Summary
- Joint investors can divide cash flow, appreciation, loss and voting rights without pretending that every investor independently controls the same IPv4 registration. The registry-facing holder should be one eligible legal organization, with the investment agreement governing claims behind it.
- “Indivisible” is an institutional point, not a denial of CIDR. A block can be split into more-specific prefixes where policy, routing and contract permit. But a single live aggregate, registration account and certification chain cannot safely obey contradictory instructions at the same time.
- Economic ownership, registry holdership, network operation and cryptographic authorization are four different powers. A robust arrangement identifies each power, appoints its holder, limits it and records how it moves when an operator fails or investors disagree.
- Joint control is suitable for reserved decisions such as sale, leverage, enlargement of an operator mandate or replacement of the custodian. It is unsuitable for every route change. Packet-time decisions require a bounded operator with pre-authorized discretion and measurable duties.
- Registries should verify the organization authorized to hold and manage the record, not administer the investors' cap table. They need accurate contacts, authority evidence and a reliable dispute channel; they do not need prices, return targets or every limited partner's identity in public Whois or RDAP.
- A dispute protocol should preserve accurate registration and safe routing while isolating the contested power. A payment dispute may stop distributions without deleting a ROA; an operator dispute may suspend new delegations without erasing incident contacts; a credible authority dispute may restrict a transfer without turning an allegation into permanent control.
- Number Resource Society can make this architecture portable through standard control statements, independent attestation, continuity tests and common dispute notation. Its strongest role is to help operators prove who may act, not to become a compulsory investment registrar or another global gatekeeper.
Scarcity makes a financing question look like an ownership question
IPv4 exhaustion changed the commercial setting in which address blocks are acquired and used. A network that needs a substantial block may face a capital expense that it prefers not to bear alone. An infrastructure fund may want exposure to the value of scarce operational capacity without running routers. Several operators may want to pool capital for a shared platform. A seller may retain an economic interest after moving registration to a new vehicle. These bargains raise an ordinary financing question: can several parties share the economics of one useful resource?
They can, but the word “ownership” easily obscures what has actually been divided. Regional registry documents do not present an IPv4 block as a bearer instrument that each investor can possess in proportion to a subscription. ARIN's current Number Resource Policy Manual says that resources under its administration are assigned to organizations, are not “sold” by ARIN, and may be transferred only with express approval under the applicable policy. APNIC's policy describes account holders as custodians rather than owners and says registration does not itself confer ownership. RIPE NCC transfer material speaks of a change in holdership.
The legal character of particular rights can still depend on contract, legacy status and jurisdiction, but the registry relation has its own terms.
That distinction does not make investment unreal. A share in a company is economically valuable even though the shareholder does not personally hold every company asset. A lender can have security and payment rights without operating the borrower's equipment. A joint venturer can have rights to returns and reserved decisions while a lead operator signs third-party contracts. IPv4 financing can use the same separation, provided the documents do not promise an operational power the structure cannot safely deliver.
No public dataset establishes how many IPv4 blocks are financed by several investors, how many sit in special-purpose vehicles or how often joint arrangements fail. Registry transfer logs generally identify ranges and parties, not purchase prices, beneficial interests, side agreements or governance terms. Market announcements are selective. The absence of a denominator matters. Institutional design should respond to a plausible and important structure without pretending it is the dominant global form.
The central problem is therefore not whether capital can be fractional. It is whether the parties can say, with precision, who may cause the authoritative systems around one prefix to change. Money can vote in percentages. A routing incident cannot wait for a cap-table meeting.
A prefix is divisible in address space but singular at the point of instruction
IPv4 blocks are technically divisible on binary boundaries. A /20 can contain sixteen /24s. A holder may route the aggregate, authorize more-specific announcements or, where regional policy and contract permit, transfer or delegate component blocks. It would be wrong to describe an IPv4 prefix as physically indivisible in the way one cannot cut a unique painting into independently useful paintings.
The indivisibility appears at a different point. For any particular registry action, account credential, route announcement, reverse-DNS delegation or RPKI object, the system must receive an instruction that can be attributed and evaluated. Two investors cannot simultaneously direct that the same /20 be transferred to different recipients. Two operators can originate the same prefix, but the resulting multiple-origin state is an operational fact requiring deliberate coordination, not a machine-readable expression of their equity percentages.
A ROA can authorize several origin ASes through separate entities; it does not say which investor won a board vote.
The same prefix may therefore support several authorized actors while still requiring one coherent mandate. “Singular control” need not mean one employee, one router or one ASN. It means one accountable control constitution for each power at each time. The constitution may require dual approval for a transfer, allow either of two incident commanders to activate a pre-approved mitigation ASN, and authorize several engineers to maintain records. What it cannot safely allow is two incompatible claims to final authority with no rule for priority.
This is familiar in other shared infrastructure. Several lenders may finance one data centre, but the electricity system still has an operator. Several shareholders may own an airline, but they do not each issue competing instructions to the same aircraft. The analogy has limits: number resources are identifiers governed by registry agreements and routing practice, not physical plant. Yet the governance lesson travels. Economic plurality requires operational role clarity, not operational anarchy.
