and the resource ceases to be reliably unique.

The problem is sharper for a scarce IPv4 block because the conflict can support competing sales, leases, security authorizations and public records. A registrar may attract customers by applying looser proof or ignoring a dispute. The short-term offer looks competitive; the long-term result is adverse selection in authority.

Real competition keeps the scarce resource singular while making the service provider replaceable. The holder should be able to dismiss Alpha and appoint Beta under common rules. Alpha should lose current authority at a defined moment. Beta should gain it at that same moment. The allocation history and holder continuity should remain visible. Portability makes exit possible without asking the Internet to choose between rival worlds.

RFC 7020 defines the non-negotiable core

RFC 7020 describes the Internet Numbers Registry System and identifies registration accuracy as a core requirement. It states that uniqueness means IP addresses and AS numbers are not allocated to more than one party at the same time. It also describes a hierarchy rooted in the IANA role, with Regional Internet Registries serving Local Internet Registries and other customers.

The document does not freeze every institutional arrangement forever. It records the structure and goals of the number system as they stood in 2013 and anticipates continued evolution. The uniqueness requirement is nevertheless architectural. Independently operated networks can reuse addresses internally, but globally coordinated public number resources depend on a common understanding that a current allocation is not simultaneously made to two unrelated parties.

RFC 7020 also protects an important boundary. Whether addresses are announced and how they are advertised are operational considerations outside the registry's scope. The registration record does not force routers to accept a path. This means portability can change registration service without pretending to control every network.

NRS should treat these two propositions together. It must preserve globally coherent allocation while remaining thin about routing. The common validator is justified by uniqueness, not by a claim to run the Internet. Providers compete around the record; operators decide routing under their own policies and applicable security signals.

Six roles must not be collapsed into one institution

A portable number regime becomes clearer when six roles are separated. The resource is the prefix or AS number whose global uniqueness must be preserved. The recognized holder is the person or organization currently entitled to registration service under the applicable allocation and transfer history.

The registrar serves the holder. It verifies authorized representatives, protects evidence, submits permitted instructions, supports corrections and presents services. The common validator checks whether a proposed state change is authorized and compatible with the current state, then records one ordered result.

The IANA numbering role maintains the top of the allocation hierarchy and the global registries that identify number-resource distribution to RIRs. The network operator configures routing, filtering, reverse DNS and security use. One organization may perform more than one role, but the powers should remain distinguishable.

Monopoly becomes hard to challenge when the incumbent claims all six. It can say that replacing its customer service would endanger uniqueness, that questioning its policy would endanger routing and that moving an administrative function would challenge IANA. Separation answers that rhetoric. A holder can change registrar without changing the resource. A common validator can be governed or replaced without altering every route. IANA can preserve top-level coherence without selecting each retail provider.

Role separation also assigns responsibility. The registrar authenticates. The common validator serializes. IANA maintains top-level allocation information. Networks route. A failure can then be examined at the lever that caused it rather than attributed to an undifferentiated community.

The competitive surface is broad enough to matter

Some critics assume that if registrars share rules and one current state, little remains to compete over. The domain market and other switching regimes show otherwise. Service quality is not a trivial layer when customers depend on a record for years.

Registrars can compete on price, response time, language, regional expertise, account security, recovery options, evidence minimization, privacy, delegated administration, portfolio controls, transfer assistance, after-hours support and integration with network operations. They can offer distinct audit reports, service guarantees and insurance. They can specialize in small networks, universities, public-sector operators, multinational groups or transfer-market entities.

They can also compete on the quality of public registration presentation without changing the underlying authoritative state. One may offer better explanation of history or more usable alerts. Common RDAP requirements preserve interoperability while providers improve holder-facing tools. Optional hosted RPKI and reverse DNS services can compete if they are portable and not tied coercively to the base record.

This competition changes bargaining. A provider that delays support or raises prices knows the holder has an executable exit. A new entrant need not persuade the world to recognize a rival allocation; it needs qualification and the holder's mandate. Market entry becomes service entry rather than a geopolitical struggle over authority.

The common layer should do less than current incumbents

The need for one current state does not justify one organization controlling policy, customer service, evidence, security credentials, disputes and adjudication. The common layer should be deliberately narrow.

Its essential duties are to identify the current resource version, verify that a submitted change came from a qualified provider, check required authorization proofs, enforce compatible holds, serialize conflicting instructions, commit one result, retire superseded authority, preserve verifiable history and publish the information needed by authoritative discovery.

It should not decide ordinary retail prices, dictate support bundles, retain every holder document or sell premium approval. It should not route traffic. It should not judge its own commercial disputes. It should not make substantive allocation policy through undocumented technical choices.

A narrow coordinator is easier to replicate and replace. It also reduces the amount of discretion that must be centralized. The registrar handles the relationship; the common layer handles coherence. Independent reviewers handle contested authority. Policy institutions set common rules through accountable means.

