Summary
- RIPE NCC has a strong duty to keep the registry accurate, reachable and legally usable, but that duty is narrower than a mandate to police every bad act associated with an address holder.
- The enforcement boundary matters because IPv4 scarcity turns registry actions into large economic transfers: a suspension, transfer hold or deregistration warning can change asset value, creditor leverage and network continuity.
- Identity checks, fraud review, contractual qualification, sanctions compliance, court orders, policy implementation and contactability sit inside the legitimate registry perimeter.
- Network abuse, routing mistakes, reputation complaints, service-level failures and commercial disputes usually require contact routing, evidence preservation and external remedies rather than registry punishment.
- The safest economic design is a narrow boundary with written trigger classes, notice, proportional status marking, appeal, reversibility where possible and a bias against turning the ledger into a behavioural tribunal.
A complaint at the registry desk is an economic event
The difficult cases do not arrive as theory. They arrive as a message from a hosting company that says a rival is announcing a disputed prefix. They arrive as a phishing complaint from a brand-protection desk that has already written to an abuse mailbox and received no answer. They arrive as a reseller who says a former customer transferred an IPv4 block by deception, or as a creditor who insists that a member account should be frozen because the address space is the only valuable asset left in a collapsing business. Sometimes they arrive through a public routing incident: a prefix is visible from an unexpected autonomous system, filters are missing, an RPKI record looks stale, and the first instinct is to ask the Regional Internet Registry to "do something".
For RIPE NCC, the first question should not be whether the complaint sounds serious. Many complaints are serious. The first question is what kind of institution is being asked to act. RIPE NCC maintains the registration layer for Internet number resources in Europe, the Middle East and Central Asia. Its public materials describe the RIPE Database as a registry of network and contact information. Its resource-management pages describe transfers as changes in holdership. Its due-diligence procedures describe checks on the existence, validity and representation of the parties receiving resources. Its closure and deregistration document lists failures that can justify termination or deregistration, including incorrect registration, falsified information, fraudulent requests, non-compliance with audits and Dutch court orders. Its support page for spam, hacking and phishing points complainants toward the relevant network operator, not toward a promise that RIPE NCC will punish the network.
That distinction is not administrative tidiness. It is political economy. In a world of abundant addresses, a registry error might be annoying. In a world where IPv4 has become a scarce input, a registry hold can behave like a lien, a freeze or a forced haircut. It can prevent a transfer, cloud title, frighten a lender, alarm upstream providers or push a small operator into insolvency. Even when RIPE NCC never touches packets, never filters a route and never edits a router, its treatment of the record changes the bargaining position of everyone around that record. A vague enforcement boundary therefore changes prices.
The phrase "enforcement boundary" sounds dry, but it defines who bears losses when facts are contested. If a record is false, the registry should correct it. If a member does not exist, cannot be reached, has used fabricated papers or has no valid contractual link to the resource, the registry cannot pretend that the ledger is healthy. If a Dutch court orders an action, compliance is not optional. If sanctions law prevents service to a party, the registry must observe the law. But if two businesses dispute payment, if one network operator accuses another of poor security, if a route leak embarrasses a peer, or if a customer says an abuse desk is indifferent, a registry that turns those complaints into resource penalties becomes something else: a judge of conduct.
The economic harm begins when market actors cannot tell which institution they are dealing with. A ledger institution is meant to reduce transaction costs by making holdership and contactability legible. A behavioural regulator imposes standards of conduct and sanctions breach. A court resolves disputes according to evidence and jurisdiction. A network operator manages traffic. A reputation market prices trust. A registry can support all of these by maintaining reliable records, but it cannot replace them without importing their costs and mistakes. When the boundary blurs, every complaint becomes an option on someone else's address space. That option will be exercised by competitors, creditors, litigants, political actors and frustrated victims of abuse. Some will be right. Some will be wrong. All will know that registry pressure is cheaper than ordinary due process.