The arrangement should define the smallest unit over which an actor has authority. If each investor is entitled to a distinct /24 and policy allows the separation, those subprefixes can receive separate operating mandates. If every investor instead owns a percentage of the whole portfolio, no address can be labelled “the 12 per cent investor's packet.” The investment remains fractional while the operator's mandate applies to the whole defined range.
Four ledgers answer four different questions
A joint IPv4 investment is easiest to understand as four linked ledgers, only one of which is normally public registry data.
The economic ledger states who contributed capital, who receives rent or sale proceeds, how losses are allocated, whether returns are preferred and how the interest may be transferred. It may sit in a shareholder register, partnership schedule, trust instrument or contractual participation agreement. Its entries matter to investors and courts. They do not configure BGP.
The registry ledger states which organization is recognized in relation to the number resource, which contacts may manage records and which agreements and policies apply. In ARIN's database, an Organization Identifier represents a legal organization and associates points of contact and resources. ARIN explains that direct number resources must be associated with an Org ID defined by legal name, address and contacts. That record is more than an address book because linked roles may carry management permission, but it is not a complete statement of beneficial economics.
The operations ledger states who may announce the range, through which autonomous systems and providers, with what traffic-engineering limits, incident duties and customer commitments. BGP's autonomous-system concept assumes a collection of networks under common routing policy administration. The operator may be the registered vehicle, an affiliate, a lessee or a managed-service company. The route does not reveal which relationship applies.
The assurance ledger states who can authorize origins, maintain IRR objects, change reverse DNS, verify contacts and sign instructions. RPKI makes this separation particularly visible. A resource holder close to the certification chain can authorize an origin used by an operating company. A delegated certification arrangement can move signing capability closer to an operator. Neither configuration, by itself, allocates profits or proves a beneficial share.
Governance fails when one ledger is treated as a substitute for all four. Investors point to a cap table as if it grants portal access. A registry contact points to a password as if it owns every economic claim. An operator points to a route as if BGP adjudicates title. A valid ROA is cited as if cryptographic authorization settles the investment agreement. Each item is evidence of a narrower power.
The documents should cross-reference these ledgers without collapsing them. A control schedule can name the registry organization, current operator, authorized origin ASes, certification arrangement and economic decision body. It should also say which source prevails for which question. The cap table governs distributions; the operator mandate governs routine routing; the registry agreement governs registry services; the dispute clause governs contested authority.
The registered vehicle is a control membrane, not an empty nominee
The cleanest structure for many joint investments is a special-purpose legal vehicle eligible to hold the registration and enter the relevant agreement. Investors hold shares, partnership interests or contractual rights in that vehicle. The vehicle appoints an operator and named account administrators. The registry sees one organization; the investors see their economic ledger; the Internet sees coherent contacts and routing authority.
The vehicle must be real enough to carry responsibility. It needs valid formation, governing documents, authorized officers, secure accounts, records, tax and legal capacity appropriate to its jurisdiction, and the ability to answer the registry. A shell whose only human contact works for one investor will not provide neutral custody merely because its name sounds independent. If the operator can unilaterally replace directors and the minority cannot obtain records, the vehicle is operationally the operator wearing a second name.
Nor should the vehicle be described as owning something that the regional agreement expressly characterizes differently. Its constitutional documents can define “resource interests” by reference to the rights, contracts, proceeds and liabilities the parties actually intend. They can allocate economic benefits from authorized use or an approved transfer. They should acknowledge that registry recognition, routability and transfer approval remain subject to external systems. This drafting discipline prevents an investor certificate from promising guaranteed routing or an unconditional registry transfer.
An unincorporated arrangement can also work, especially where one operating entity already holds the range. In that case the lead holder signs the registry agreement and contracts with co-investors. The weakness is exposure: a creditor, insolvency or control change at the lead holder can affect the shared asset position. Investors may have only a claim against the holder rather than a direct path to continuity. The bargain should price that risk rather than hide it.
Direct co-holdership is the most difficult model because many registry systems are organized around one recognized organization for a resource set. Even if local law allows co-ownership of related contractual rights, the registry may not accept several entities as co-registrants with independent vetoes. Forcing a registry field to mirror private legal complexity can reduce accuracy rather than improve it. One accountable vehicle with disclosed authority is usually clearer than a list of names whose powers are undefined.
The registered entity should therefore be a membrane. It converts collective economic decisions into authorized external instructions and brings external obligations back to the investors. A good membrane is transparent to authorized scrutiny, resistant to capture and capable of acting quickly. It is not a fiction inserted to conceal who benefits.
Joint control belongs in the constitution, not in the router console
Joint investors reasonably want protection against unilateral action. They may require unanimous consent to sell the entire portfolio, admit a new investor, borrow against distributions, amend the purpose, appoint a related-party operator or change the governing agreement. IFRS 11's description of joint control is useful as a conceptual reference: joint control exists where decisions about relevant activities require unanimous consent of the parties sharing control.
The accounting standard does not determine registry rights, but it demonstrates that shared control is a designed decision rule rather than a vague statement that everyone is in charge.