This boundary is the constitutional price of portability. If the common layer absorbs every function, the market gains cosmetic registrar choice while dependence moves upward. The holder can leave the shopfront but not the institution that controls every meaningful outcome.

One current state requires an ordered commit

Portability succeeds only if a provider change has one authoritative completion point. Before that point, the old provider retains current authority and the proposed new provider is pending. After it, the new provider is current and the old provider's authority is historical. There must not be an interval in which both can independently create valid current changes.

The common validator should accept a transfer only against a known version of the resource record. The submission identifies the resource, current holder, old provider, proposed provider, authorization evidence, requested time and dependent-service choices. The validator checks that the referenced version is still current. If another valid change has already committed, the stale submission fails safely.

At commit, the validator records the provider substitution and retires the former provider token as one indivisible act. Notices follow to the holder, both providers and registered security contacts. Independently operated witnesses can verify the event sequence. A provider may retain prior evidence, but it cannot use the old token to create a rival current state.

The word common does not require one machine or one private company. Several independent validators can witness or co-sign an ordered event under a defined quorum. What matters is that they converge on one accepted sequence and cannot each sell an incompatible answer. Distribution can improve resilience; plural truth would destroy uniqueness.

Portability changes provider, not holder

The most important guardrail is the distinction between provider substitution and resource transfer. A holder changing registrar should not need to prove a new claim to the prefix as if acquiring it. The recognized holder, resource set, allocation history and applicable restrictions remain the same. Only the appointed service provider changes.

A sale, merger, insolvency distribution or other change of holder is different. It requires authority from the current holder and whatever substantive transfer rules apply. Combining the two changes creates opportunities for theft and captivity. A provider could claim that every exit reopens title, or a buyer could hide a resource sale inside an ordinary service move.

The transfer instruction should therefore state what remains unchanged. The prefix or ASN is identical. The holder identifier is identical. Existing dispute markers and legal restraints continue. Historical allocation does not restart. The registrar field changes at a specified time.

If a holder change is also intended, it should be a separately authorized transaction with its own evidence and review. The two may be scheduled together only if each reaches an independent valid decision. A failed sale should not trap the holder at an unwanted registrar, and a registrar switch should not validate an unsupported sale.

IPv4 market activity makes the distinction urgent

IPv4 exhaustion has increased the value of transfer and lease arrangements. IANA's number-resource allocation data notes that its ordinary IPv4 supply is exhausted and that recovered address space follows a separate allocation method. Scarcity means a registration change can be economically significant even when routing is unaffected at that moment.

A portable registrar market should support legitimate transfer evidence without becoming a marketplace in conflicting recognition. Brokers, buyers, sellers, lessors and network operators may use different contracts. The common state should identify the recognized holder and any permitted public status. It should not treat a broker's listing or a lease claim as a second allocation.

Competition can improve service to market entities. Registrars may specialize in due diligence, escrow coordination, cross-region support and post-transfer updates. Common validation prevents them from competing by lowering the uniqueness standard. A registrar that cannot substantiate authority should lose the transaction, not gain market share by publishing its own answer.

The same discipline protects smaller holders. Without common state, the registrar with the largest commercial reach could make its claim appear true by repetition. Portability allows holders to choose service while validation makes authority depend on evidence and ordered acceptance rather than provider size.

The gaining provider should lead the switch

A holder seeking exit should approach the desired new registrar. Making the incumbent the only initiator gives the institution being dismissed control over departure. It can delay, demand unrelated payments or pressure the holder to remain.

The gaining registrar should verify the holder's mandate, explain the change, identify dependent services and submit the request. Its commercial incentive supports completion. The losing registrar receives prompt notice and a bounded opportunity to raise specified objections. It does not possess a general veto.

This pattern appears in other sectors. The ICANN Transfer Policy places defined duties on the gaining registrar, registrar of record and registry operator. The UK Current Account Switch Service is led by the new bank or building society and uses a shared service to complete the move and redirect payments under its guarantee.

NRS should adapt the institutional logic, not copy details blindly. Number resources carry allocation history, reverse DNS and RPKI dependencies that bank accounts and domain names do not share in the same way. The general lesson survives: an exit right works better when the chosen provider can initiate under common duties and the incumbent's objections are limited, reasoned and time-bound.

Authentication must be portable without becoming weak

The new provider must know that the holder authorized the change. A portability regime that accepts an email from one compromised contact would create theft at scale. A regime that requires the losing provider's discretionary approval would recreate captivity.

NRS should maintain holder-controlled authority credentials independent of any one registrar. The holder can designate multiple organizational roles, require a threshold of approvals and keep a recovery route with an independent custodian. A transfer request should be bound to the resource set, gaining provider, intended time and current version so it cannot be replayed for another change.

