Summary
- LACNIC ROA-revocation-risk analysis asks how certificate authority, signing custody, expiration, revocation, notice, cure windows and appealability affect scarce IPv4 markets.
- ROA discontinuity can become customer outage, cloud rejection, transit filtering, bank and public-service risk, lease default pressure and transfer-closing uncertainty.
- A credible regional ledger should treat revocation power as a narrow continuity responsibility, not as a discretionary gatekeeper tool over holders and customers.
A small network in Latin America closes a transfer, leases a block for a new access product, or brings its own addresses into a cloud platform. The commercial work is already done. Contracts have been signed, customer notices have been prepared, a transit provider has accepted a letter of authority, and the engineering team has built valid Route Origin Authorizations so the prefixes can survive the modern Internet's preference for cryptographic route validation. For a few days the arrangement looks like progress: scarce numbers become working capacity, cloud onboarding becomes a routable service, and customers who never think about registries receive the quiet benefit of reachability.
Then a revocation, expiry, signing failure or authority dispute changes the economic character of the same asset. The legal question may still be unresolved. The transfer may still be closing. A fee dispute, identity review, abuse process, corporate reorganisation or competing instruction may still be in an administrative queue. Yet routers and route validators do not wait for commercial finality. If a Route Origin Authorization disappears, expires, or ceases to match the announced origin, a prefix that yesterday looked clean can become operationally suspect. Upstream transit networks may stop accepting it. Cloud platforms may refuse onboarding or withdraw advertisements. Customers may see intermittent failure long before lawyers, brokers, lenders, insurers, regulators or registry staff have agreed what happened.
That is the central economic fact of ROA revocation risk. RPKI was sold to the operational world as a way to improve routing hygiene by attaching cryptographic discipline to origin authorisation. In practice it also turns registry-layer decisions into continuity events. A paper uncertainty becomes running code. A status flag becomes a route filter. A certificate chain becomes a business dependency. When validation is widely deployed by carriers, content platforms and clouds, the authority to sign, suspend, revoke, refuse renewal or allow expiry is not merely clerical. It is a power over the timing of economic harm.
LACNIC is a useful case because the Latin American and Caribbean market contains many of the conditions that make this risk visible. Operators are often smaller, cross-border, dependent on a narrow group of upstreams, exposed to currency and financing pressure, and increasingly pulled into cloud and enterprise procurement systems that treat valid RPKI as a baseline control. A regional provider can hold numbers in one jurisdiction, use transit in another, sell to customers in several more, and face banking, public-service or enterprise clients that understand outage risk far better than they understand address registry mechanics. In that setting, the price of a prefix is not just the price of scarcity. It is the price of continuity under a certificate regime.
The question is not whether origin validation is useful. It is. The question is how markets should price the right to keep routing when a registry, a hosted signer, a transfer counterparty, a cloud provider or an upstream validator becomes the practical gate through which the asset must pass. ROA revocation risk asks whether the registry is a bookkeeper or a gatekeeper; whether holder rights are protected by reviewable process or left to operational discretion; whether cure windows are meaningful in Internet time; whether appealability can matter when packets have already stopped; and whether a scarce number resource can remain financeable when its routing validity can be shocked by events outside the holder's immediate control.
The new continuity premium in numbered assets
IPv4 scarcity has turned number resources into balance-sheet objects. Scarcity affects lease prices, transfer negotiations, bankability, customer acquisition, cloud migration and the ability of a regional operator to grow without waiting for new allocations that no longer exist in the same way. Numbers are still public Internet infrastructure, but they also function as productive capital. They are leased, transferred, pledged informally through commercial reliance, valued in acquisitions, and embedded into customer contracts. The more the market treats address space as an asset, the more it must ask what can interrupt the asset's use.
For many years the main interruption risks were technical and contractual: misconfigured BGP, upstream withdrawal, hijack, registry record errors, unpaid bills, policy non-compliance, or a transfer that failed to close. RPKI changes the ranking. A technically correct BGP announcement can be rejected if the cryptographic object says it should not exist. A lawful or commercially reasonable use of a prefix can be weakened if the ROA has expired, is revoked, or is locked behind a signing relationship that the holder cannot quickly control. The network may still possess the addresses in every practical business sense, yet a growing portion of the Internet may treat the announcement as invalid or untrusted.
That creates a continuity premium. Buyers, lessees, lenders, transit providers and cloud platforms should not price a prefix only by size, reputation, geolocation, routing history or blacklist status. They should price the durability of authorisation. Who can create the ROA? Who can revoke it? What happens if the holder changes control? What if a broker is still listed in some contact field? What if a transfer is signed but not finally reflected in the registry? What if a hosted signing account is suspended during a compliance review? What if a certificate expires on a holiday weekend? These questions sound procedural, but they are economic questions because the answers determine whether the address block remains usable under stress.
In the LACNIC region the premium can be especially sharp because smaller operators often have less redundancy in transit, legal counsel, registry operations and cloud architecture. A large global network can often route around a validation incident, negotiate directly with validators, maintain delegated RPKI expertise, and absorb customer credits. A smaller operator serving enterprises, banks, universities, local governments or public-service systems may not have that luxury. Its customers may experience the event as an outage, not as an administrative dispute. The operator's reputation can suffer even if the underlying issue is corrected quickly. A one-day invalidity can damage a contract renewal more than a month of slow correspondence.