The ledger duty is narrow because the resource is irreplaceable
The starting point for a disciplined boundary is a narrow description of the registry duty. RIPE NCC records the allocation, assignment, transfer and contact data attached to Internet number resources. It operates services that help members manage those records. It implements resource policies developed through the RIPE community. It checks that the legal or natural persons in the registry exist, are properly represented and satisfy the relevant requirements. It maintains reverse DNS delegations, registry database entries and certification services connected to resources. It can assist with registry quality, including consistency between records and observed routing. These functions are powerful because they sustain uniqueness and trust at the coordination layer.
They are not the same as owning the economic lives of the resource holders. The registry does not run the networks that use the addresses. It does not normally know the commercial agreements behind every customer assignment, peering dispute, hosting complaint, insolvency proceeding or supplier quarrel. It does not sit at the right evidentiary point to decide whether a compromised server, a spam run or a routing mistake shows bad faith by the holder. It may see symptoms. It may maintain contacts. It may require accurate records. It may preserve the fact that a record is contested. But the farther the issue moves from identity, holdership, policy eligibility and registry accuracy, the weaker the institutional fit becomes.
That institutional fit matters because Internet number resources are not ordinary files in an association database. IPv4 addresses, in particular, are scarce coordination assets. Their value comes from their global uniqueness, their routability and their recognition in registries and routing systems. A holder cannot simply manufacture an equivalent substitute after a mistake. Renumbering can take months, break customers and change contracts. A cloud provider or access network can shift some address use internally, but a small hosting operator, regional ISP or specialist connectivity business often cannot. For such a member, a registry warning or transfer hold is not just a compliance nudge. It is a shock to working capital.
This is why registry maintenance has to be strict and bounded at the same time. Strictness without boundaries becomes arbitrary power. Boundaries without strictness become a dirty ledger. The point is not to make RIPE NCC passive. A passive registry would reward false papers, unreachable contacts, shell companies, hijacked resources and fabricated transfer chains. The point is to define the narrow reasons why registry power may reach the resource record and the reasons why it should not.
A useful distinction is between the condition of the record and the conduct of the holder. The condition of the record includes whether the registered party exists, whether it is correctly named, whether the authorised representative has authority, whether the sponsoring relationship exists, whether the relevant resource entries are maintained correctly, whether required contact attributes work, whether policy prerequisites were satisfied, whether a transfer has valid consent and whether a court or sanctions obligation directly constrains the registry. The conduct of the holder includes how it prices transit, how quickly it answers abuse mail, whether its customers behave badly, whether it misconfigured filters, whether it annoyed a creditor or whether it breached a private supply contract. Some conduct can create record problems; a fraudulent transfer is both conduct and a record defect. But the registry should act on the record defect, not acquire a general licence to punish the conduct.
This distinction preserves the registry's comparative advantage. It has documents, account data, registry history, public records, transfer forms, policy criteria and the ability to contact registered parties. It lacks the discovery powers, adversarial procedures, forensic depth and remedial range of a court. It lacks the packet-level operational role of networks. It lacks the market-facing risk assessment of banks, brokers and counterparties. The clean design is therefore to use registry powers where the registry has unique competence and to refer the rest to institutions that are built for the dispute.
Scarcity turns fuzzy procedure into real money
IPv4 scarcity is the multiplier. It changes the cost of every ambiguous registry action because the resource record is no longer merely a technical entitlement. It is also a balance-sheet item, a financing input, a customer-retention tool and, in many cases, the main scarce asset of an Internet business. The public transfer market has made this visible. RIPE NCC's transfer page says that a transfer changes the holdership of Internet number resources from one party to another. In economic terms, that record change is the moment when a private deal becomes usable at the coordination layer. Anything that delays, clouds or threatens that change affects price.
Suppose a buyer has agreed to acquire a block from a member that also faces abuse complaints. If the complaints concern unreachable abuse contacts or false registration data, RIPE NCC has a ledger issue to address. If the complaints concern the behaviour of downstream customers, the registry link is weaker. A buyer that fears a discretionary registry review will discount the block. A seller under cash pressure may accept that discount. A competitor may understand the effect and raise complaints at the moment of transfer. None of this requires corruption. It only requires uncertainty about the boundary.