The losing registrar can supply risk information and evidence of a genuine identity dispute. It should not control the root credential. If the provider fails or becomes hostile, the holder must still be able to prove authority through the common layer and independent recovery.

RFC 9154 provides a useful security comparator for registry-entity transfers using EPP authorization information. It distinguishes registrant, registrar and registry roles, describes secure transfer authorization and requires the registry to compare submitted authorization information with stored material. NRS need not adopt EPP or domain semantics, but it should adopt the principle that transfer authority is narrow, transaction-bound, expiring and invalidated after use.

Locks should express risk, not provider ownership

A transfer lock can protect a holder during a suspected compromise, active dispute or recent consequential change. It can also become the easiest instrument of retention. The design question is who controls the lock, why it exists and how it ends.

Holder-requested locks should be visible and removable through a secure route no more restrictive than other consequential account changes. Security locks imposed by a registrar should identify a defined risk, expire quickly unless reviewed and remain challengeable. Court or independent-review holds should identify their authority and scope.

Fee disputes should not create a general right to trap the resource record. The losing provider can pursue unpaid invoices through ordinary remedies. It may withhold optional services or amounts where lawful, but it should not use global uniqueness as collateral unless the common rules expressly connect the debt to the registration right.

The ICANN policy supplies another bounded lesson: it lists grounds on which a registrar may or must deny a domain transfer, requires reasons and rejects several grounds as limited public evidence. Number-resource portability needs its own list. The list should be shorter than institutional discretion and broad enough to stop verified theft. Every lock should have a responsible actor, timestamp, reason category, expiry and review path.

Silence should not let the incumbent veto exit

Portability can be defeated without a formal refusal. The losing provider simply fails to respond. If completion requires affirmative incumbent consent, inaction becomes permanent control.

The common rules should define default outcomes. Once the gaining registrar has supplied valid authority and required notices have been delivered, the incumbent has a fixed period to raise a permitted objection with evidence. Silence after that period allows the switch to proceed. A genuine emergency can justify a short hold imposed by the common layer, not an indefinite pause owned by the incumbent.

ICANN's current Transfer Policy provides a five-calendar-day default approval structure for inter-registrar domain transfers when the registrar of record does not respond to the registry notice. The exact number is not automatically right for Internet number resources. The structural discipline is right: the deadline converts silence from power into an outcome.

NRS should publish performance at each stage: time to credential release, time to objection, time to independent review and time to final commit. A provider whose business model depends on quiet delay should be visible and ultimately lose qualification. Competition requires not just the formal existence of alternatives but the demonstrated ability to reach them.

Disputes should freeze change, not create rival allocations

When two parties claim control, it may be impossible to determine the winner immediately. The safe response is not to let each choose a registrar and publish a current claim. The common state should preserve the last uncontested status, mark the dispute where appropriate and restrict consequential changes until review.

A dispute hold must be narrow. It should identify the contested resource, authority, duration and permitted actions. Routine contact correction or security monitoring may continue even while disposition is frozen. The holder should not lose all service because one field is disputed.

The independent reviewer needs power to preserve evidence, order temporary measures and decide whether the hold continues. The common coordinator should implement that decision but should not judge a dispute about its own conduct. Courts retain their lawful role.

Historical claims remain visible in the event record without becoming competing current states. A losing claimant can challenge or appeal, but it cannot create technical ambiguity by publishing a parallel allocation. This preserves legal disagreement without forcing routing operators and counterparties to adjudicate it independently.

Mobile number portability demonstrates neutral coordination

Telephone numbers and IP prefixes are not interchangeable. Telephone numbering follows national plans, carriers switch calls through sector-specific systems and regulators can impose domestic duties. The comparison is still valuable because it shows that one identifier can persist while service providers compete.

The United States developed local number portability around regional services collectively known as NPAC. The FCC's technical requirements for the Local Number Portability Administrator describe a neutral and independent administrator for shared regional number-portability information. Carriers compete; the ported number does not become valid twice.

The European Electronic Communications Code, Article 106, gives end users a right to retain numbers independently of provider, constrains service loss, prohibits delay and abuse, and requires compensation rules. Again, the legal obligations do not transfer automatically to Internet number resources. The institutional insight is direct: neutrality, deadlines, consent, continuity and remedies turn portability into an enforceable market feature.

NRS should borrow the separation between competitor and coordinator. A registrar should not run the common transfer authority in a way that advantages its retail business. Governance, technical access and fees must be non-discriminatory. Neutrality should be measured through outcomes, not declared in a mission statement.

Domain registrar transfer proves provider substitution is possible

The generic domain market separates registered name holders, registrars, registry operators and ICANN. A holder can transfer sponsorship from one accredited registrar to another while the domain remains unique within its top-level registry. RFC 5731 defines EPP commands that include management of domain-entity sponsorship changes.