This is why revocation risk is not a narrow RPKI engineering issue. It belongs in the economics of continuity. An address block with fragile signing continuity is less valuable than one with robust signing continuity, even if both are identical in size and route history. The difference may not appear in a registry database, but it appears in contracts, discounts, indemnities, insurance exclusions, cloud onboarding delays and the quiet reluctance of customers to depend on a network whose routes can become disputed at the certificate layer.
LACNIC as a case of institutional concentration
LACNIC is not the only registry exposed to this problem, and the point is not to single it out as unusually defective. The point is that a regional registry serving Latin America and the Caribbean illustrates the institutional concentration created when number administration, certificate authority operations, identity review, transfer processing and member compliance sit close to one another. In such a system, an act framed as administrative maintenance can have the effect of a market intervention because the registry layer is upstream of routability.
Regional registries were designed to keep records, allocate scarce resources, maintain uniqueness and coordinate policy. RPKI adds a machine-enforced credential to that role. A registry or a registry-linked hosted service can become the place where the asset's public routing authority is expressed. The holder may think of the registry account as paperwork. The Internet increasingly treats the signed object as operational truth. That gap between human expectation and machine consequence is the source of institutional power.
The economic concern is not that a registry should have no ability to correct fraud, maintain accuracy or protect the routing system. It plainly needs tools. The concern is that tools built for record integrity can become tools of immediate commercial interruption if they are not constrained by process, notice and review. A disputed transfer, a corporate identity question, a sanctions-like compliance concern, a fee issue, or a demand for documentation may be legitimate subjects for administrative handling. But the moment they affect ROA continuity, they cease to be only administrative. They become a possible shock to customer service, enterprise dependency and capital value.
LACNIC's region makes this visible because a single network may depend on external transit, foreign cloud regions and cross-border clients while operating under local corporate law and local financial constraints. A certificate action taken in one institutional context may produce route rejection in global networks whose validators apply policy automatically. The injury therefore travels faster than the administrative explanation. A prefix can be accepted in one path, rejected in another and inconsistently reachable from customer sites that have no way to understand the registry-level cause.
Institutional concentration also affects bargaining power. If a holder must maintain good standing, prove identity, complete transfer formalities and keep hosted RPKI signing alive through the same institutional channel, then any dispute in that channel can threaten multiple dependencies at once. The registry may not intend to be a gatekeeper. Yet when all roads to clean validation pass through the registry account, the registry is economically positioned as one.
This is why a serious market should distinguish between registry accuracy and registry discretion. Accuracy is the bookkeeper's task. Discretion over continuity is the gatekeeper's temptation. LACNIC, as a case, forces the question: when does a record-maintaining institution cross from recording a holder's authority into controlling the holder's ability to exercise that authority in live routing?
ROA revocation as a continuity shock
A Route Origin Authorization appears technical: a prefix, an origin ASN, a maximum length and a cryptographic signature. Its economic effect is simpler. It tells validators that a route is acceptable or not acceptable under the current certificate chain. When a ROA is created correctly, it can lower hijack risk and increase customer confidence. When it is revoked, expires or fails to match a legitimate announcement, it can convert a business right into a connectivity problem.
The shock is especially severe because validation is not negotiated route by route at the moment of failure. Many networks import RPKI validity into route policy. Some drop invalids. Some de-preference them. Some customers require valid ROAs for procurement or cloud onboarding. Some platforms use validation as part of their own risk controls. The holder cannot assume that a routing dispute will remain local to its upstream. Once the signed object changes, the effect propagates through a distributed validation ecology whose participants act according to their own policies and automation.
This makes timing central. In ordinary commercial disputes, time can be bought. Parties can negotiate, seek an injunction, hold escrow, extend a closing, or continue performance while documentation is cured. In RPKI, time can vanish. If the certificate or ROA state changes before a cure period has practical effect, the market experiences the decision as immediate enforcement. The right to appeal after invalidity has spread is less valuable than the right to be heard before routability is impaired.
The continuity shock also differs from ordinary BGP misconfiguration. A misconfiguration is usually within the network's engineering control or its upstream relationship. A revocation dispute may sit outside the engineering team. The NOC can open tickets, change announcements, or ask a transit provider for help, but it may not be able to reissue a valid ROA if the certificate authority path or hosted signing account is blocked. The engineer faces a legal-administrative dependency expressed as a route-validation symptom. That is a difficult incident category because the people who can fix the legal state and the people who see the packet loss may not share a clock.
For customers, this distinction is irrelevant. A bank branch that cannot reach services, a public-health site that sees intermittent connectivity, an enterprise whose cloud migration stalls, or a regional platform whose users complain about reachability does not care whether the fault is BGP, RPKI, transfer closing or registry review. The supplier promised continuity. The supplier failed. The risk is priced accordingly, either in lost trust, contractual penalties, reduced willingness to renew, or demands for redundant providers.