The same logic applies to closures. Public closure and deregistration procedures contain staged notices, periods for rectification and consequences for resources. Those stages are valuable because they convert institutional power into predictable time. A member that knows the alleged defect, the deadline, the cure and the consequence can plan. A customer can renumber if it must. A buyer can decide whether the risk is acceptable. An upstream provider can tell the difference between ordinary controversy and upcoming deregistration. Vague enforcement collapses that time structure. If members cannot tell whether an allegation will become a warning, a suspension, a transfer hold or a deregistration path, they price every complaint as a tail risk.
Scarcity also changes incentives for outsiders. When address space has value, the right to trigger doubt is valuable. A creditor may prefer registry pressure to court because it is faster and cheaper. A competitor may prefer an abuse allegation to competition because it can raise compliance costs. A buyer may prefer a complaint to negotiation because it weakens the seller. A former director may prefer a hold to a corporate lawsuit because the registry desk looks more accessible than a judge. A state actor may prefer informal pressure to a formal order. Each may present a plausible public-interest reason. The registry must still ask whether the requested action belongs inside the ledger perimeter.
There is a second-order harm: investment retreats from environments where administrative risk is unpriced. IPv6 deployment does not remove this problem. Many networks still need IPv4 for customers, compatibility, transition services and legacy applications. Operators that invest in route security, clean customer onboarding and registry hygiene should not have to insure against unpredictable enforcement over matters beyond the registry record. If they do, the risk premium falls hardest on smaller holders and new entrants. Large firms can absorb legal correspondence, compliance teams and waiting time. A small network may lose a customer contract if a transfer or update stalls for weeks.
Clear boundaries therefore increase compliance rather than weaken it. Members are more likely to keep records accurate when they know the registry's power is tied to accuracy, contractual standing, policy eligibility and legal compulsion. They are less likely to cooperate when every interaction might open a broad inquiry into business conduct. A registry that is precise can be firm. A registry that is vague becomes both feared and gamed.
The temptation to enforce behaviour is understandable
The case for restraint is not a case for indifference. Network abuse harms victims. Route leaks and hijacks can disrupt traffic. Fraudulent shells can pollute the registry. Sanctions risks are real. Inaccurate contact data makes coordination expensive. If RIPE NCC refuses every plea outside a narrow reading of its duties, the public may see a technical institution hiding behind paperwork while bad networks profit. That political pressure is why enforcement temptation appears.
The temptation has several sources. First, the registry is visible. Victims of abuse often cannot identify a hosting customer, reseller or compromised machine, but they can look up an IP address and find a resource holder. The registry becomes the address book of last resort. Second, the registry is upstream of many private relationships. If RIPE NCC marks a record, freezes a transfer or threatens deregistration, the effect flows to upstream providers, customers and counterparties. Third, the registry has lower activation costs than courts. A complaint email is easier than litigation. Fourth, the public language of "responsibility" can slide from responsibility for records to responsibility for everything that happens behind an address.
There is also an information problem. Many abuse reporters do not understand the difference between a registry, a network operator, a hosting reseller and an end user. They see a public database and assume the database operator can stop the harm. RIPE NCC's public abuse guidance tries to correct this, noting that it allocates blocks and can help find the relevant contact, but is not involved in how addresses are used by users. That sentence is more than a support instruction. It is a boundary statement.
Routing incidents create a different pressure. A visible BGP anomaly can look like theft. Sometimes it is. Sometimes it is a configuration error, a stale route record, a customer leak, a missing ROA, a mistaken import policy or a temporary mitigation. RIPE NCC has tools and services that can expose inconsistency, and assisted registry checks can help members improve records, reverse DNS and routing registry data. But observation is not adjudication. Seeing a mismatch does not automatically prove that the holder has forfeited resources. A registry that treats every routing irregularity as a conduct offence risks punishing operators for the noisy, decentralised reality of interdomain routing.
The hardest pressure comes when the complainant is morally sympathetic. A phishing victim, a regulator facing public harm, or a network suffering repeated attacks may be right that the holder's response is poor. Yet the registry's question remains narrower: is the abuse contact valid and current? Is the responsible party contactable? Are the records false? Was the resource obtained through fraud? Is there a competent order? Is a policy condition breached? If the answer is no, RIPE NCC can facilitate contact, document the issue and point to appropriate channels, but should be reluctant to convert frustration into resource penalties.