The domain model shows that the customer-facing intermediary need not be permanent. It also reveals the remaining concentration. The top-level registry stays authoritative, and common policy continues to bind registrars. A .com holder cannot move the identical domain to a rival .com registry while preserving one global answer.

NRS should learn both lessons. Registrar competition can reduce lock-in. It does not by itself make the common validator accountable. Open interfaces, provider qualification, review, audit, succession and policy legitimacy remain necessary above the retail layer.

Number resources also have different dependencies. A provider change may affect RDAP, reverse DNS and RPKI. Routing does not follow the same hierarchy as DNS resolution. The domain analogy establishes institutional possibility, not technical identity. NRS must perform number-specific continuity tests before declaring a switch complete.

Current-account switching shows that continuity can outlast old details

Bank switching offers a different comparison. The UK's Current Account Switch Service completes a full switch in seven working days, is led by the new provider and redirects payments sent to the old details. Pay.UK operates the shared service. The customer changes bank without coordinating every payment originator individually on the first day.

Internet number portability can be stronger because the objective is to preserve the same resource rather than redirect from old account details. The comparison still highlights useful duties: a chosen completion date, receiving-provider leadership, shared coordination, redirection during transition, guarantee and clear responsibility for errors.

The limits matter. Bank accounts are governed by financial regulation, payment systems and deposit rules. A prefix has routing, delegation and security dependencies. NRS should not claim that a seven-day bank switch proves a seven-day number transfer is safe.

What it proves is that continuity is a service in its own right. Institutions can define who moves what, when old instructions stop, how residual activity is handled and who pays when the switch fails. Portability should not be left to goodwill between competitors.

RDAP continuity needs authoritative discovery, not rival answers

RDAP allows users to retrieve registration data from authoritative services. RFC 9224 explains how IANA bootstrap registries direct clients to services for IP address space and AS numbers. For address space, longest-match selection finds the relevant service location; AS number ranges map to service URLs.

A registrar switch must not create two equally authoritative RDAP destinations for the same scope unless they serve the same accepted state under a resilience arrangement. The common commit should update the responsible service mapping or the common service should continue answering while the retail registrar changes behind it.

Two models are possible. In a common-publication model, all registrars submit accepted changes to a shared RDAP service. In a delegated-publication model, authoritative discovery points to the current provider, with a controlled transition and consistency checks. The first centralizes publication; the second increases portability complexity. Both must preserve one answer about current authority.

Replicas are not duplicates in the harmful sense if they are cryptographically tied to the same event history and cannot accept independent allocations. Multiple service endpoints can improve resilience. Multiple unrelated truths cannot. NRS should publish consistency measures, stale-state duration and restoration performance so users can distinguish redundancy from fragmentation.

Reverse DNS should move as an explicit dependent service

Reverse DNS delegation can be operationally important for mail, logging, troubleshooting and service identity. A provider switch that preserves the holder record but accidentally removes delegation can still harm continuity.

The transfer instruction should state whether reverse DNS remains with an existing operator, moves to the gaining registrar or moves to a third party. If no change is requested, the common commit should preserve the delegation. If a change is requested, the new service must be ready and validated before the old one is withdrawn.

The registrar should not bundle reverse DNS so tightly that leaving registration service requires changing nameservers. Holder-controlled delegation allows independent choice. A provider can compete on managed reverse DNS without using it as a lock.

Rollback must be prepared. A failed delegation change should restore the prior valid state without reversing the registrar switch if the two acts are separable. This is another reason to represent functions distinctly. One failed optional service should not reopen the question of who serves the core registration.

RPKI continuity is the hardest portability boundary

RPKI follows the resource allocation hierarchy. RFC 6480 describes resource certificates, signed entities and repositories that allow networks to validate route-origin authorization. A provider move can therefore affect keys, certificates, repositories and Route Origin Authorizations even when the holder and prefixes do not change.

The safest model gives the holder control of its keys and lets registrars provide replaceable management. Where hosted RPKI is used, the transfer must establish the gaining provider's authority, issue valid successor material, make it available to relying parties, verify propagation and then retire the former provider's authority. Overlap may support continuity, but it must not permit contradictory current authorization beyond a tightly bounded transition.

The common validator should not declare success merely because the registrar field changed. It should verify dependent security state or record that hosted RPKI was deliberately excluded from the switch. The holder needs a preview of which entities will remain, change or expire.

Networks still choose validation policy. Portability cannot guarantee that every route remains accepted. It can guarantee that the institutional move does not accidentally revoke or duplicate authority through a known transition defect. A separate security incident path should freeze destructive changes while allowing safe restoration.