That is why ROA revocation risk belongs in asset valuation. The asset is not merely the number block. The asset is the number block plus the credible ability to keep it validly authorised under operational stress. A block whose routing validity depends on a fragile administrative path should trade at a discount, even if the discount is rarely stated openly.
Bookkeepers, hosted signers and the right to keep routing
The moral economy of number resources has long depended on a useful fiction: that registries do not own the Internet, but maintain records necessary for its coordination. This fiction is productive because it lets a scarce public resource be administered without turning every registry action into sovereign command. The registry is a bookkeeper of uniqueness, contacts, policy compliance and allocation history. It is not supposed to become a discretionary tollgate over each holder's business model.
RPKI tests that settlement. A bookkeeper who can affect the validity of routes is no longer just correcting a ledger. If the ledger is wired into route filters, a record action can become enforcement. The difference between "we changed the entry" and "your customers cannot reliably reach you" is not philosophical. It is the difference between administration and coercion.
The right at stake is best understood as a right to continuity of use, subject to defined and reviewable exceptions. It is not an absolute right to announce anything. It is not immunity from fraud control, court orders, verified abuse remedies or technical correction. It is the narrower proposition that a recognised holder should not lose the practical ability to route its numbers through opaque, surprise, disproportionate or unreviewable certificate action. The holder's economic dependency deserves process because the registry's technical action can impose immediate harm.
This right is particularly important when the registry also provides hosted signing. Hosted RPKI is convenient and often sensible. Many small operators do not want to run their own certificate authority, manage keys, monitor manifests and understand the operational edge cases of repository publication. Yet convenience concentrates power. If the hosted service is the only practical path for a small holder to maintain ROAs, then suspension or access trouble can become a routed outage risk. A feature intended to democratise security can create a new dependency on the operator of the feature.
The bookkeeper-gatekeeper distinction also helps restrain mandate laundering. A registry may invoke routing security, database quality, abuse prevention or policy compliance to justify interventions. Some interventions will be valid. But a security mandate should not be used to smuggle in discretionary control over commercial disputes, transfer timing, leasing relationships, customer identity or political preference unless the rule is explicit, proportionate, reviewable and tied to a genuine routing-risk problem. Otherwise, the language of security launders a broader power to interrupt business.
For LACNIC and its market, this restraint matters because smaller networks often cannot contest institutional decisions at the same speed as the outage unfolds. A registry's claim that an issue can be appealed later may be formally true and economically insufficient. If the route is invalid today, the customer impact is today. A review right that arrives after the harm is no longer a continuity safeguard; it is a damage narrative.
The choice between hosted and delegated RPKI is often presented as a technical choice. It is also a governance choice. In a delegated model, the holder operates its own certificate authority under the registry's resource certificate chain. It bears the technical burden but preserves more direct control over signing operations. In a hosted model, the registry or its service signs on the holder's behalf. It lowers operational complexity but increases reliance on the institutional account, service availability and policy discretion of the host.
For a large operator with staff, monitoring and established security practice, delegated RPKI may be a rational investment. It creates work, but it also reduces the chance that a registry portal dispute or hosted-service incident will block routine ROA maintenance. For a small network in Latin America or the Caribbean, the calculation is harder. Delegated operations may be costly, unfamiliar or unavailable as a practical matter. Hosted signing may be the only realistic way to participate in origin validation. The result is a class divide in signing autonomy. Those with engineering capital can separate record dependency from signing operations. Those without it accept a managed service that can also become a managed choke point.
This divide has market consequences. A buyer or lessee evaluating address space should ask not only whether valid ROAs exist, but how they are controlled. If the current holder uses hosted signing, can control be transferred cleanly? Is there a documented process to create new ROAs before the old ones expire? Can the buyer maintain overlapping authorisations during a transition? Is the maximum-length policy compatible with the buyer's route design? If a cloud onboarding requires a specific origin ASN, who has authority to create the ROA, and when? These questions affect closing risk as much as legal title or payment escrow.
The cloud dimension is increasingly important. Bring-your-own-IP products turn public-number continuity into a platform prerequisite. A cloud provider may require proof that the customer controls the prefix and may depend on RPKI state before it advertises the block. If registry signing control is delayed, cloud onboarding stalls. If an existing ROA is revoked prematurely, the cloud route may become invalid. If multiple clouds or transit providers depend on slightly different origin arrangements, a single signing mistake can fragment reachability.
Delegation is not a cure-all. A delegated operator can mismanage keys, publish broken manifests, forget renewals or make invalid ROAs. But delegated failure is more clearly an operational risk of the holder. Hosted failure can be a registry-layer risk imposed through institutional dependency. The economic distinction matters because markets price controllable and non-controllable risks differently.
Transfer closing and the dangerous middle
Transfers expose ROA revocation risk at its most awkward point: between commercial agreement and operational finality. A seller, buyer, broker, transit provider and registry may each believe they are performing their role. Yet the routing system needs a clear answer to a question that the transaction has not fully settled: who has authority to authorise origins for the prefix right now?
In traditional asset transfers, closing mechanics are designed to manage this interval. Escrow holds payment. Documents are exchanged. Representations survive closing. Conditions precedent are checked. If a problem appears, the parties delay or unwind. With number resources, there is an additional operational layer. Existing customers may still rely on the seller's origin. The buyer may need to pre-stage ROAs for its origin. A leaseback may run for a transition period. Cloud onboarding may require validation before traffic migrates. Transit providers may require new letters of authority and updated route policy. The registry record may not move at the same speed as the routing plan.