This restraint may seem unsatisfying. It is nevertheless cheaper than the alternative. Once the registry becomes a general behavioural gatekeeper, it must define bad conduct, measure evidence, handle defences, compare cases, build appeal rights, face claims of selective enforcement and carry the economic losses from mistakes. That is not a small expansion of support. It is a different institution.
Identity, fraud and contactability sit inside the perimeter
The strongest case for registry action is not abuse; it is identity. A ledger that cannot say who holds a resource, how that holder is represented and how that holder can be reached is not a ledger. RIPE NCC's due-diligence document states that the organisation performs controls before and after registration to keep registration data valid and up to date. It requires evidence that legal persons exist, that natural persons can be identified, and that representatives have authority. These are not optional formalities. They are the basis on which the rest of the system trusts the record.
Fraud is similarly inside the perimeter when it affects registration. If a party used falsified corporate documents, false identity papers, misleading need statements, fabricated network information or unauthorised transfer consent, the registry record is contaminated. Acting on that contamination is not behavioural mission creep. It is ledger repair. The economic purpose is to prevent address space from being laundered through false identity, then sold to good-faith buyers or used to create bargaining leverage against the true holder.
Contactability is also inside the perimeter, but it should be treated carefully. A valid abuse mailbox and responsible contact are registry requirements because they reduce coordination costs. The public closure and deregistration procedure refers to data that must allow RIPE NCC to contact the responsible party within a reasonable time, and to a valid abuse-mailbox attribute when referenced. That gives RIPE NCC a legitimate basis to require correction when contacts are missing, invalid or repeatedly inaccurate. It does not give a blank cheque to punish a holder because the complainant dislikes the quality of the answer. A valid contact can be unhelpful. An unhelpful answer can be commercially or morally unattractive. It is not necessarily a registry defect.
The distinction can be expressed as a practical test. Can RIPE NCC verify the problem using registry facts, contractual documents, account data, policy criteria and direct contact attempts? Can the member cure the defect by correcting records, proving identity, restoring contractual standing, updating contacts or supplying missing evidence? Does the remedy improve the ledger rather than punish unrelated conduct? If yes, the issue is probably inside the perimeter. If the proposed remedy is to take resources away because a third party alleges harmful behaviour, the issue is probably outside unless the behaviour proves fraud, false records, policy breach or a legal obligation binding the registry.
This test also protects the market. Buyers, lenders and operators need confidence that registry records mean something. If false identities can persist indefinitely, address markets become markets for risk. If unreachable holders can ignore records, the cost of coordination rises for everyone. If fraudulent requests are not unwound, the scarcity value of IPv4 rewards deception. Firm due diligence therefore supports liquidity. The problem is not strong identity control. The problem is letting identity control become a vehicle for unrelated accusations.
A narrow identity perimeter should be procedural, not discretionary theatre. RIPE NCC should specify what evidence is required, what defect has been found, what record must be corrected, what deadline applies and what happens if the member cures it. The more the issue turns on external conduct, motive or private facts outside the registry's competence, the more the registry should seek a court order, an arbitral route, a clear policy hook or a limited status note rather than a resource penalty. Identity is a gate. It should not become a trapdoor.
Sanctions and court orders are different from private pressure
Legal compulsion belongs in a different category from private pressure. RIPE NCC is based in the Netherlands and must comply with applicable law. Its public materials include sanctions transparency reports and procedures for handling requests, orders and investigations from law-enforcement authorities. Its closure and deregistration document states that if a Dutch court orders deregistration of specific resources, RIPE NCC must and will comply. Those are not discretionary efforts to shape member behaviour. They are constraints on the registry as a legal person.
The economic boundary here is still important. A sanction or court order is an external legal act with an identifiable authority, scope and challenge path. A private complaint is not. If a bank, competitor, customer or foreign claimant asks RIPE NCC to freeze a record without a binding order, the request may look similar in practical effect, but it is not similar in legitimacy. The registry should be extremely cautious about giving private pressure the same effect as law.