Routing autonomy remains outside registrar competition

A registrar should not promise preferred routing as part of recognizing a resource. It can provide monitoring, alerts, route-object support and hosted RPKI, but it does not own the routing decisions of autonomous networks. Allowing registrars to compete by declaring their customers' routes globally valid would recreate plural authority at the routing layer.

The resource record states recognized allocation and related registration facts. A ROA states holder authorization of an origin AS within the RPKI architecture. Neither compels every network to carry the route. Network operators choose peers, filters, local preference, validation policy and incident response.

This separation protects competition. Providers can improve tools without selling exemption from global uniqueness or security rules. Holders can change registrar without renegotiating every BGP relationship. Routing disputes can be investigated using registration evidence without turning the registrar into a universal traffic authority.

It also limits liability honestly. A registrar is responsible for the instructions, records and credentials it controls. It is not responsible for an unrelated route leak merely because it serves the holder. The common layer is responsible for uniqueness and accepted state, not global reachability.

Cross-regional portability must preserve top-level coherence

A network can operate across regions and may have relationships with multiple RIRs. A portable market may allow a qualified registrar in one jurisdiction to serve a holder whose resources originate in another regional allocation history. That can improve service but complicates authority.

The resource should retain its allocation provenance and applicable policy. Changing registrar should not erase the originating RIR, convert legacy status or create a new regional allocation. The common validator must know which rules govern a holder change, transfer or dispute even when the retail provider is elsewhere.

Cross-regional portability also raises legal questions about evidence, sanctions, court orders, privacy and remedies. Providers should disclose governing terms and maintain a representative capable of receiving valid notices. The holder should not be forced into a distant forum merely because the common coordinator selected it secretly.

IANA-linked top-level information remains the anchor for allocation structure. Competition below that level should not create regional shadow pools. A registrar can serve globally while every accepted resource still traces to one coherent allocation chain.

Provider failure is the decisive test of portability

An exit right that depends on the losing provider is least useful when that provider fails. Insolvency, cyberattack, lost accreditation or organizational paralysis can make credentials and evidence unavailable. A credible NRS market must support emergency succession.

Qualified registrars should deposit current service state, authority proofs and necessary transfer material with an independent continuity custodian in a portable format. The common layer should already know the holder's independent recovery contacts. Regular restoration exercises should prove that another registrar can assume service without cooperation from the failed firm.

The domain sector again offers a comparator. ICANN's transfer arrangements include approved bulk transfers when a registrar loses accreditation or authorization. The IANA Numbering Services SLA also contemplates performance expectations, escalation and a successor operator if the agreement ends. Neither arrangement supplies a complete NRS design, but both reject permanent dependence on one operator.

Emergency succession should preserve holder and resource state. It is not a sale of the failed provider's customers as assets. Holders receive notice and a route to choose another qualified provider after stabilization. The temporary successor has bounded powers and cannot use the emergency to rewrite substantive rights.

The common coordinator must also be replaceable

Retail portability can conceal wholesale captivity. If one common coordinator alone understands the accepted history, controls signing keys and decides which providers qualify, replacing it may be harder than replacing today's registry institutions. The market would have competition at the edge and monopoly at the core.

NRS should make succession an operating requirement. Specifications must be public. Accepted event history must be independently witnessed and continuously exportable. Signing authority should use threshold control across institutions with clear emergency rules. Provider qualification and dispute review should be separate from operation of the common validator.

A successor exercise should occur at regular intervals. An independent team reconstructs current state from replicas, verifies resource and provider mappings, tests RDAP discovery and confirms that no former key can create accepted changes. Results should be published without exposing confidential holder material.

The IANA numbering SLA is relevant because it expressly describes successor selection after non-renewal or termination. It shows that even a top-level coordination service can be framed as replaceable without inviting competing IANA operators to issue simultaneous allocations. Succession preserves one role over time; duplication creates several incompatible roles at once.

Distributed validation is not permission to fork

Resilience may require several validators in different jurisdictions. They can check signatures, witness events and maintain independent copies. This distribution reduces the risk that one server, company or court can silently rewrite history.

The validators must nevertheless follow one acceptance rule. A change becomes current when the required quorum confirms the same event against the same prior version. A validator that disagrees can refuse to sign and trigger review. It cannot publish its preferred conflicting allocation as equally valid while remaining part of the system.

This distinction separates fault tolerance from plural sovereignty. A quorum can survive failure and expose dissent. A fork asks users to choose which branch defines the holder. For unique Internet numbers, routine forks are not a governance feature; they are loss of coordination.

Emergency recovery should therefore prefer pause and review over divergent acceptance. If validators cannot reach the required threshold, non-essential changes stop while existing state remains available. The regime should define a transparent route for replacing failed validators and resolving deadlock. Availability matters, but accepting contradictory transfers to preserve throughput would sacrifice the very asset being protected.