The dangerous middle is created when certificate authority follows one clock and business continuity follows another. If the seller revokes ROAs too early, customers can suffer. If the buyer cannot create ROAs until the registry record changes, migration can stall. If both old and new authorisations are allowed without discipline, hijack or misuse risk can rise. If a dispute freezes all changes, legitimate traffic may become invalid because the existing ROA expires before the dispute is resolved. Every option has risk. The economic task is not to pretend the risk disappears, but to allocate it in advance.
LACNIC's region adds practical frictions. Cross-border transactions may involve different contract languages, tax treatment, currency controls, corporate registries, bank compliance reviews and local counsel. A small operator buying addresses for growth may be exposed to payment delays or documentation demands unrelated to routing. Yet the Internet layer will not distinguish between a banking delay and a malicious origin. If the ROA state fails, validators see a technical condition, not a commercial narrative.
Transfer contracts should therefore treat ROA continuity as a closing deliverable. That means more than saying the seller will "cooperate". It means specifying existing ROAs, expiry dates, required new origins, maximum lengths, hosted or delegated signing control, transition periods, emergency contacts, registry-account prerequisites, cloud-provider requirements, and what happens if administrative approval is delayed. It also means recognising that the seller may owe a duty not to revoke operationally necessary authorisations until defined conditions are met, while the buyer may owe a duty not to announce outside agreed origins or maximum lengths.
The registry's role in this interval should be conservative. It should not encourage ambiguity, but it should also avoid creating avoidable outages by treating every transfer uncertainty as a reason to interrupt existing valid routing. The preferred posture is continuity pending review, unless there is a concrete and urgent routing-security reason to act differently. Scarcity makes the asset valuable, but continuity makes it usable. A transfer regime that protects scarcity while neglecting continuity is incomplete.
Notice, cure windows and appealability in Internet time
Due process sounds legalistic until one remembers that a route filter is an enforcement mechanism. If a registry or hosted signer can revoke, suspend, refuse renewal or let a certificate state deteriorate in response to a dispute, then notice and cure are not niceties. They are the operational buffer between administrative concern and customer outage.
The design problem is that Internet time is compressed. A thirty-day cure period may sound generous in contract law, but it is useless if the ROA expires tomorrow and the holder cannot renew it during the cure. A seven-day notice may sound reasonable unless the relevant staff are in another time zone, the notice is sent to a stale contact, a bank holiday intervenes, the holder's corporate records are under review, or the hosted account requires multi-factor recovery. Cure windows must be measured against the likely route-validation effect, not against the comfort of office procedure.
A meaningful cure window has several properties. It preserves existing routing validity while the holder responds, unless a specific emergency justifies immediate limitation. It identifies the exact certificate, ROA, prefix, origin or account condition at risk. It explains what the holder must do to cure and who can accept the cure. It distinguishes between documentary incompleteness and verified misuse. It provides a channel that reaches operational contacts as well as legal or administrative contacts. It states the earliest time at which route-affecting action may occur. Most importantly, it is reviewable before the harmful action where practical, not only afterwards.
For smaller LACNIC-region operators, these details are not bureaucratic luxury. Many run lean administrative teams. The person who handles registry records may not be the person who handles routing, and neither may be the person negotiating a transfer or cloud migration. An unclear notice can sit in the wrong inbox while validators prepare to turn a paperwork problem into a reachability problem. A cure process that assumes enterprise-scale compliance capacity will punish precisely the networks least able to absorb the shock.
Appealability must be built into this timing. An appeal that does not stay route-affecting action is weak protection unless the case involves urgent verified harm. A review board that meets after the certificate state changes may produce institutional accountability but not continuity. A credible system needs fast interim relief: a way to preserve existing valid ROAs while identity, transfer or compliance questions are reviewed. The point is not to let bad actors exploit delay. The point is to distinguish genuine emergency from administrative impatience.
Markets care about appealability because review changes risk. An asset subject to sudden unreviewable interruption trades differently from an asset protected by transparent process. This is true in electricity concessions, port licences, spectrum rights, payment accounts and number resources. The more essential the asset is to continuous service, the more valuable review becomes.
In ROA revocation, review has three economic functions. First, it reduces error cost. Registries and hosted services can make mistakes: stale records, misunderstood corporate changes, ambiguous transfer instructions, misread abuse reports, portal errors, or automated expiry handling that fails under edge conditions. A review mechanism catches some mistakes before they become outages. Second, it disciplines discretion. Decision-makers act differently when reasons must be stated and examined. Third, it creates priceable expectations. If market participants know the circumstances under which ROAs can be revoked and how quickly an appeal can preserve continuity, they can draft contracts, insurance and operational plans around that knowledge.