Sanctions also show why transparency matters. A registry serving a region that includes Europe, the Middle East and Central Asia will face geopolitical pressure. Some members operate in jurisdictions under sanctions. Some have owners, directors, customers or counterparties that are sensitive. Compliance screening can create hard cases: a false positive, a beneficial-ownership question, a newly listed party, a delisted party, a resource holder with lawful subsidiaries, or a member that can receive limited services but not others. The boundary should be written in terms of legal obligation and service limitation, not moral condemnation. The registry should explain what action was legally required, what services are affected, what evidence can cure the issue and what remedy exists if the classification is wrong.
Court orders pose a similar design challenge. A court order can require action, but the registry should still map the order to the record with precision. Is the order directed at the holder, the resource, a transfer, a disclosure, a freeze, or a deregistration? Is it from a competent court for RIPE NCC's purposes? Does it require immediate action or preservation of status pending litigation? Does it affect all resources of a member or only a named block? Precision reduces collateral damage. It also limits the incentive for litigants to seek overbroad orders because they know the registry will not expand the order beyond its terms.
Private disputes, by contrast, should normally remain private disputes until translated into a competent legal instrument or a record defect. A buyer who alleges breach of a transfer agreement may have a claim. A creditor who says addresses belong to an estate may have a claim. A former director who says a signature was unauthorised may have a claim. RIPE NCC can preserve evidence, require proof of authority for registry updates, refuse to complete a transfer without clear consent, or observe a court order. It should not decide the underlying ownership fight unless the question is directly a registry qualification issue and the procedure gives the parties a fair path.
The broader economic principle is that legal compulsion should be costly to obtain and clear in scope. That cost filters weak claims. If RIPE NCC offers comparable relief through informal pressure, the filter disappears. The registry then becomes a cheap substitute for litigation, and scarce address space becomes the prize in a race to the registry desk.
Abuse complaints need contact accuracy, not resource punishment
Network abuse is the area where the public most often wants a stronger registry hand. Spam, phishing, malware hosting, scanning and fraud cause immediate harm. The victim sees an IP address, finds a registry record and expects the institution named in the record chain to stop the abuse. RIPE NCC's public support page draws a line: it can help find the relevant network contact, and its role is to ensure that abuse contacts are valid and up to date; the network operator is responsible for handling the report. That is the correct default.
The economics are straightforward. Abuse is usually produced by end users, compromised machines, customers of hosting providers, resellers or criminal infrastructure that moves across networks. The registry often lacks the facts needed to identify the actor, assess the operator's knowledge, judge the adequacy of mitigation, or weigh competing evidence. A resource penalty against the holder may punish the wrong party. It may also create perverse incentives. Operators might hide details, avoid voluntary transparency or reduce service to high-risk customers in ways that harm legitimate users. Complainants might use abuse reports to disrupt competitors.
This does not mean the registry has no role. It can require a working abuse contact. It can check whether the responsible organisation in the record is real and reachable. It can encourage better record hygiene. It can provide tools that point complainants to the relevant operator. It can collect evidence that a member repeatedly maintains invalid contacts. If invalid contact information becomes a registry defect, then registry action is appropriate. But the action should target the defect: update the contact, prove contactability, correct the organisation record, or face consequences tied to inaccurate records. The action should not be framed as punishment for spam unless the spam evidence also proves a registry breach.
This boundary protects victims as well as members. If RIPE NCC promises more than it can deliver, abuse reporters will spend energy in the wrong place. They may delay contacting the operator, hosting provider, registrar, payment intermediary, national cybercrime unit or court. A registry that clearly says "we can help you find and validate the contact; we do not run the network" reduces false expectations and speeds the case to the party that can act.
The hardest cases are repeated non-response. A valid mailbox that never answers is frustrating. Yet non-response is not the same as invalidity. The registry can measure validity: does the mailbox exist, accept mail and correspond to the registered resource? It cannot easily measure adequacy: did the operator investigate, did it act quickly enough, did privacy law limit disclosure, did the report contain useful evidence, did a customer dispute the allegation? Turning adequacy into a registry duty would require a standard of abuse handling across all members and end users. That may be a public policy debate, but it is not a simple extension of registry maintenance.