Qualification should open entry without selling authority

Registrar qualification should be objective, proportionate and reviewable. Requirements can cover legal identity, technical interoperability, security, continuity, evidence handling, insurance, staff competence and acceptance of common duties. Entry should not depend on political friendship or an incumbent's commercial discretion.

Requirements should scale with service. A thin registrar need not operate hosted RPKI. A provider that does offer signing must meet the higher security standard. Small providers can use shared compliant infrastructure if responsibility remains clear. This supports diversity without reducing core safeguards.

Fees for access to the common layer should be published and non-discriminatory. A coordinator should not subsidize its own registrar or charge rivals based on their customers' resource value. Cost-based common fees and separately priced retail services make cross-subsidy visible.

Qualification decisions need reasons and independent appeal. Denial can exclude a competitor from the market. The reviewer should be able to inspect confidential security evidence while publishing a safe explanation. Periodic renewal can ensure continuing capability, but it should not become a loyalty test.

Common rules should be a floor, not a retail script

Competition requires shared rules for the acts that affect everyone. Identity authority, one current holder, resource versioning, transfer authentication, deadlines, holds, evidence retention, RDAP consistency, reverse DNS continuity, RPKI transition and review cannot vary so radically that providers create incompatible states.

The floor should remain narrow. Registrars can choose interfaces, support models, prices, additional security, languages and optional services. They can compete by exceeding minimum response times or offering stronger insurance. They cannot waive the holder's portability right or sell a shortcut around dispute rules.

Policy authority over the floor needs legitimacy. Holders, operators, registrars, security users and affected public institutions should have defined representation. Changes should include evidence, reasons, transition periods and review. A common rule is not legitimate merely because interoperability requires some rule.

The distinction between floor and script prevents two failures. Too little common policy produces contradictory authority. Too much common policy turns every registrar into an identical agent of a central institution. The NRS objective is coherent truth with diverse service.

Prices should reveal which layer earns the fee

Current registry fees often combine policy, membership, registration, public services, security and institutional overhead. A competitive model should separate common coordination charges from retail registrar charges and optional services.

The holder can then compare providers. The common fee supports validation, authoritative publication, continuity and review. The registrar fee supports account service, evidence care and holder assistance. Hosted RPKI, reverse DNS management, monitoring and premium support are separate where feasible.

Fee separation discourages coercive bundles. A registrar should not make base registration portability conditional on buying its security platform. The common coordinator should not use mandatory fees to subsidize a preferred retail provider. Public accounts should show cost allocation and related-party transactions.

IPv4 scarcity makes transparency important. Charging a percentage of transfer value may align fees with ability to pay, but it can also turn the coordinator into a rent collector whose revenue grows with scarcity. A cost, risk and public-interest justification is needed. Provider competition should lower service cost without auctioning the legitimacy of the number record.

Performance measures must test exit, not just enrollment

A market with many qualified registrars can still be locked if switches fail. NRS should measure completed portability, not provider count alone. Metrics should include initiation-to-commit time, credential-release time, objection rate, objection success, abandoned requests, emergency transfers, dependent-service failures and restoration time.

Results should be broken down by provider and resource complexity without exposing customers. A high rejection rate may reflect attempted fraud, poor guidance or strategic obstruction; reasons matter. Independent audits should sample cases and test whether stated grounds match evidence.

Continuity measures should include RDAP consistency, reverse DNS preservation, RPKI validity and unauthorized old-provider actions after commit. The common layer should report stale replicas and quorum failures. Provider failure exercises should measure actual recovery, not the existence of a plan.

Customer surveys can add context but cannot replace event evidence. A large incumbent may receive high satisfaction because trapped holders have learned not to attempt exit. Demonstrated switching disciplines the market more directly.

Liability should follow the actor that controls the failed step

Portability will fail if every actor points elsewhere. The gaining registrar controls authentication and submission. The losing registrar controls timely release of specified material and valid objections. The common validator controls serialization, final commit and retirement of old authority. Optional security providers control their dependent services.

Contracts should assign liability accordingly. An unauthorized request accepted because the gaining registrar ignored required identity checks belongs primarily to that registrar, though the common layer may share responsibility if it ignored an independent contradiction. A valid request blocked by an invented fee dispute belongs to the losing provider. A duplicate current state belongs to the common coordinator.

The European communications regime's compensation principle for switching delay and abuse is useful here. Simple, proven delay can receive an automatic remedy. High-consequence loss receives function-specific review. Restoration duties remain outside monetary caps.

This allocation improves incentives. Each actor invests in the controls it owns rather than buying a broad disclaimer. It also protects competition: a new entrant is not forced to insure failures at the common layer, while the coordinator cannot externalize its unique risk onto small registrars.

Competition law should favor interoperability over fragmentation

When an essential coordination layer excludes rivals, a court or regulator may face a difficult remedy. Ordering duplicate allocation would be destructive. Requiring access on non-discriminatory terms, portability, published interfaces, reasoned qualification and independent review can open the market while preserving uniqueness.