The difficulty is deciding which activities deserve that rule. If every new upstream, ROA adjustment or abuse contact requires investor unanimity, a minority investor acquires an outage option. If the operator can sell the range or authorize unrelated origins as “ordinary operations,” investor protection is illusory. The constitution needs a reserved-matters boundary.
Reserved matters should include a transfer of registration, permanent subdivision, material encumbrance, appointment or removal of the custodian, material change to the operating mandate, related-party contracts above a threshold, voluntary return, settlement of a dispute that changes economic rights, and alteration of the voting rules themselves. The list should be short enough to understand and broad enough to prevent value extraction.
Operational matters should sit with the appointed operator inside a written envelope. That envelope can include approved prefixes, origin ASes, upstream categories, maximum route lengths, customer uses, RPKI change limits, reverse-DNS authority, incident actions and spending thresholds. The operator can act without a shareholder poll when an instruction remains inside the envelope. Expansion requires the appropriate reserved approval.
Emergency powers need their own boundary. A route leak, credential compromise or DDoS attack may justify temporary use of a pre-approved mitigation provider, withdrawal of a route or isolation of an account. The operator should record the reason, scope, time and approving persons. An emergency cannot become a silent permanent amendment. Short authority, rapid notice and post-incident review protect both continuity and investors.
Joint control thus operates above operations. It selects and constrains the mandate. The mandate governs the live system. This is not a dilution of investor rights; it is the mechanism that makes a collective investment usable.
One accountable operator can still be plural inside
Calling for one operator does not require dependence on one person. The operator may be a company with a network operations centre, segregated duties and several credentialed staff. It may retain transit, hosting and security providers. It may authorize multiple origin ASes for migration or resilience. Singularity describes accountability, not staffing.
The operating agreement should name the legal operator and identify functional roles: service owner, routing lead, RPKI approver, registry administrator, abuse lead and emergency alternate. Role accounts should be used for public contact where appropriate, while individual login accounts preserve attribution. ARIN's account guidance illustrates the distinction: personal online accounts are private and should not be shared, while points of contact can represent individuals or roles and carry different permissions.
No one credential should silently combine every power. The engineer who can change an IRR object need not be able to initiate a transfer. The director who approves a sale need not hold a production signing key. The fund administrator who calculates distributions should not control reverse DNS. Segregation reduces both fraud and ordinary mistakes.
Redundancy is equally important. At least two qualified individuals should be able to perform continuity-critical tasks, with strong authentication and tested recovery. Backup access should not be an envelope whose contents nobody has verified. A periodic exercise should show that a second person can contact the registry, produce authority evidence, update a permitted entity and restore a compromised account without disclosing credentials to investors generally.
The operator's duty should be measurable. Contact records must remain current. Authorized routes should be monitored. RPKI objects should reflect the approved schedule. Incidents should be reported within defined periods. Changes should carry evidence. Customer promises should not exceed the mandate. Insurance, security and competence requirements may be appropriate to the portfolio's risk.
Removal must be possible without destroying continuity. A replacement clause should identify triggers, voting thresholds, notice, handover material, temporary authority and a neutral person who can act if the incumbent refuses. The incumbent operator cannot have an absolute veto over its own replacement merely because it holds the credentials. Control is credible only when the governing body can move it.
The control matrix should be readable before money moves
A joint investment should not close on a broad statement that the manager will “control the IP addresses.” Before funds move, the parties need a control matrix that converts that phrase into actions.
For registry identity, the matrix names the recognized organization, governing agreement, primary and backup authorized contacts, and evidence required for a legal-name or control change. For transfers, it states who may propose, approve, sign and communicate an instruction, and which approvals are conditions to release of funds. For routing, it lists the operator, allowed origins, upstream authority and route-length boundaries. For RPKI, it records hosted or delegated service, account holders, permitted ROAs, emergency changes and revocation sequence.
For IRR and reverse DNS, it states who creates and maintains entities, which source is authoritative for each purpose, and how stale data is corrected. For abuse, it identifies the reachable operational contact and escalation path. For finance, it identifies bank authority, distributions, reserves and independent reporting. For records, it allocates retention, investor access, privacy and legal-production duties.
Each row should contain five answers: the actor who proposes, the actor who approves, the actor who executes, the evidence produced and the fallback if execution fails. A single name in all five columns is a warning. So is a blank fallback. The matrix need not be public, but the registry-facing parts should be capable of independent verification.
Time belongs in the matrix. Routine ROA changes may have one service target; emergencies another. Registry contact correction should not wait for a quarterly meeting. A proposed sale may require longer notice and a due-diligence period. Operator replacement needs a handover interval, but a compromised operator may require immediate suspension of selected powers.
The matrix also defines negative authority. An investor acting alone may not contact the registry as if it represents the vehicle. A minority protector may block a sale but may not direct routes. An operator may maintain current use but may not pledge expected sale proceeds. A custodian may verify documents but may not choose a purchaser. Stating what each role cannot do prevents later reliance on impressive titles.
This document is not bureaucratic ornament. It is the bridge between the investment agreement and systems that accept discrete instructions. If the parties cannot complete it, they have not resolved control.