There is room for a middle category: signalling without punishment. RIPE NCC could, where policy permits and after defined procedure, mark contact-validation status, provide clearer support paths or record that contact data has failed verification. Such signals should be factual, dated, curable and limited to registry data. They should not call a network abusive, nor imply guilt in a private dispute. In a scarce market, even a note can move price. The note should therefore describe the record condition, not the morality of the holder.
Routing incidents should trigger correction, not moral licensing
Routing is tempting because it is visible, technical and close to the resource. A route leak can put traffic in the wrong place. A hijack can be theft in operational form. A mismatch between registry records, RPKI data and BGP announcements can suggest neglect or worse. RIPE NCC has routing-related services and public pages that encourage consistency, including routing registry information, RPKI and assisted registry checks. It can help members find mismatches between records and observed announcements. But the enforcement boundary remains necessary.
BGP is a decentralised system of assertions, filters, trust relationships and mistakes. A prefix may be announced by an unexpected AS because of a customer cone, a reseller relationship, a temporary mitigation, a route server issue, a stale entry, an unauthorised leak, a compromised router or a deliberate hijack. The registry record is one piece of evidence. It is not the whole case. If the registered holder says the announcement is authorised, the registry may still have to check whether the holder is real and contactable. If the holder is unreachable or the records are false, the issue is inside the perimeter. If the holder is reachable and says the route is a commercial arrangement, the registry should be careful not to turn into a routing court.
RPKI sharpens but does not eliminate the problem. A ROA can state which origin AS is authorised for a prefix. A missing, stale or invalid ROA can affect routing decisions by networks that use origin validation. Yet RPKI is a security and routing-authorisation tool, not a complete conduct code. A member may fail to create a ROA because of operational caution. It may create one incorrectly. It may delegate certification. It may be in transition. RIPE policy has also continued to evolve around RPKI functions, including accepted changes for revoking persistently non-functional delegated certification authorities after defined notice. That kind of policy-linked revocation is different from ad hoc punishment for a routing incident. It has a specific technical trigger and procedure.
The registry's proper role in routing incidents is evidentiary and corrective. It can verify whether the resource holder is the party in the registry. It can help correct route records, maintainers, reverse DNS and contact data. It can offer tools for consistency checks. It can notify the holder of observed anomalies. It can cooperate when a competent authority or valid procedure requires action. It can preserve a record that an update was requested or rejected. It should not automatically decide that an observed BGP event proves forfeiture of resources.
An economic reason reinforces this restraint. Routing disputes are often time-sensitive. If a registry penalty becomes a standard remedy, parties will seek registry intervention during live incidents to gain operational leverage. A complainant may ask for a transfer hold while a hijack allegation is still contested. A network may ask for a warning note that scares peers away from accepting the route. A seller may face a discounted offer because a buyer says the routing history is risky. These outcomes may be justified in clear fraud cases, but not as routine responses to ambiguous incidents.
The better boundary is a ladder. First, establish contactability and record accuracy. Second, notify the holder of the observed inconsistency. Third, provide or point to tools for correction. Fourth, if the holder is unreachable, records are false, resources were obtained fraudulently or a defined policy condition is breached, move into registry enforcement. Fifth, if the dispute is about whether a commercial routing arrangement is authorised, require the parties to resolve it through contract, arbitration or court. The ladder preserves the registry's role without making it the licensor of all routing behaviour.
Transfers and closures are where discretion moves prices
The economic force of the enforcement boundary is clearest at transfer and closure. Transfers are the market-facing edge of the registry. A transfer does not merely update an administrative field; it enables scarce resources to change recognised holdership. RIPE NCC's public transfer page says that it authorises and facilitates transfers and that a transfer changes holdership from one party to another. Closure and deregistration procedures, by contrast, define the path by which membership or resources can lose registry standing. Together these functions shape liquidity, credit and continuity.
