Summary

  • A Local Internet Registry is a member and service intermediary, not a general representative elected by all downstream customers that depend on its records, routing support or provider-aggregated address space.
  • RIPE NCC rules give members corporate voting rights and recognise defined End User sponsor relationships, but ordinary provider customers often face registry consequences through private contracts rather than direct RIPE NCC standing.
  • Open policy forums reduce the democratic deficit but do not solve it: time, expertise, notice, language, contract leverage and remedy access still separate affected customers from formal association power.
  • The practical reform is not to give every customer a registry vote. It is to require customer-impact evidence, sponsor mobility, notice duties, direct review for high-consequence harms and clear separation between LIR interest and customer consent.
  • Number Resource Society's future-facing model is relevant only if it turns operator and customer voice into verifiable standing, portability and review, rather than another proxy layer with better rhetoric.

The customer hears about governance as a service incident

A downstream customer rarely experiences registry governance as governance. It experiences it as a failed migration, an unexplained delay in a record update, a change in provider terms, a demand to renumber, a reverse-DNS problem, a route-origin question from an upstream, a compliance questionnaire that asks for registry proof, or a support ticket that the provider describes as "waiting on RIPE." The customer may never have attended a RIPE meeting, read a policy proposal or voted in a General Meeting. Yet the consequence arrives through the address relationship that the Local Internet Registry administers.

The LIR is not a villain in that story. It may be the party that obtained, maintains and supports the resources. It may have paid fees, handled abuse contacts, kept records current and translated registry procedures into something a customer can use. Without intermediaries, the number-resource system would be harder for many customers to navigate. Intermediation reduces transaction costs.

The difficulty is representation. When the LIR votes, participates in policy or negotiates service terms, it acts in its own legal capacity. It may consider customer interests because it is commercially wise, ethically responsible or contractually required. But the vote is not issued by customers. The customer did not choose the LIR as a political agent inside the association; it chose a provider, sponsor or service supplier.

This distinction is easy to lose because LIRs sit between RIPE NCC and the network edge. The institution sees a member. The customer sees a provider. The provider sees both a service contract and a governance position. The same legal relationship cannot automatically answer all three perspectives.

The LIR is an intermediary, not a fiduciary by default

RFC 7020 describes the registry hierarchy in practical terms: Regional Internet Registries serve Local Internet Registries, and LIRs allocate or assign resources to customers and consumers. It also recognises that interests may diverge. That is not a constitutional defect. It is the structure of the system. Intermediaries are necessary because not every end user can or should maintain a direct relationship with every registry function.

But an intermediary is not automatically a fiduciary. A fiduciary relationship would require duties of loyalty, avoidance of conflict and action for another's benefit. LIR membership does not create that general duty to every customer. A provider owes duties found in contract, law and service commitments. It may owe good-faith or consumer duties in some jurisdictions. It does not become the elected representative of every organisation using its address services.

The difference matters when interests diverge. An LIR may support a charging model that is efficient for itself but raises downstream pass-through costs. It may prefer a record policy that reduces administrative burden while making customer portability harder. It may resist a sponsor-change process that weakens customer lock-in. It may support a certification or contact rule that protects its own risk posture but imposes work on customers. None of these positions is inherently abusive. Each may be rational from the LIR's standpoint. The question is whether the resulting decision should be described as customer consent.

The answer should be no unless evidence supports it. Customer consent requires notice, information, choice and a channel able to change the outcome or remedy harm. Ordinary provider contracts may supply some of those elements. Registry voting does not.

End Users have a partial model of directness

RIPE NCC's independent-resource framework is useful because it shows that the system already recognises a category of downstream party with a more specific relationship. End Users of independent resources must have a contractual relationship with a sponsoring LIR or RIPE NCC. Requirements for End User Assignment Agreements include responsibilities for registration data, payment, termination, liability and third-party-right terms. RIPE NCC procedures also allow contractual relationship changes between a sponsoring LIR and an End User.

That framework does not give every End User a corporate vote in RIPE NCC. It does, however, admit that a downstream party can deserve defined procedural protection. The End User is not merely invisible behind the LIR. It has a recognised dependency, a sponsor relationship and, in some circumstances, a path to change sponsor.