Registry records should show authority, not the whole cap table
The registry needs a truthful answer about the organization associated with the range. It needs contacts who can maintain records and respond to operational or security problems. It may need corporate and transaction documents to establish that a requested transfer or name change is authorized. It does not follow that every investor, return preference and side letter belongs in public registration data.
ARIN's database model is instructive. An Org ID represents an organization; POCs carry administrative, technical, abuse, NOC, routing or DNS roles; resource records identify blocks. The design separates a legal organization from functional contacts. It does not purport to be a securities register. RDAP likewise supports entity roles such as registrant, technical, administrative, abuse and network operations centre. These roles can express who performs a function without disclosing why that company receives 30 per cent of cash flow.
The public record for a joint vehicle should identify the registered organization, useful role contacts and the current operational relationship where the applicable system supports it. A public comment or linked statement may say that network operation is delegated to a named organization for a stated range and period. It should not label investors as co-owners if the registry does not recognize that status.
The registry may keep a protected authority declaration. It can identify controlling persons or entities where necessary to verify the holder, meet applicable law, prevent unauthorized changes or resolve a direct authority dispute. Collection should be purpose-specific. A registry is not entitled to demand every passive investor's passport merely because joint capital exists.
Material control changes should trigger a review of authority, not automatic punishment. If a new investor acquires the right to appoint the holder's board or direct a transfer, the registry may need updated evidence about who can bind the organization. If a passive interest changes hands without altering the registered entity or its mandate, the event may be irrelevant to registry accuracy. Applicable corporate, sanctions or reporting law may impose separate duties, but those duties should be identified rather than invented by registry preference.
The result is deliberate asymmetry. Investors receive detailed financial disclosure. The registry receives sufficient authority evidence. The public receives reliable operational contact. None receives every fact merely because another layer needs it.
Subdivision can solve some conflicts and create others
The most intuitive response to joint ownership is to divide the block. Give each investor a subprefix, update registration and let each party operate independently. Sometimes that is the best exit. It converts fractional claims across the whole into distinct mandates over defined ranges.
But subdivision is not frictionless. ARIN's current minimum IPv4 transfer size is /24. Other regions have their own policies and procedures. A portfolio may contain blocks that cannot be divided into the desired proportions on useful CIDR boundaries. A 50-30-20 economic split does not map neatly onto powers of two. A more-specific route may be filtered by networks even when technically valid. Fragmenting an aggregate can increase routing-table entries and reduce the operational value of aggregation.
Existing use can make a clean split harder. Addresses may be assigned across customers without regard to investor shares. Reverse DNS, allowlists, geolocation records, reputation and certificates may attach to individual addresses. Renumbering customers to create investor-specific blocks can cost more than the governance dispute. RPKI and IRR changes must align with the new routing plan.
The parties should therefore distinguish an economic partition from a technical partition. An investor may receive 25 per cent of sale proceeds without being entitled to one quarter of the addresses in kind. If an in-kind exit is permitted, the agreement should specify allocation method, minimum usable unit, valuation adjustment, registry approval, renumbering cost and the possibility that a clean split is unavailable.
Subdivision also does not remove shared dependencies automatically. Two new holders may still use one operator, one transit provider or one certification service. A parent allocation may retain hierarchical controls over a downstream record. The exit plan must trace every control layer rather than stopping when a CIDR calculator produces four blocks.
The strongest arrangement treats partition as one possible remedy, not a guaranteed physical right. Where policy and operations support it, a verified split can end a deadlock. Where they do not, sale, buyout, replacement of the operator or continued shared economics may be more honest.
BGP can carry several origins but cannot count investor votes
BGP distributes reachability information among autonomous systems. RFC 4271 defines an autonomous system around common routing policy administration and describes the path information exchanged between peers. It does not contain fields for beneficial interests, shareholder consents or investment covenants.
A shared portfolio can use one origin ASN controlled by the appointed operator. It can also authorize multiple origins for multihoming, migration, anycast, mitigation or distinct services. A multiple-origin observation is not necessarily an error. Nor does it prove joint ownership. It says that route collectors observed more than one origin for a prefix under the visibility available to them.
Investors should resist using BGP as a voting mechanism. If two factions announce the same prefix through competing operators, the global network does not resolve their legal authority. Path selection varies. Filters differ. Traffic may split unpredictably. Customers experience instability while the parties produce contradictory operational evidence that becomes harder to unwind.
The operating mandate should define allowed origins and the conditions for change. A new origin can require confirmation that the ASN belongs to the approved operator or provider, that transit has accepted the route, that RPKI and IRR data are aligned, and that monitoring is active. Temporary origins need end dates. Unexpected multiple-origin events need an incident path that reaches both the operator and the holder.
Route data remains valuable evidence. It can show whether the approved operating plan was implemented, whether an old operator kept announcing after removal, and whether an emergency provider was used. Yet coverage is incomplete, and an observed origin may belong to transit, managed hosting or mitigation rather than an investor. Conclusions should preserve those alternatives.
The singularity principle is thus compatible with technically plural routing. Several origins can sit inside one approved control envelope. What is unacceptable is plural final authority with no envelope at all.