There is also a hierarchy of cases. Immediate revocation may be justified where there is clear evidence that a ROA is authorising a hijack, fraudulently obtained resource, compromised account or dangerous mismatch that is actively harming the routing system. But many cases involve documentation deficiencies, identity conflicts, payment disputes, transfer uncertainty, merger paperwork, or unclear authorisation among corporate affiliates. In those cases, the default should favour continuity of previously valid routing while the dispute is examined. The burden should shift when the registry seeks to convert administrative uncertainty into route-affecting action.
For LACNIC-region holders, appealability also has a cross-border dimension. A company may be incorporated in one country, operate in another, use upstreams in a third and serve customers across the region. Registry review must be able to understand corporate evidence that may not fit a single template. It must avoid turning unfamiliar documentation into suspicion by default. It must also avoid privileging those who can hire specialised counsel quickly over those whose evidence is valid but slower to assemble.
Economically, a good appeal system lowers the capital cost of using number resources. It gives buyers confidence that a transfer will not be undone by surprise signing interruption. It gives lenders and insurers a basis for assessing continuity. It gives customers a reason to trust smaller providers. It gives cloud platforms and transit providers a more stable validation environment. The registry may see this as process overhead. The market sees it as reduced volatility.
Cloud, transit and the validator as enforcer
RPKI's economic force comes from adoption by networks that the holder does not control. A prefix can be valid in a registry database and still fail commercially if key transit providers, cloud platforms or large access networks reject it. The validator turns certificate state into route policy. That policy turns registry-layer uncertainty into market consequence.
Transit providers are the first enforcement layer. A regional operator may depend on one or two upstreams for international reach. If those upstreams drop invalid announcements, the operator may lose large parts of the Internet. If they only de-preference invalids, performance may degrade in ways that are harder to diagnose. If one upstream validates strictly and another does not, traffic becomes asymmetric and customers experience inconsistent failure. The operator's ability to explain the incident depends on information that validators may not expose in customer-friendly form.
Cloud platforms are a second enforcement layer. BYOIP arrangements make RPKI continuity part of cloud migration risk. Enterprises want to move workloads without changing address reputation, firewall rules or customer allowlists. A valid ROA can be a prerequisite for the cloud provider to announce the prefix or accept the customer's control claim. If a registry dispute interrupts signing, the cloud project may stop. If the project supports banking, health, government, payments or enterprise SaaS customers, the delay is not an abstract inconvenience. It becomes a business interruption.
There is also a procurement feedback loop. Large customers increasingly ask suppliers to demonstrate routing-security posture. A network that cannot maintain valid ROAs looks less mature. That may be unfair when the cause is a registry-side dispute rather than engineering negligence, but procurement departments rarely parse the difference. They convert technical uncertainty into vendor risk. The result is that ROA continuity affects not only packet forwarding but sales.
Validators also create a problem of invisible discretion. A registry may say it has not "taken down" a network. It merely changed or withheld a certificate object. A transit provider may say it has not adjudicated a legal dispute. It merely applies route policy. A cloud platform may say it has not judged ownership. It merely requires validation. Each actor frames itself as technical and limited. Together they create a chain of enforcement with no single forum responsible for the whole harm.
This fragmentation is why running-code primacy matters. In the Internet, the rule that matters is the one running in routers, validators, provisioning systems and cloud onboarding processes. A legal document that says the holder has rights is weak if the route is rejected. A registry note saying review is pending is weak if the ROA is gone. The economic system must be designed around the fact that running code will often decide first and explain later.
Customer outage and regional asymmetry
The direct party in a ROA dispute may be the resource holder, but the loss falls outward. Customers experience failed sessions, unreachable applications, payment interruptions, VPN instability, broken public-service access, cloud migration delays and reputational harm. The registry-layer decision creates an externality because the institution controlling the certificate state does not directly bear the downstream outage cost.
Externalities are not proof of bad faith. They are structural. A registry optimising for record integrity may underweight customer continuity. A transit provider optimising for route security may underweight the commercial context of a dispute. A cloud provider optimising for onboarding control may underweight a small operator's transfer-clock problem. Each actor may behave rationally within its mandate while the combined system imposes a shock on users who had no role in the administrative issue.
In Latin America and the Caribbean this externality can be socially significant. Smaller operators often provide access, hosting, managed services or connectivity diversity in markets where alternatives are uneven. They may serve local banks, schools, clinics, municipalities, ports, logistics firms, retailers or regional enterprises. If their prefixes become invalid, the harm is not limited to an abstract member. It can affect the local economy's resilience. It can also push customers toward larger global providers, not because those providers are always better, but because they can absorb registry-layer shocks more effectively.
That dynamic has competition consequences. A security framework that is easier for large networks to manage than small networks can entrench scale. If hosted signing dependency creates interruption risk for small holders while larger holders can delegate and professionalise, the market may treat small networks as less reliable even when their engineering is competent. RPKI then improves one dimension of security while quietly increasing concentration pressure.
For registries, the implication is restraint. If a route-affecting action externalises loss onto customers, the institution should adopt a higher threshold, clearer notice and faster review. It should not treat ROA state as an internal compliance lever unless the routing-security benefit outweighs the continuity cost. The Internet's public interest is not served by making hijacks harder while making legitimate customer service easier to interrupt through administrative fragility.