Structural separation may also be necessary if the common coordinator competes at retail and repeatedly favors itself. Accounting separation, equal technical access and governance controls are weaker than full separation but easier to implement. The remedy should match proven conduct and technical risk.

The objective is not state management of every registrar decision. It is to prevent control of an indispensable validation layer from becoming a private veto over service competition. Open entry plus one state is more pro-competitive than rival roots whose users must absorb coordination failure.

Competition authorities should also examine concentration among vendors. Ten registrars using the same identity, cloud and key-custody provider may not create meaningful resilience. Portability tests should include common dependencies and the ability to move away from them.

Public-sector continuity needs a portability priority without a privilege market

Governments, hospitals, emergency services, universities and critical utilities may depend on number resources. A failed switch can have public consequences. NRS should ensure rapid restoration and emergency support without creating a class of holders that can override ordinary authority merely by claiming importance.

Public-sector operators can pre-register continuity contacts, test recovery and choose enhanced service. Emergency criteria should focus on demonstrated operational impact and immediate risk. The common record should not change holder or allocation standards based on political influence.

During provider failure, stabilization may prioritize services with direct human impact. The priority should concern restoration order, not ownership. Every action should be recorded and reviewed. Other holders retain their rights and receive transparent communication.

This balance matters for institutional legitimacy. A portability system earns public confidence by preserving essential networks, but it loses confidence if emergency status becomes a route to favored allocations or bypassed evidence.

A staged pilot can test competition without risking the global state

NRS should not begin by moving the largest or most security-dependent portfolios. A pilot can involve volunteer holders, a limited number of qualified registrars and resource records whose dependencies are well understood. The common validator should run alongside the existing authoritative arrangement until results are reconciled.

The pilot should test ordinary switches, failed authentication, incumbent silence, disputed authority, registrar insolvency, RDAP updates, reverse DNS preservation, hosted RPKI transition and rollback. Independent observers should verify that no test creates a second operational allocation.

Success criteria include exact state convergence, bounded switching time, no accepted stale instruction, effective notices, safe recovery and complete event evidence. The pilot should publish failures and corrections. Expanding volume before these conditions hold would convert political ambition into operational risk.

Parallel observation is different from parallel authority. During the pilot, a candidate coordinator can calculate and witness proposed outcomes without becoming the source networks and users rely on. Authority changes only after a formal cutover with a tested rollback and clear recognition.

Scenario one: a clean registrar switch

A regional network holds a prefix under an established allocation. It wants support in another language and stronger account recovery. The chosen registrar verifies two authorized officers and submits a provider-change instruction bound to the current resource version.

The losing registrar receives notice, finds no dispute and preserves its evidence. The common validator checks authority, confirms that holder and resource are unchanged, commits the gaining registrar at the chosen time and retires the old provider token. RDAP remains consistent. Reverse DNS stays with the existing operator. The holder controls its own RPKI keys, so no certificate transition is needed.

The network does not renumber or change routes. Its allocation is not reissued. The new registrar begins service, and the former registrar retains only historical and legally required material. This is competition in its cleanest form: service changes; global uniqueness does not.

The former provider's knowledge remains valuable as evidence, but not as current authority. If it later publishes a contradictory claim, the common history exposes that claim as stale.

Scenario two: a disputed sale is hidden inside portability

A broker asks a gaining registrar to move a scarce IPv4 block and names a new company as holder. The request is labeled a provider switch, but the holder identifier and corporate control have changed. The current holder denies authorizing a sale.

The common validator rejects the portability path because provider substitution requires holder continuity. It opens a separate disputed-holder review and preserves the last uncontested state. The incumbent cannot use the dispute to impose unrelated new terms, and the broker cannot obtain recognition from another registrar by shopping for a looser standard.

No duplicate allocation appears. The buyer may present contracts, the current holder may challenge them and a court or independent body may decide under applicable rules. Until then, the public state can show a bounded dispute marker without declaring two owners.

The scenario demonstrates why common rules protect markets. Competition among due-diligence providers is useful. Competition among mutually incompatible findings of current authority is not.

Scenario three: the losing registrar fails mid-switch

A holder initiates a valid move, and the losing registrar suffers a severe outage before sending its response. Under a captivity model, the switch stops indefinitely. Under a portable model, the common layer already has independent holder authority, a pre-switch snapshot and the registrar's continuity deposit.

The response deadline expires. No permitted objection exists in the independently held evidence. After a short security review, the validator commits the new provider, preserves the former provider's last accepted state and sends notices. Optional services are restored according to the holder's recorded choices.

If the outage later proves to be a targeted attack, the event is reviewed. The switch remains valid because authority did not depend on the failed provider's goodwill. If contradictory evidence emerges, an independent stay can preserve state while the merits are examined.