RPKI reveals why percentages cannot be operational permissions
RPKI ties route-origin authorization to a certification hierarchy based on Internet number resources. RFC 6480 describes that architecture; RFC 9582 defines the current ROA profile. A ROA states that a specified autonomous system is authorized to originate routes for listed prefixes, subject to prefix-length limits. If several ASes are authorized for the same prefix, separate ROAs are used.
Nothing in that entity expresses a 40 per cent investor interest. The signer needs authority in the certification hierarchy, and the entity names origins and ranges. A valid ROA is evidence of origin authorization, not a valuation statement, transfer agreement or proof that every investor consented.
This narrowness is useful. The investment vehicle can retain certification authority while authorizing the operating company's ASN. In a hosted service, approved account users request the entities and the RIR operates the certification service. In a delegated model, a qualified party can operate a subordinate certification authority within the resource hierarchy. The choice changes key custody and execution risk, not the investors' economic shares.
The RPKI schedule should define normal and emergency authority. Routine entities should correspond to the operating plan. Maximum lengths should be no broader than needed. Emergency provider ASNs can be pre-approved contractually and activated only under logged conditions. Deletion at the end of an operator mandate should be coordinated with route withdrawal so the dispute is not externalized to customers.
The party controlling RPKI gains practical leverage. It can make an otherwise intended route Invalid under route-origin validation by deleting or narrowing authorization. Conversely, an operator with delegated signing capability may preserve authorization after investors seek its removal. The agreement must therefore include service targets, independent monitoring, backup authority, revocation rules and evidence retention.
During a financial dispute, the default should be continuity of currently authorized safe routing while the parties isolate the contested money or governance question. RPKI should not become a debt-collection switch. During a genuine credential compromise or unauthorized-origin incident, narrow emergency action may be necessary. The distinction depends on evidence and scope, not on which faction reaches the portal first.
Reverse DNS, IRR and contacts are part of the same control surface
Joint investors often concentrate on the registration and sale right while treating adjacent systems as administrative details. Those details determine whether a replacement operator can actually run the range.
Reverse-DNS delegation can affect mail systems, logging, security tools and customer services. IRR objects can influence prefix filters built by operators. Public routing and abuse contacts determine whether an incident reaches someone able to act. Geofeed and related published data may shape location treatment. None alone proves legal control, but each can create operational dependence.
The control matrix should list these services and the account through which each is maintained. It should specify whether the holder, operator or provider is responsible; how changes are authenticated; and what handover material exists. An operator should not use a personally controlled maintainer entity or email domain that becomes unreachable when the contract ends.
Data consistency should be monitored without assuming every source must say the same thing. The registry holder can differ from the route operator for legitimate reasons. The abuse contact can be a specialist service. The reverse-DNS administrator can be the operator while the vehicle remains registered holder. Accuracy means each role is true, not that one name is copied into every field.
At removal, continuity requires sequencing. Create and verify replacement contacts before deleting old ones. Transfer maintainer authority before withdrawing the incumbent's account. Update route and RPKI evidence around the migration window. Preserve an auditable history so a later complaint can be directed to the party responsible at the relevant time.
The practical value of singular control is most visible here. One accountable operator can coordinate the dependencies. A consortium in which every investor controls a different service without an integration duty may discover that no one can complete a safe change.
Disputes should freeze the contested power, not the entire network
A joint arrangement needs a dispute design before a disagreement occurs. Once a prefix is live, the party holding a credential can create facts faster than lawyers can obtain relief. An investor may threaten a competing transfer. An operator may refuse handover. A custodian may receive contradictory board resolutions. A minority may invoke a veto over an ordinary routing action.
The first rule is classification. Is the dispute about distributions, valuation, reserved-matter approval, identity of directors, operator performance, registry authority, security compromise or legal prohibition? Each category touches different powers. A distribution dispute can be handled through reserve or escrow. It should not automatically suspend abuse response. A credible dispute over transfer authority can justify a temporary restriction on transfer while existing routes and contacts remain stable.
The second rule is attribution. The notice should identify the claimant, authority, affected action, evidence, requested restriction and expiry. An anonymous allegation or broad assertion that “ownership is disputed” should not become an indefinite hold. The decision-maker may preserve a caution while asking for better evidence.
The third rule is minimum scope. Freeze the disputed transaction, credential or mandate change. Maintain accurate public facts and safe operational functions unless those functions are themselves compromised. If a route is unauthorized, action can target that origin or operator. If board authority is contested, two-person approval or a neutral custodian can preserve the current state.
The fourth rule is time. Emergency restrictions should expire unless renewed on stronger evidence. Review dates and escalation forums should be known. A registry, arbitrator or court may have a role depending on the question, but no one forum should be asked to decide matters beyond its competence. A registry can verify whether its recognized organization submitted an instruction; it may not be able to decide a complex shareholder oppression claim.
The fifth rule is reversibility. Logs, signed instructions and prior states should allow correction. A disputed change should not destroy evidence. Where a transfer has not completed, a hold can preserve the position. Where routing must change for security, the response should preserve the record needed for later review.