Capital-control risk, scarcity and holder rights
Number resources have become capital facts because scarcity gives them exchange value. But a scarce asset is financeable only when its use can be predicted. If routing validity depends on discretionary certificate control, then the asset carries a form of capital-control risk. The term is deliberately strong. It does not mean that a registry is a central bank or that address holders own numbers like land. It means that an institution with control over the conditions of use can affect whether the scarce resource produces cash flow.
Investors, buyers and lenders price that control. A block whose ROAs can be maintained through clear delegated operations, clean registry status and documented transition rights is worth more than a block whose operational validity depends on an account controlled by a distressed seller, a disputed corporate officer, an unresolved transfer or a registry process with uncertain cure windows. The risk may appear only at the margin, but margins matter in transfers and leases.
Leasing makes the issue sharper. A lessee may build services on addresses it does not permanently control. It may require the lessor to create ROAs authorising the lessee's ASN, or it may use a cloud provider's ASN. If the lessor loses registry access, becomes subject to a dispute, fails to renew ROAs or revokes authorisation after a commercial disagreement, the lessee's customers can suffer. The lessee has a contract claim, but the route may already be invalid. That is capital-control risk through a private counterparty, amplified by registry-layer signing.
Currency and banking conditions can deepen the problem in parts of the LACNIC region. Cross-border payments, compliance checks, foreign-exchange limits or local financial stress can delay transfers and leases. If fee status, payment confirmation or documentary completion affects registry services, then financial friction can become routing friction. The market should be alert to any arrangement in which an inability to move money or satisfy administrative evidence quickly can threaten ROA continuity for operationally clean prefixes.
Capital-control risk also appears in corporate distress. A network may restructure, merge, sell assets, enter insolvency, split from a parent, or dispute control among shareholders. During such events, number resources can be among the most valuable assets. If competing parties seek to control registry accounts or ROAs, the certificate layer becomes a battlefield. A registry that lacks careful interim rules may inadvertently choose winners by preserving one signing state, freezing another, or revoking all. The economically sound posture is to preserve customer continuity where possible while requiring parties to resolve ownership through reviewable channels.
The broader point is that scarcity without continuity is unstable capital. The market can tolerate scarcity because it can be priced. It struggles with discretionary interruption because it cannot be priced without transparent rules. ROA revocation risk therefore demands the same seriousness as title risk, lien risk, regulatory risk or spectrum-licence risk. It is a condition attached to the productive use of a scarce asset.
Some discussions of number resources become confused because they borrow property language too casually. IP addresses are not land. They are not ordinary chattels. They sit inside a coordination system whose value depends on uniqueness, registry accuracy and collective routing discipline. But rejecting crude ownership language does not mean rejecting holder rights. A resource holder can have legitimate expectations of continuity, non-arbitrary treatment, transferability, operational control and review.
ROA revocation risk clarifies which rights matter. The holder needs a right to know who can affect signing continuity. It needs a right to notice before ordinary administrative action impairs valid routing. It needs a right to cure defects without losing customers. It needs a right to fast review when revocation is threatened. It needs a right to transfer or lease with predictable signing transition rules. It needs a right to maintain existing operational authorisations during non-emergency disputes, subject to safeguards. These rights do not convert numbers into land. They make the coordination system investable.
Registry authority also needs definition. A registry should be able to correct fraud, prevent clear misuse, enforce resource policy, respond to valid legal obligations and maintain certificate integrity. But it should explain its actions in categories that markets can understand. Emergency routing harm is one category. Administrative non-compliance is another. Transfer uncertainty is another. Account security is another. Each category should have different effects on ROA continuity. Treating all concerns as grounds for interruption collapses governance into discretion.
The holder-rights frame is also the best way to handle scarcity. When a resource is abundant, interruption is inconvenient. When it is scarce, interruption affects capital allocation. A network that cannot rely on continuity will hesitate to invest in customers, cloud migration, enterprise services or regional expansion. The market will demand higher returns, lower purchase prices or stronger indemnities. Those are rational responses to institutional risk.
LACNIC's region needs a rights framework that protects small and large holders alike without encouraging abuse. The solution is not to weaken RPKI. It is to make RPKI's authority reviewable, proportionate and commercially legible. The stronger the cryptography, the stronger the process around its use must be.
Mandate-laundering restraint and running-code primacy
Routing security is a powerful mandate because few respectable actors want to oppose it. That is exactly why it needs restraint. When a policy tool is wrapped in security language, it can expand beyond its proper scope. The danger is not only overreach by institutions. It is also intellectual laziness by markets that accept any route-affecting action as justified because it occurred under a security banner.
ROA revocation can be necessary. A fraudulent resource claim, compromised account, malicious origin, or clear hijack scenario may require fast action. But many certificate disputes are not emergencies. They involve ambiguity, documentation, timing, contractual conflict or registry hygiene. Treating those cases as routing-security emergencies launders administrative preference through security machinery. It gives a bookkeeper the posture of a guardian and the effect of a gatekeeper.
Mandate-laundering restraint asks a simple question: what specific routing harm is the action preventing, and is the action proportionate to that harm? If the answer is that a document is missing, a transfer is incomplete, a fee is disputed, or a holder's corporate evidence is inconvenient, then immediate ROA interruption may be disproportionate. The registry can preserve the status quo, restrict new risky changes, demand cure, flag the record, or require additional verification without necessarily invalidating existing customer routes.