This partial model is important for two reasons. First, it disproves the idea that downstream customers must always remain invisible because the registry can deal only with members. The system can recognise specific downstream roles where accuracy and continuity require it. Second, it shows the limits of the current arrangement. Sponsor mobility is not general customer portability. It is bounded by resource type, eligibility, documentation and the ability to find a new sponsoring LIR.

Ordinary provider-aggregated customers usually face a harder position. If they use address space assigned from a provider's allocation, changing provider may require renumbering. The customer cannot simply carry the provider's aggregate elsewhere without breaking aggregation, routing, contract and registry logic. That may be technically and economically reasonable. It still means the customer bears costs that it did not vote on.

Open forums help, but they are not standing

RIPE's policy process is open in ways corporate governance is not. A customer, engineer, consultant or interested operator can read mailing lists, attend meetings, comment on proposals and supply operational evidence. This openness is valuable. It can let affected non-members influence policy more effectively than a formal vote would if their evidence is strong and the community listens.

But openness is not standing. A person who speaks on a mailing list has no guaranteed remedy if ignored. A customer may lack time, language capacity, procedural knowledge or permission from its employer to participate. A small business harmed by a provider's registry choices may not know which forum matters. A public-service customer may rely on contractual escalation rather than community debate. A comment can improve policy, but it does not create a direct right against RIPE NCC or the LIR.

The distinction is not legal pedantry. Institutions often defend proxy structures by pointing to open participation. That defence is partly valid: open forums reduce information asymmetry and allow expertise to surface. It becomes overbroad when open speech is treated as equal to accountable representation. The ability to submit a view is not the same as the ability to demand reasons, preserve continuity or trigger review.

Open forums should therefore be paired with direct customer-impact procedures for high-consequence matters. When a policy or service change predictably affects downstream customers, the institution should ask how those customers were noticed, what evidence was received and what remedy exists if the LIR's interest diverges from theirs.

The LIR's own risk is real

Criticising proxy membership can unfairly erase the provider's risk. The LIR pays fees, signs agreements, maintains data, receives abuse complaints, absorbs customer anger and may face liability if registry obligations are mishandled. It is not a mere messenger. It often carries more direct administrative burden than the customer.

This is why customer representation should not be designed as provider displacement. The LIR has its own legitimate voice. It may understand registry procedure better than customers. It can aggregate customer needs, explain feasibility and prevent every downstream complaint from becoming a registry case. Good intermediation is a public good.

The institutional issue is when the provider's voice is treated as complete. A provider can represent shared interests where incentives align. It cannot be presumed to represent customers where incentives diverge. A charging proposal, sponsor mobility rule, termination procedure or data-validation burden may produce exactly that divergence.

A fair rule would ask the LIR to disclose the customer-impact basis for major positions. Did it consult affected customers? Were customers contractually able to entity? Would the change create renumbering, compliance, migration or outage risks? Are those risks borne by the provider, passed through to customers or shared? The answers would not bind the LIR's vote, but they would discipline claims made on behalf of customers.

Pass-through costs should be visible

Registry charges and administrative burdens often travel downstream. A fee increase may become a customer surcharge. A contact-validation rule may become a support form. A sponsor requirement may become a contract clause. A record-correction delay may become a missed customer deadline. The registry sees one member account; the cost chain may contain many customers.

Pass-through is not inherently improper. Providers must recover costs. Customers benefit when providers maintain accurate records and responsive registry relationships. The problem is opacity. If governance discussions consider only the member's direct cost, they may undercount downstream incidence. A fee that looks modest per LIR can be material for customers if passed through with administrative mark-ups or bundled with migration costs.

Institutions should not attempt to regulate every provider price. They can, however, require impact analysis for decisions likely to be passed through. The analysis should identify whether costs are fixed or usage-based, whether they fall on all customers or a narrow class, whether customers can avoid them by changing provider, and whether a direct sponsor or independent-resource path exists.

This would improve debate. A proposal could still pass because the institutional benefit outweighs pass-through cost. But the decision record would no longer imply that only members were affected. It would show the customer chain that made the member's vote a proxy for broader economic effects.