A dispute-capable arrangement is not one that prevents conflict. It is one that denies either faction the ability to turn unrelated Internet users into leverage.
Deadlock needs a ladder, not a permanent veto
Joint control creates the possibility of deadlock by design. The remedy should be proportionate to the importance of the decision.
The first rung is operational clarification. Many disputes arise because the proposal is labelled too broadly. A request to “change control” may actually be a temporary origin addition already inside the operator's mandate. The control matrix and an independent technical opinion can remove false deadlock.
The second rung is a designated escalation body. Representatives with authority, but not the engineers handling the incident, meet within a short period. They receive the same evidence and must identify the disputed reserved matter. Minutes record positions without publishing commercial details.
The third rung is expert determination for narrow technical or valuation questions. An independent network expert can assess whether a route change is necessary and within the mandate. A valuation expert can determine a buyout price under an agreed method. The expert should not decide broader legal rights merely because technology is involved.
The fourth rung is mediation, arbitration or court relief under the governing agreement and applicable law. Interim relief should be available when credentials, transfer authority or customer continuity face imminent harm. The agreement should address service, forum, confidentiality and recognition across relevant jurisdictions rather than assuming a rapid order will appear wherever needed.
The final rung is exit. A buy-sell mechanism, portfolio sale, partition where feasible or orderly wind-down can end structural deadlock. Trigger prices and funding requirements matter: a shotgun clause can become an expropriation tool when investors have unequal liquidity. A fair exit mechanism accounts for transaction costs, registry conditions and the operational value of keeping a block intact.
Throughout the ladder, routine safe operations continue under the last uncontested mandate unless a security or legal reason requires otherwise. Deadlock over a sale is not a reason to let contacts expire. Continuity is not a victory for the incumbent; it is a temporary protection for customers and value while the defined forum decides.
Insolvency tests whether the separation was real
An arrangement may look balanced until the holder, operator or investor becomes insolvent. Then the distinction between economic claims and operational authority becomes consequential.
If the registered vehicle fails, an insolvency officeholder may gain powers under applicable law over its contracts and assets. The investors' agreement cannot guarantee that every private instruction will prevail. If the operator fails while the vehicle remains solvent, replacement rights and credential custody determine whether service continues. If one investor fails, its economic interest may pass to a creditor or purchaser without automatically changing the operator mandate.
The structure should identify these scenarios separately. It should maintain enough reserve to pay registry and critical service fees. It should prevent the operator from holding all records or keys as security for unpaid invoices. It should require current copies of configurations, authority schedules and account inventories. It should state which contracts can be assigned or terminated and what consent may be required.
Security interests require particular care. A lender may take security over shares, receivables or contractual proceeds. Describing the IPv4 registration itself as freely enforceable collateral may conflict with registry conditions or applicable law. Enforcement documents should acknowledge that any resulting transfer or control change must satisfy the relevant registry requirements. A lender should not discover at default that its supposed remedy cannot be implemented.
Continuity planning cannot displace insolvency law. It can improve the evidence available to the officeholder and reduce avoidable disruption. A neutral custodian can preserve credentials subject to lawful instruction. Pre-agreed operator replacement can keep services alive. Accurate records can distinguish the failing investor from the solvent vehicle.
The ultimate test is whether the arrangement can lose one entity without losing the truth about who may act. If all authority rests in the failed party's personal account, fractional finance has merely multiplied economic claimants around a single point of failure.
Valuation should price control risk rather than assume it away
Two interests with the same percentage of expected proceeds may have different value if one controls the registry account or appoints the operator. Investors should price governance explicitly.
A controlling interest may carry the ability to time a sale, choose counterparties, approve leases, determine reserves and appoint service providers. A minority may have vetoes, information rights or only a passive distribution claim. These differences affect value even when both certificates say 25 per cent. The valuation method should state whether it includes control premiums, minority discounts, transfer restrictions and expected operational costs.
The portfolio itself also has control-sensitive value. An intact aggregate may be worth more operationally than fragmented more-specifics. Clean registry authority, current contacts, valid RPKI, stable routing history and transferable documentation can reduce buyer risk. A block caught in deadlock, with an unreachable holder and disputed origins, may suffer a discount independent of address count.
Costs should be allocated to the parties that create them where practicable. An investor requesting an in-kind partition may bear renumbering and transaction costs, subject to fairness. An operator that fails service levels may bear replacement expense. The vehicle should maintain ordinary reserves for registry, legal, security and continuity duties because these protect all investors.
No article-level evidence supports a universal global price premium for well-governed joint holdings or a universal discount for fractional arrangements. Transaction prices and terms are generally private, and public transfer logs lack the required economic fields. The correct conclusion is directional: ambiguous control creates identifiable risks, but their market price must be measured deal by deal.
Better disclosure can eventually improve evidence. Voluntary reporting of governance features, closing times, disputes and service incidents could show whether particular controls reduce delay or loss. Reports should preserve sample size and selection limits. A portfolio that volunteers data is not representative of every IPv4 transaction.
Governance is therefore part of asset quality without becoming a fabricated index. Investors can evaluate concrete controls now while admitting that the global denominator is unavailable.