For LACNIC, the regional context includes diverse legal systems and varying institutional capacity. That diversity makes restraint more important, not less. A registry serving many jurisdictions should avoid turning itself into the first-instance adjudicator of complex private disputes unless routing security genuinely requires it. It should maintain records, require evidence, preserve continuity where safe, and provide review. It should not use certificate power to settle matters that belong in contract, corporate or judicial forums.
Security restraint is also good for security. If holders fear that RPKI adoption gives institutions a new lever over their business, they may resist deployment, use overly broad ROAs, avoid updating records, or maintain fragile workarounds. Trust in the security system depends on confidence that it will not be used opportunistically. A thin, disciplined mandate can produce broader adoption than an expansive one.
Running-code primacy means that the operational implementation of a rule becomes the rule experienced by the market. If validators drop invalids, then invalidity is not a note. It is a service condition. If cloud onboarding requires a valid ROA, then ROA control is not an optional hygiene measure. It is a production dependency. If transfer closing depends on the ability to maintain overlapping authorisations, then signing continuity is not a back-office detail. It is a transactional covenant.
This changes the standard of care. Institutions that operate certificate infrastructure must think like operators of critical market plumbing. They must assume that certificate changes can cause customer harm. They must test expiry handling, notification paths, account recovery, emergency bridges, transfer transitions and dispute freezes against real routing consequences. They must not hide behind the idea that they merely publish data. In a validating Internet, publication is action.
Holders must also adapt. They cannot treat ROAs as set-and-forget paperwork. They need inventories of prefixes, origin ASNs, maximum lengths, expiry dates, signing model, emergency contacts, cloud dependencies and upstream validation policies. They need to know whether their customers have RPKI requirements and whether their transit providers drop invalids. They need contractual protections when leasing or transferring resources. They need to test what happens when a ROA is wrong before a real event forces the test.
But the burden cannot fall only on holders. A market in which every small operator must become a certificate-law expert will become a market tilted toward scale. The institutional layer should make safe behaviour easy and arbitrary interruption difficult. Hosted signing should reduce complexity without erasing holder rights. Delegated signing should be available without becoming a privilege only for large networks. Notices should be intelligible to engineers and executives. Appeals should be fast enough to matter.
The shift from soft records to running code is irreversible. The question is whether the governance around that code matures. If it does not, the region will get a brittle form of security: cryptographically strong, institutionally weak, and economically underpriced until the next outage reveals the hidden leverage in the certificate chain.
Pricing certificate risk and restraint in practice
If ROA revocation risk is real, it should appear in contracts. Transfer agreements should include signing schedules, ROA inventories, expiry representations, transition covenants, emergency cooperation duties and remedies for premature revocation. Lease agreements should define who creates and maintains ROAs, how quickly changes must be made, what happens during disputes, whether authorisations survive non-payment allegations during cure periods, and how downstream customer harm is allocated. Transit contracts should state validation policy and incident contacts. Cloud onboarding documents should identify signing prerequisites before migration dates are promised.
This contractualisation may sound heavy, but the alternative is worse. Without explicit terms, parties discover during an incident that they assumed different things. The seller thought ROAs ended at closing. The buyer thought old authorisations would remain through migration. The lessor thought it could revoke after a payment dispute. The lessee thought customer continuity would be protected during cure. The cloud provider thought registry validation would be routine. The transit provider thought invalid routes would simply be filtered. Each assumption is plausible. Together they create a failure.
Market due diligence should also evolve. A buyer should not be satisfied by a statement that a prefix is "RPKI valid" today. It should examine how validity is produced and how it can fail. Are the ROAs narrow or broad? Do they match actual and planned origins? Are maximum lengths compatible with deaggregation? Are there stale authorisations for old customers? Is signing hosted or delegated? Who controls the account? Are there pending disputes, unpaid fees, corporate changes, transfer locks or identity reviews? Are expiry dates monitored? Is there a tested process for emergency reissuance?
As these practices spread, the market will price certificate risk more accurately. Blocks with clean delegated control, stable registry status and well-drafted transition covenants will command better terms. Blocks dependent on ambiguous hosted access or disputed authority will be discounted. That is not punishment. It is information becoming price.
The practical standard for ROA revocation risk can be stated plainly: preserve legitimate continuity unless immediate route-affecting action is necessary to prevent concrete routing harm. That standard does not solve every case, but it establishes the correct presumption. It treats customers' connectivity as a real interest. It treats registry power as consequential. It treats security as a disciplined mandate rather than a magic word.
For ordinary administrative issues, existing valid ROAs should generally remain in force through a meaningful cure window. If new ROAs would increase risk during a dispute, they can be limited without withdrawing old operational authorisations. If identity is contested, the registry can freeze risky changes while preserving current customer service. If a transfer is pending, bridge authorisations can be maintained under defined conditions. If a hosted account is locked for security reasons, an emergency continuity path should exist for known-good existing routes. If payment or documentation problems arise, the remedy should not jump immediately to route invalidity unless the rules clearly provide for that consequence and the holder has had a practical chance to cure.