Renumbering is the hidden sanction

For many provider-aggregated customers, the practical alternative to a bad provider relationship is renumbering. Renumbering may be possible, but it is not frictionless. It can affect firewalls, allowlists, customer documentation, certificates, monitoring, vendor integrations, public-sector approvals, mail reputation, geolocation, routing filters and support scripts. The cost can exceed the monthly service bill by orders of magnitude.

This makes provider choice less disciplinary than it appears. A customer can leave in theory, but the address dependency raises exit cost. The LIR's registry standing, therefore, has leverage beyond ordinary service quality. A governance change that strengthens or weakens sponsor mobility, transfer options or record-correction rights can alter that leverage.

The registry does not have to solve every renumbering cost. It should acknowledge when its structures increase or reduce that cost. Where customers cannot realistically exit without disruption, relying on provider competition as the sole remedy is weak. Where sponsor mobility exists, it should be usable, documented and timed so that a customer can escape a failing intermediary before harm is irreversible.

Renumbering should appear in customer-impact records as an operational cost, not as a vague inconvenience. The record should ask how many classes of customers may need to renumber, what systems are affected, what transition period is available and what evidence supports the estimate.

Notice should follow the dependency, not only the contract

Notice in registry governance often follows the member relationship. The member receives documents, invoices, deadlines and ballots. The customer receives whatever the provider chooses or is required to pass on. That may be adequate for routine matters. It is weak for high-consequence changes that predictably affect downstream continuity.

A dependency-based notice rule would not require RIPE NCC to maintain a public list of every customer behind every LIR. It would require members to classify affected downstream dependencies and certify notice for defined event types. For independent-resource users, direct notice can be easier because the relationship is more visible. For provider-aggregated customers, notice may be through the LIR, but the LIR should have a duty to send it in clear terms.

The notice should name the decision, the possible customer effect, the available channel for evidence and the deadline. It should be early enough for customers to speak to the LIR or submit evidence to an open process. After the decision, customers should receive the transition plan and remedy route.

This is not a demand for mass plebiscites. It is an administrative safeguard. If a customer will bear a predictable cost, the institution should be able to show that the cost was surfaced before the decision rather than discovered after implementation.

Review should be narrow but real

Customer review rights should not let every dissatisfied customer challenge every provider decision at RIPE NCC. That would convert the registry into a general commercial tribunal. The review route should be narrow: standing for affected downstream parties where a registry or LIR action threatens address continuity, record accuracy, sponsor mobility, certification, reverse delegation or other registry-mediated state.

The reviewer should ask limited questions. Was the customer in a recognised affected class? Was notice given? Did the LIR or registry follow the published procedure? Was the customer-impact evidence considered? Is there a temporary continuity remedy that prevents disproportionate harm while the dispute is resolved? The reviewer should not set retail prices, rewrite service contracts or decide unrelated provider disputes.

Remedies should also be bounded. They can include reasons, corrected records, temporary preservation, sponsor-change facilitation, extended transition, or referral to the proper contractual forum. They should not give customers ownership of provider space or let customers bypass aggregation rules without safeguards.

The existence of narrow review would change incentives. LIRs would know that ignoring customer-impact procedure carries cost. Customers would know there is a path other than public complaint. The registry would have a record showing that downstream harm was treated as an institutional fact, not an afterthought.

Proxy membership should be named honestly

The phrase proxy membership is not an accusation. It names a structural fact: one legal member often stands between the registry and many affected downstream users. Sometimes the proxy function is benign and efficient. Sometimes it hides a conflict. The system should be capable of distinguishing those cases.

Honest naming would change public explanations. A decision supported by LIRs could be described as support from the member intermediaries. If customer-impact evidence was collected, the institution could say so. If it was not, the institution should avoid implying that downstream customers consented. That restraint would make legitimacy claims more accurate and harder to attack.

The same naming should guide data collection. The institution should publish, in aggregate, how many members disclose downstream customer exposure, how many sponsor independent resources, how many customer-impact notices were sent for major decisions and how many review requests were resolved. Privacy can be protected while the proxy layer becomes visible.