Verification should test authority as well as identity
Knowing the name of an investor or director is not enough. Verification asks whether the person can perform the specific action claimed.
For the registered vehicle, evidence may include formation and good-standing records, governing documents, current directors or managers, resolutions, delegated authority and registry account linkage. For the operator, it may include the service agreement, named role holders, ASN control evidence, approved routing schedule and tested published contact points. For a transfer, it includes the approval required under both the investment constitution and the registry relation.
Signatures help but do not answer every question. A digital signature can show that a key produced a statement. It cannot alone prove that the key holder remained a director, that the board approved the action or that the signed document was not superseded. The verification package should link identity, role, scope and time.
Independent attestations can reduce repeated document exposure. A qualified lawyer, corporate service provider, auditor or assurance service may attest that specified approvals were obtained and remain effective as of a date. The recipient must know the attestation's scope and limits. “Ownership verified” is too broad; “the registered vehicle validly appointed Operator X for Prefix Y through Date Z under the reviewed resolutions” is testable.
Operational verification matters too. Send a challenge through the published contact. Confirm that the backup receives it. Compare approved origins with observed routes, while recording collection limits. Check that ROAs match the schedule. Test recovery in a safe environment. Review access logs and remove departed personnel.
Frequency should follow risk. A dormant investment with stable operation may need periodic confirmation and event-driven updates. A portfolio with frequent changes or a live dispute needs closer review. Every check should have a defined purpose; collecting documents without examining authority merely creates a sensitive archive.
Verification closes the gap between formal singularity and practical control. The record may name one vehicle, but assurance should show that its mandate is alive, bounded and capable of execution.
Metrics must preserve the missing denominator
A governance model should be evaluated, but the available evidence does not justify global prevalence claims. Registries publish transfer statistics and registration data, route collectors observe portions of BGP, and RPKI repositories expose signed entities. None reveals the complete population of joint investment agreements or beneficial interests.
A pilot can report its own denominator. It can state the number of participating portfolios, prefixes, investors, operators and regions. It can measure time to verify authority, routine change completion, emergency response, contact success, unexpected-origin incidents, operator replacements, disputes, hold duration and recovery. It can distinguish attempts from completed actions and voluntary reports from independently detected events.
The pilot should not say that a control reduced global disputes when it observed only participating arrangements. It can compare its own periods or matched structures with clear caveats. It should publish failures, withdrawals and unavailable data. A median without the tail can hide the cases in which governance matters most.
Privacy-preserving aggregation is possible. Reports need not disclose investor names, prices or exact portfolios to show how many mandates lacked backups or how long a disputed transfer remained restricted. Small cells and rare events may require suppression to prevent re-identification.
Qualitative evidence remains useful. A completed operator replacement can show that handover controls worked in one case. A failed recovery can expose a design weakness. Neither proves a universal rate. The discipline is to separate a demonstrated mechanism from a population estimate.
This restraint strengthens the case for better institutions. Fractional IPv4 arrangements do not need exaggerated numbers to deserve a coherent control model. A single high-value prefix with contradictory authority can create material harm. Evidence-bounded governance begins with what can be tested and leaves the missing denominator unavailable.
Registries should verify the edge of their mandate
Registries occupy a necessary but limited position. They maintain coherent registration, apply agreements and policies, authenticate account authority, process eligible changes and provide operationally useful data. A joint investment does not require them to become fund administrators.
The registry can require one eligible organization to hold the direct relationship where its model calls for one. It can ask for evidence that the organization authorized a transfer or control change. It can maintain role contacts and record a verified operating party. It can restrict contradictory instructions while authority is genuinely unresolved. It can preserve service and history during a bounded review.
It should not allocate investment profits, approve valuation methods, enforce distribution preferences or decide every shareholder dispute. Nor should it assume that the public registrant is the only economically interested party. Accurate registration can coexist with protected beneficial information and private contracts.
The registry's response to joint investment should be functional. Who is accountable for the record? Who may request this change? Is the instruction within the recognized organization's authority? Is the affected range correctly identified? Does the action meet policy? Is a legal restraint attributable and current? Those questions stay near the registry's competence.
When the answer depends on external law, the registry should identify what evidence it needs and what interim state it will preserve. It can accept a court order, insolvency appointment or verified corporate resolution without claiming to create the underlying right. It should give reasons and a review path appropriate to the service affected.
This boundary protects legitimacy. Investors receive a reliable external ledger without conscripting the ledger keeper into their bargain. Operators receive stable contacts and authority. The public avoids both hidden chaos and unnecessary commercial surveillance.
Number Resource Society can standardize the control statement
Number Resource Society's positive opportunity is to make operator-centred rights legible across institutional boundaries. Its published mission emphasizes registration rights, free enterprise and limiting concentrated registry power. A joint-investment standard can advance those aims if it strengthens proof without creating a compulsory central register of capital.
The core instrument could be a portable control statement. It would identify the prefix, registry-facing holder, appointed operator, permitted origin context, certification arrangement, effective period, approving authority, backup and dispute forum. It would state expressly that the document does not disclose or determine every economic interest, guarantee routability or replace regional policy.