Portability here serves continuity as much as competition. The ability to leave a failed institution is a core property, not a customer convenience.

Scenario four: hosted RPKI requires a bounded overlap

A holder uses the old registrar's hosted RPKI service and wants the gaining registrar to host it after the switch. Existing Route Origin Authorizations support live routes. Immediate revocation before successor publication could make those routes invalid for relying networks.

The transfer plan creates successor certificates and equivalent authorizations under approved authority, publishes them, verifies repository availability and monitors relying-party visibility. Only then does the old provider retire its hosted authority. A short overlap is allowed solely for continuity and cannot be used to create contradictory origin authorizations beyond the approved set.

If verification fails, the registrar switch can either pause or proceed while hosted RPKI temporarily remains under a separately governed service, depending on the holder's pre-approved choice. The system does not silently destroy security material to make the headline deadline.

The example shows why one resource record can support separable services. Portability is stronger when each dependency has an explicit state rather than being trapped inside one provider relationship.

Scenario five: validators disagree

Two validators accept the signatures on a transfer, while a third detects that the request references a stale holder version created by a recent court-ordered change. The required quorum is not reached. Existing state remains current, and no provider gains authority.

The dissenting evidence goes to independent urgent review. If the court change was valid, the request is rejected and the holder must reauthorize under current facts. If the event was misapplied to the wrong resource, the record is corrected and the transfer can be resubmitted.

The validators do not each publish their preferred result. Their disagreement is evidence, not a license to fork. This preserves one current state while making dissent visible and reviewable.

The cost is temporary delay. That cost is preferable to two registrars acting as current authority. Performance metrics should record the delay and reason so deadlock cannot become hidden obstruction.

Institutional legitimacy sits above the technical commit

An ordered event sequence can preserve uniqueness without answering who writes the rules. Technical coherence is necessary but not sufficient. The common policy may determine qualification, evidence, transfer deadlines, holds, liability and public access. Those choices affect holders and providers economically.

NRS should therefore separate rulemaking, operation and review. Registrar and holder representation should be balanced with network, security, public-interest and independent expertise. Voting weight should not be purchasable through address holdings or shell memberships. Changes need reasons, evidence and transition periods.

The common validator should implement accepted rules and report ambiguity rather than invent policy silently. The reviewer should be independent of both operator and dominant registrars. Courts remain available under applicable law.

Portability then becomes part of legitimacy. A holder can leave a service provider without abandoning the number resource. A provider can challenge discriminatory access without creating a rival registry. Exit and voice reinforce each other while uniqueness remains protected.

The NRS competition principle

The principle can be stated in four parts. First, every recognized holder should have an executable right to change qualified registration-service provider. Second, the switch must preserve the resource, holder, allocation history and applicable restraints unless a separately authorized change says otherwise.

Third, all providers must submit consequential changes through a common, verifiable acceptance rule that permits only one current state. Fourth, the common authority must itself be narrow, independently reviewable and operationally replaceable through tested succession rather than challenged through simultaneous rival allocations.

This principle rejects both monopoly fatalism and fragmentation. The existing institution is not technically irreplaceable merely because the resource must remain unique. Nor can competition be created by asking networks to choose among incompatible allocations. The service provider is replaceable; the truth condition is shared.

The result is a market that competes on what providers can improve: security, care, price, language, expertise, continuity and trust. It does not compete on whether the same scarce address block can be sold twice. That boundary is the foundation on which a Number Resource Society can be open without becoming incoherent.

Evidence and analytical limits

RFC 7020 supplies the current system's goals and structural distinction between uniqueness, registration and routing. RFC 9224 supplies authoritative RDAP discovery. RFC 6480 supplies the RPKI allocation and route-origin authorization architecture. These documents do not mandate the proposed NRS registrar market or define its legal status.

The ICANN Transfer Policy, EPP standards, NPAC material, European communications rules and Current Account Switch Service are comparative evidence. Domain names, telephone numbers, bank accounts, IP prefixes and AS numbers differ technically and legally. The article uses the comparators to identify role separation, receiving-provider leadership, shared coordination, deadlines, continuity and remedy; it does not treat any one model as a ready-made number regime.

The proposed common validator, event quorum and continuity arrangements require independent technical and legal testing. No claim is made that a universally recognized cross-RIR provider-portability service already exists. IANA and current RIR recognition cannot be replaced by declaration. Migration would require agreement, interoperability, verified state, lawful authority and demonstrated continuity.

The analysis also distinguishes retail provider competition from substantive allocation and transfer policy. Portability cannot resolve every dispute over legacy status, scarcity, regional authority, sanctions, insolvency or court orders. It can stop those disputes from being used as a general justification for permanent service-provider lock-in or duplicate authoritative allocation.

Sources