Once the proxy layer is visible, reform can be proportionate. Some topics need only open forums. Others need notice. A small number need direct review and temporary continuity. The institution can avoid both extremes: ignoring customers because they are not members, or overloading itself by treating every customer as a corporate voter.

Customer contracts should not be treated as a complete remedy

The ordinary answer to downstream harm is contract. If a customer dislikes the provider's registry conduct, the customer can rely on the service agreement, negotiate better terms, seek damages or move elsewhere. This answer is partly correct. Private contracts are the main place where service expectations, support duties, price and liability belong. A registry should not become the forum for every disappointed customer.

But contract is incomplete where the harm concerns public registry state. A damages claim after a failed migration may not restore an address history. A service credit may not repair mail reputation, reverse-DNS continuity, route-origin acceptance or a compliance deadline. A contractual right to terminate may still leave the customer needing to renumber. A reseller contract may identify neither the sponsor nor the registry procedure that controls the problem.

Contract also suffers from information asymmetry. The customer may not know which registry facts matter when it signs. It may not know whether the provider uses provider-aggregated addresses, independent resources, a sponsorship model, leased space or a complex reseller chain. It may not know whether changing provider will require renumbering or whether a sponsor change is possible. The provider may know, but the customer's bargaining power may be small.

The point is not to invalidate contracts. It is to identify the part of the problem contracts cannot solve alone. Where public registry state is the bottleneck, the registry should publish minimum customer-facing facts and require LIRs to pass through critical notices. A contract can then allocate risk against a known institutional background.

The reseller chain makes representation even thinner

The proxy problem deepens when customers buy through resellers, managed-service firms or bundled IT providers rather than directly from the LIR. The customer may never know the LIR's name. The immediate supplier may depend on another network, which depends on an LIR, which maintains the registry relationship. Each layer can be commercially legitimate. Each layer also weakens the evidence that the member vote reflects the customer's interest.

In such chains, the LIR may not have a direct customer relationship with the final affected organisation. It may know only an intermediate partner. The reseller may not follow registry policy closely. The final customer may learn of a registry-related problem only after the chain fails to coordinate. Blaming any single party may be too simple; the institutional design allowed the dependency to become opaque.

A customer-impact procedure should therefore ask about dependency classes rather than named customers alone. Does the member serve final customers directly? Does it support resellers? Are there sponsored end users? Are there public-service or critical-infrastructure customers? Does a proposed change require notice beyond the direct billing account? These questions can be answered in bands and categories without exposing commercial lists.

The reseller chain also affects remedies. A direct review path may need to pass through the immediate supplier first, but high-consequence cases should not be trapped forever in a private chain if registry state is the bottleneck. The registry can require evidence that the chain was used and allow escalation when delay threatens continuity.

The LIR's silence should not erase customer evidence

An LIR may choose not to participate in a policy discussion or General Meeting. That is its right. But if downstream customers are materially affected, their evidence should not disappear because the intermediary stayed silent. Open forums partly solve this because customers can speak directly if they know where to go. The problem is notice and legibility: many customers do not know that a registry decision is pending or that it can affect them.

For high-impact proposals, RIPE NCC or the relevant policy process could invite evidence from affected customer classes even when they are not members. The invitation should not promise a vote. It should promise that operational evidence will be recorded and answered. A small business explaining renumbering cost, a public body explaining procurement constraints, or a cloud customer explaining allowlist dependencies can supply facts that a member ballot misses.

This evidence should be separated from lobbying. The customer need not endorse a candidate or take a constitutional position. It can describe consequence. Decision-makers can then weigh the evidence against registry objectives, member burdens and technical feasibility. If the evidence is rejected, reasons should be given.

The practice would improve the LIR's own position. A provider supporting a proposal could say customer evidence was solicited and considered. A provider opposing a proposal could bring downstream facts into the record without claiming to speak for every customer. The institution would no longer need to infer customer impact from member assertion alone.