NRS could define assurance levels. A basic level verifies holder and operator attestations. A stronger level reviews the vehicle's authority documents, tests contacts and confirms the control matrix. A continuity level exercises backup access and operator replacement. Results should be signed, dated and scoped rather than expressed as an unqualified seal of ownership.
It could also publish a dispute notation format. The notation would identify the action contested, claimant category, evidence status, interim restriction and review date without exposing confidential submissions. Multiple registries and service providers could understand the same caution while retaining their own legal duties.
Governance of the standard should include investors, operators, registries, security specialists, privacy experts and independent users. No group should be able to redefine an economic claim as routing authority. The format should remain implementable by existing registries, independent assurance providers and operators; adoption should not depend on NRS becoming the sole custodian.
NRS should measure the service honestly. It can report participating portfolios and tested outcomes, not an invented share of the global market. It should publish assurance failures and conflicts of interest. Fees and access rules should not make verification available only to the largest funds.
The constructive promise is modest and important: many investors may stand behind a prefix, yet everyone who depends on it can discover the one mandate that governs a specific action. NRS can protect market freedom by making that mandate portable and contestable.
Capital may be plural; command must be coherent
Joint investment is not inherently incompatible with Internet number stewardship. Scarce infrastructure often attracts pooled capital, and pooled capital can finance networks that one entity could not support alone. The danger begins when an economic percentage is mistaken for an independent operational command.
The durable structure separates layers. One eligible vehicle faces the registry. Investors hold defined economic and constitutional rights behind it. One accountable operator acts inside a bounded mandate. Several people, providers and origin ASes may participate, but their authority comes from the same control constitution. RPKI, IRR, reverse DNS and contacts are assigned rather than assumed.
Reserved matters protect investors without forcing packet-time unanimity. A control matrix turns titles into powers. Verification links identity to role, scope and time. A dispute ladder isolates the contested action, preserves continuity and leads to expert decision or exit. Insolvency and replacement are planned while everyone still cooperates.
The registry maintains the authoritative edge: organization, contacts, eligible changes and applicable policy. It does not need the full cap table. The public needs truthful functional roles, not private return targets. Courts and competent authorities can obtain protected evidence through the appropriate legal route. This layered disclosure is more accurate than either total opacity or indiscriminate publication.
Subdivision remains available where CIDR boundaries, policy and operations permit it. It is not a universal answer. A percentage of proceeds may remain economically precise even when no equivalent block can be separated without loss. The agreement should promise only the rights it can implement.
No complete global dataset reveals the prevalence or performance of these arrangements. That limit should remain visible. Pilots can establish their own denominators and test contact, change, dispute and recovery performance. They cannot manufacture a worldwide rate.
The institutional test is simple. At any moment, for any consequential action, can a registry, operator, investor or reviewer identify who may propose, approve and execute it, what evidence proves the mandate, and what happens if that actor fails?
If the answer is yes, economic interests can divide without dividing the truth.
If the answer is no, fractional ownership has not diversified control. It has merely sold several claims on the same switch.
Sources
- ARIN, Number Resource Policy Manual — current registration, routability, organization, transfer, registered-holder, operational-use and /24 minimum-transfer provisions used to distinguish registry recognition from private economic claims.
- ARIN, Introduction to ARIN's Database — the Org ID, POC, resource and customer model, including differentiated management roles.
- ARIN, Point of Contact Records and Organization Identifiers — current explanation of legal organization identity, public organizational records and private individual account information.
- ARIN, ARIN Account Management — individual account, multifactor authentication and role-POC practices used as evidence for attributable, non-shared access.
- APNIC, Internet Number Resource Policies — current description of account holders as custodians, registration duties, privacy context and the statement that delegation or registration does not confer ownership.
- RIPE NCC, How to Transfer IP Addresses and ASNs — current treatment of a resource transfer as a change in holdership and the evidence expected from participating legal entities.
- RFC 7020, The Internet Numbers Registry System — the hierarchical coordination and unique-registration function of the Internet Numbers Registry System.
- RFC 4271, A Border Gateway Protocol 4 — BGP and autonomous-system foundations; route observations do not encode investment shares or private authority.
- RFC 6480, An Infrastructure to Support Secure Internet Routing — the resource-certification hierarchy used to separate certification authority from economic participation.
- RFC 9582, A Profile for Route Origin Authorizations — the current ROA profile, prefix and origin-AS scope, and use of separate ROAs where more than one AS is authorized.
- RFC 9083, JSON Responses for RDAP — entity roles that can distinguish registrant, administrative, technical, abuse and NOC functions without representing a private cap table.
- IFRS Foundation, IFRS 11 Joint Arrangements — a bounded conceptual comparison for contractually shared control and unanimous consent over relevant activities; it is an accounting standard, not number-resource law.
- Number Resource Society, About Us — NRS's own stated positions on registration rights, operator control and free markets, used to assess institutional fit rather than as independent proof of market performance.
- Number Resource Society, Charter — NRS's public description of accurate registration, bounded registry functions, transparency and accountability.