Any discretion around these points should therefore be treated as price-sensitive. A transfer delay can change a deal. A request for extra documents can reveal distress. A suspicion note can lead a buyer to renegotiate. A closure warning can trigger customer departures. A resource under possible deregistration may be unusable as collateral. A member whose transfer is blocked may lose the cash needed to fix the underlying problem. Because these effects are predictable, parties will try to use them strategically.
Consider a commercial dispute between a seller and a broker. The broker says it is owed a commission and asks RIPE NCC not to process a transfer until the invoice is paid. That is not a registry question unless the broker can show authority over the resource, fraud in the transfer, invalid consent, a court order or another record defect. If the registry holds the transfer because the claim sounds plausible, it has effectively granted the broker security over the address space. That changes bargaining power without the safeguards of secured-credit law.
Consider a failed acquisition. Two directors claim authority to sign transfer documents. Here the registry does have a role, because representation and consent are registry prerequisites. But the remedy should be limited: require evidence of authority, refuse to rely on disputed signatures, preserve the status quo where appropriate and tell the parties what legal instrument would resolve the question. The registry should not decide the broader corporate dispute unless its own procedural documents and evidence standard clearly allow a determination.
Closure is similar. Public procedures list reasons for termination and deregistration, including failure to follow policies, incorrect registration, non-compliance with arbitral rulings, insolvency events, falsified information, fraudulent requests and court orders. These categories are tied to the registry relationship. They are not a general catalogue of bad behaviour. The staged notice periods in the procedure are valuable because they give members time to cure, customers time to plan and the market a sense of sequence. A broad, vague power to terminate for reputational discomfort would destroy that value.
Commercial disputes should not be laundered through the registry
Commercial disputes are the natural enemy of a clean enforcement boundary. Address space sits at the intersection of service contracts, acquisitions, hosting relationships, reseller chains, finance arrangements and insolvency. When a deal fails, the registry record becomes attractive leverage. The party that can slow a transfer, cast doubt on authority or threaten continuity may gain more from registry pressure than from winning in court.
The registry should therefore treat private commercial claims as outside the perimeter unless they manifest as registry defects. A payment dispute is not a registry defect. A breach of a hosting contract is not a registry defect. A disagreement over who should bear renumbering costs is not a registry defect. A failed brokerage commission is not a registry defect. A claim that a counterparty misled customers may be serious, but it is not automatically a registry issue. The registry issue begins when the record is false, the consent is invalid, the resource was obtained fraudulently, the responsible party cannot be reached, the relevant policy condition is not met, or a competent order directs action.
This may sound formalistic, but it is the only way to keep the registry from becoming a private debt-collection forum. If RIPE NCC freezes resources whenever a plausible commercial claim is made, creditors will rationally skip slower remedies and go straight to the registry. That would lower their costs but raise the system's costs. Innocent customers would face uncertainty. Good-faith buyers would demand discounts. Members would need to disclose more private commercial material to defend routine updates. The registry would become a settlement venue for disputes it cannot properly investigate.
Insolvency is a special case because it can affect legal authority. If a member is liquidated, bankrupt, insolvent or no longer able to act through authorised representatives, the registry must know who can speak for the holder. Public closure procedures recognise insolvency events as relevant to termination in certain cases. But even there the registry's role should be to identify the legally authorised party and the effect on the registry relationship, not to decide creditor priorities. If an insolvency office or court provides a competent order, the registry can act. If creditors merely assert interests, the registry should require the appropriate legal instrument.
Mergers and acquisitions are another special case. RIPE NCC already requires documents for business-structure changes and transfers. That is appropriate because the registry must know whether the legal holder has changed. The danger is not document review. The danger is document review expanding into judgement about the business merits of a deal, the fairness of consideration or the motives of a seller. Those are market questions unless they show fraud or invalid authority.
The boundary can be protected by a simple refusal principle: RIPE NCC should not give a private party a remedy through the registry that the party could not explain as necessary to preserve accurate records, valid consent, policy compliance or legal obligation. If the requested action is mainly to pressure payment, punish a bad partner or gain bargaining leverage, it belongs elsewhere. The registry can say no while still inviting the party to return with a court order, arbitral ruling or evidence of a specific record defect.