Proxy accountability should scale with the decision

Not every registry decision justifies customer procedure. Routine document updates, ordinary meeting administration and low-impact service changes should not trigger a downstream bureaucracy. The burden would be wasteful and could make governance even less usable. Proxy accountability should scale with consequence.

The trigger can be narrow. A customer-impact layer is appropriate when a decision can materially affect address continuity, sponsor mobility, certification, reverse delegation, transferability, record accuracy, termination, fees likely to be passed through, or the ability to change provider without renumbering. Those are the points where the customer behind the LIR may bear a cost that the corporate vote does not measure.

The layer can also be staged. First, the LIR identifies affected classes. Second, notice is sent or certified. Third, evidence is collected. Fourth, reasons address the evidence. Fifth, narrow review is available for procedural failure or disproportionate continuity harm. The same sequence need not be used for every decision; the institution can publish thresholds.

Scaling matters because overbroad reform would backfire. If every customer issue becomes a registry case, LIRs will resist disclosure and customers will drown the institution. A narrow, consequence-based rule is easier to defend and easier to enforce.

Proxy membership is a measurement problem before it is a rights problem

The first reform should be measurement. How many members disclose downstream customer exposure? How many sponsor independent resources? How many customer-impact notices were sent? How many downstream submissions arrived? How many sponsor-change requests were delayed, disputed or completed? How often did customer evidence change implementation timelines?

Without these numbers, rights debates become abstract. Providers will say customers are already represented. Customers will say they are ignored. The registry will say open participation is available. Each claim can be true in some cases and false in others. Measurement shows where the proxy layer is working and where it is not.

The data should be anonymised and aggregate. It should not identify customer lists, reveal security-sensitive dependencies or force LIRs to publish commercial information. It should be enough to show incidence, not confidential detail. A public annual proxy-membership report would make future reform less speculative.

Measurement also supports restraint. If evidence shows that most customer-impact matters are resolved through contracts and sponsor changes with low dispute rates, heavy reform may be unnecessary. If evidence shows recurring hidden costs or failed notice, the case for stronger rules becomes practical rather than ideological.

Sponsorship mobility should be judged by usable time

Sponsor change procedures are often described as available or unavailable. For customers, timing is just as important. A sponsor change that is theoretically possible but takes too long to protect a migration, restore a service, satisfy a bank questionnaire or escape a failing provider may not be an effective remedy. Usable mobility depends on deadlines, evidence demands, cooperation duties and interim continuity.

This is especially important where the LIR relationship has deteriorated. A customer may need documents or authentication from the very provider it is trying to leave. The provider may be slow, insolvent, in dispute or commercially reluctant. If the procedure assumes cooperative conditions, it may fail precisely when most needed. A registry that recognises sponsor mobility should therefore measure how the procedure performs under stress, not only in clean administrative cases.

A practical standard would publish expected timelines, required documents, emergency escalation, refusal reasons, and temporary preservation rules. It would distinguish ordinary sponsor change from urgent continuity change. It would also record anonymised cases where change failed, stalled or required intervention. The entity is not to guarantee instant portability; it is to prevent a nominal remedy from becoming a decorative clause.

Timing data would discipline both sides. Customers could not claim that every delay is unlawful. LIRs could not treat silence as leverage. The registry could identify whether delays arise from customer evidence, sponsor non-cooperation, registry workload or policy ambiguity. The proxy layer becomes governable only when time is visible.

Provider expertise should become evidence, not authority by implication

LIRs often understand number-resource operations better than their customers. That expertise is valuable. It should not be confused with political authority. A provider can explain technical feasibility, aggregation effects, abuse handling, routing consequences and administrative cost. Those explanations should shape decisions. But expertise does not mean the provider's preferred policy is automatically the customer's preference.

The institution can preserve this distinction by asking LIRs to label the basis of their submissions. Is the LIR speaking from its own operating cost, from customer consultations, from observed support tickets, from sponsor-change cases, or from general technical judgment? Each basis has value. Each supports a different claim. A submission based on customer consultation is stronger evidence of downstream concern than a submission based only on provider expectation. A submission based on provider operating cost is still relevant but should be named as such.