For emergency cases, action can be faster, but reasons should still be recorded and review should follow quickly. Emergency authority is most legitimate when narrowly tied to active harm: hijack, compromise, fraudulent authorisation, or a clear technical error causing routing danger. It is least legitimate when used for convenience, leverage or unresolved private disputes. The line will not always be perfect. That is why reviewability matters.
A strong system would also avoid silent expiry as an enforcement method. Letting a certificate or ROA lapse during a known dispute can be as harmful as revocation while appearing more passive. If the institution knows that expiry will interrupt legitimate traffic, it should treat expiry management as a continuity responsibility. Automation should escalate before harm, not after. Notices should reach operational contacts. Temporary renewal should be available where the dispute does not concern active misuse.
Finally, registries should not rely on the argument that validators make independent choices. That is formally true and economically evasive. If the registry's certificate state is designed to be consumed by validators, the registry must accept that its actions have foreseeable routing effects. Responsibility follows foreseeability.
Conclusion: the price of a revocable route
ROA revocation risk reveals a deeper change in Internet economics. Number resources are no longer merely entries in a registry or inputs into BGP. They are scarce operational assets whose value depends on cryptographic authorisation, cloud acceptance, transit validation and customer trust. The authority to revoke, suspend, refuse, delay or let expire that authorisation is therefore an authority over continuity.
LACNIC, viewed as a case rather than a villain, shows why this matters for Latin America and the Caribbean. The region's operators often work across borders, depend on upstream transit, serve customers with low tolerance for outage, and face capital constraints that make continuity shocks harder to absorb. RPKI can strengthen their routing posture, but only if adoption does not introduce a hidden institutional kill switch over legitimate service.
The market should respond by pricing certificate risk. Buyers should examine signing control. Lessees should demand ROA covenants. Cloud customers should test onboarding dependencies. Transit providers should disclose validation behaviour. Insurers should classify registry-layer interruption. Customers should ask whether their provider can survive a ROA dispute. Registries should understand that their certificate actions are not merely clerical.
The governance answer is restraint: bookkeeper before gatekeeper, continuity before administrative convenience, review before irreversible harm where possible, and emergency power limited to genuine routing danger. Holder rights do not require pretending that numbers are land. They require recognising that scarce technical entitlements become capital only when their use is predictable. Due process is not an ornament. It is part of the asset.
The price of a prefix will increasingly include the price of a revocable route. Markets can live with that if the risk is visible, narrow and reviewable. They cannot build resilient regional infrastructure on a certificate chain whose interruption rules are opaque, discretionary or too slow to matter. The next stage of routing security is therefore not only better cryptography or wider validation. It is the institutional discipline to ensure that the code which protects the Internet does not casually interrupt the legitimate economies that depend on it.
Sources and further reading
These references provide the article's public doctrine and background context. They are used for institutional-economic framing, not for adopting any registry or official-sector narrative.
- Lu Heng, all notes index: https://heng.lu/all-notes/
- The Policy Mirror: https://heng.lu/the-policy-mirror/
- The Bill of Rights of Uniqueness Coordination: https://heng.lu/the-bill-of-rights-of-uniqueness-coordination/
- The Multi-Stakeholder Mirage: https://heng.lu/the-multi-stakeholder-mirage-how-the-multi-stakeholder-model-turned-attendance-into-mandate/
- The Registry Continuity Fallacy: https://heng.lu/the-registry-continuity-fallacy-protect-the-ledger-not-the-gatekeeper/
- Running-Code Primacy: https://heng.lu/running-code-primary-the-patch-needed-to-preserve-the-internet-original-design/
- The Poverty Penalty: https://heng.lu/the-poverty-penalty-how-the-rir-model-taxes-the-poor-while-calling-it-equality/
- Sovereignty inversion: https://heng.lu/from-double-extraction-to-sovereignty-inversion-how-nations-lose-sovereign-control-to-rirs-for-us100/
- Registry power and liability: https://heng.lu/on-when-registry-power-detaches-from-liability-why-the-present-rir-coordination-model-cannot-survive-in-its-current-form/
- Number resources are not political property: https://heng.lu/on-internet-number-resources-are-not-political-property/
- Thick RIR governance as double extraction: https://heng.lu/on-regional-internet-registries-thick-governance-turns-uniqueness-into-double-extraction/
- Registries must never become enforcers: https://heng.lu/why-registries-must-never-become-enforcers/
- RIR enforcement creep and IPv4 liquidity: https://heng.lu/on-why-rir-enforcement-creep-is-the-silent-killer-of-ipv4-liquidity-and-why-it-must-be-stopped/
- Cost structure of regional Internet registries: https://heng.lu/on-the-cost-structure-of-regional-internet-registries/
- Decentralising global IP address registration: https://heng.lu/on-decentralising-global-ip-address-registration-with-distributed-ledger-technology/
- Unlocking the hidden value of IPv4: https://heng.lu/unlocking-the-hidden-value-of-ipv4/
- Portability of number resources: https://heng.lu/on-portability-of-number-resources-and-the-icp-2-revision/
- Number Resource Society: https://nrs.help/
- BTW Media: https://btw.media/
- LARUS: https://larus.net/