This discipline would improve deliberation. Rather than arguing over who "represents" customers, the process would ask what evidence about customers was actually supplied. It would reward LIRs that consult customers and bring concrete cases. It would also protect LIRs from being accused of ignoring customers when they are plainly speaking about their own obligations.

The same approach should apply to opposition. A customer submission should state whether the harm is contractual, technical, financial, timing-related or informational. The registry can then match remedy to problem. Representation becomes a chain of evidence rather than a claim of status.

The public record should show when customers are outside the room

The final safeguard is simple language. When a decision is based on member votes, the record should say members voted. When customer evidence was gathered, the record should say what type of customer evidence was gathered. When no downstream evidence was available, the record should say that too. This prevents a valid member outcome from being described as if all affected users had been present.

Such candour would make institutions stronger, not weaker. A board can still decide that the member vote, technical evidence and service needs justify action. It can still reject customer claims that are unsupported or outside registry responsibility. But it should not claim a customer mandate by implication. The absence of downstream evidence is not fatal in every case; it is a fact to be weighed.

The same rule should govern LIR advocacy. If an LIR says a proposal helps customers, it should identify whether that statement is based on consultation, tickets, contract obligations, migration experience or professional judgment. If it speaks from its own cost, that is legitimate too. The institutional record improves when each voice is labelled accurately.

The discipline is modest. It does not require the LIR to surrender its vote or reveal its customer list. It asks the institution to stop treating an intermediary's lawful vote as automatic proof that all downstream interests were understood. That small evidentiary separation would make proxy membership safer for providers and customers alike.

It would also give good intermediaries a stronger public defence: they could show when they consulted, when they warned, when they escalated and when the remaining dispute was genuinely outside registry responsibility.

The alternative is worse for everyone. Customers suspect that providers are using membership as cover. Providers suspect that customers want registry power without contractual responsibility. The registry is left translating private disputes into public complaints. A measured proxy record would not remove conflict, but it would separate evidence from accusation and make each party's role clear before service continuity is at risk.

A future model must not reproduce the proxy gap

Number Resource Society is relevant because it argues for clearer operator control and alternatives to concentrated registry authority. That is a useful direction only if it faces the proxy problem directly. A new institution can still have providers, sponsors, custodians and customers. It can still allow one intermediary to speak for many affected parties. It can still confuse operational expertise with customer mandate.

The better future model would separate roles from the start. A provider would have provider rights. A direct resource holder would have holder rights. A customer affected by address continuity would have notice and review rights. Operators would have technical-evidence channels. No single role would be allowed to certify all the others without disclosure.

Portability is central. If customers or operators can move registry service relationships without destroying continuity, the proxy problem becomes less severe. Voice and exit reinforce each other. If portability is only rhetorical, proxy membership remains: the intermediary still controls the practical path to the registry.

The test for any reform is therefore concrete. Can an affected customer learn what registry decision affects it? Can it see whether the LIR is speaking for itself or for customers? Can it submit evidence? Can it change sponsor or custodian where appropriate? Can it obtain temporary continuity while a narrow dispute is reviewed? If not, the system has changed labels without changing power.

The customer behind the LIR is not absent

The customer behind an LIR is not part of RIPE NCC's corporate electorate. That fact is administratively useful and legally clear. It should not become a theory that the customer is institutionally absent. The customer is present through contracts, operational dependence, service incidents, pass-through costs and evidence of harm.

A mature registry should be able to hold both truths. The LIR has the vote. The customer may carry the consequence. The LIR may represent customer interests well. It may also diverge from them. Open forums help. They do not replace notice, evidence and review when continuity is at stake.

The practical settlement is not radical. Keep LIR membership. Name it as intermediary membership. Require customer-impact evidence for high-consequence decisions. Strengthen sponsor mobility where it already exists. Build narrow downstream review. Publish aggregate proxy data. Preserve continuity while facts are sorted.

If the LIR speaks for customers, the record should show how it knows. If it speaks only for itself, the institution should say that too. Governance becomes more legitimate when proxy authority is measured rather than assumed.

Directory links

  • RIPE Network Coordination Centre (RIPE NCC)
  • RIPE NCC members and Local Internet Registries
  • Number Resource Society