That refusal principle is not hostility to complainants. It is protection for the market. A registry that refuses to launder commercial disputes through resource records makes the address market more predictable. Predictability lowers transaction costs, supports legitimate transfers and prevents the strongest complainant from becoming the temporary owner of the process.
Small members pay first when the boundary is vague
Vague enforcement is often defended as flexibility. In practice it is a tax on those with the least capacity to manage uncertainty. Large members can hire counsel, assign compliance staff, prepare document packs and wait. They can keep customers calm. They can replace disputed capacity. They can escalate through established channels. Small members may be one unresolved ticket away from losing a transit deal, a hosting customer or a buyer.
The asymmetry is not only financial. It is informational. A large operator often knows how RIPE NCC handles requests, what documents are expected and who can explain a status. A small operator may discover the rules only after a problem appears. If the enforcement boundary is written mainly in institutional memory, precedent and case-by-case judgement, the small operator faces a shadow rulebook. The result is not more justice. It is more bargaining power for those who know how to navigate the system.
This asymmetry changes conduct before any formal action is taken. A small member may settle a weak commercial claim because a complainant threatens to write to the registry. It may accept a lower transfer price because a buyer says the registry review risk is high. It may over-remove customers after abuse complaints because it fears being labelled uncooperative. It may avoid serving difficult regions or small resellers because the compliance risk feels unbounded. In each case, vague boundary design moves costs onto less powerful market actors.
Small-member protection does not require lower standards. It requires clearer standards. A small member should know what makes an abuse contact valid, what documents prove representation, what happens when a transfer is disputed, how long a hold can last, who reviews an adverse decision, and what facts are outside RIPE NCC's remit. The registry should be strict about false records and generous about explaining cure. It should be slow to infer bad faith from unfamiliar documentation and quick to distinguish missing paperwork from deception.
Economic fairness here is not redistribution. It is the avoidance of avoidable transaction costs. When procedure is clear, even a small member can comply. When procedure is vague, only scale can buy confidence. A registry serving an irreplaceable coordination role should not make scale the main defence against administrative uncertainty.
The boundary should be a set of negative powers
Institutions often define what they can do. For an irreplaceable registry, it is equally important to define what it will not do. Negative powers are commitments of restraint. They tell complainants, members and markets which requests will not be converted into resource penalties without a recognised trigger. They reduce opportunistic complaints by making the registry's refusal predictable.
A narrow enforcement boundary for RIPE NCC would include several negative commitments. It would not deregister or suspend resources merely because a third party alleges network abuse, unless the case also shows invalid contacts, false records, fraud, policy breach, a binding legal obligation or another defined registry defect. It would not freeze transfers merely because a creditor, broker or commercial counterparty claims money is owed, unless the claim affects authority, consent, record accuracy or is backed by a competent order. It would not decide whether a routing arrangement is commercially authorised when the registered holder is real, reachable and presents plausible authority; it would require the parties to resolve the claim externally. It would not treat reputation, public pressure or media attention as an independent ground for registry action. It would not use vague warnings where a factual status note would do.
These negative commitments would not leave RIPE NCC helpless. The positive powers remain strong: verify identity, require accurate records, check authority, validate contacts, implement accepted policy, process transfers, observe sanctions law, comply with court orders, run audits, correct registry defects, revoke or adjust services under defined conditions, and use staged notices for closure and deregistration. The difference is that each positive power would be tied to a registry reason.
Negative powers also discipline language. Public communications should separate "the holder has invalid registry contact data" from "the holder is accused of abuse". They should separate "the transfer lacks proof of authority" from "a party says the transfer is unfair". They should separate "a court ordered this action" from "a claimant requested it". They should separate "a resource certificate is revoked under a technical-policy condition" from "the network behaved badly". In scarcity markets, language becomes part of enforcement.
The registry could operationalise the boundary through trigger classes. Class one: identity and existence. Class two: authority and consent. Class three: policy eligibility and implementation. Class four: registry-data accuracy and contactability. Class five: fraud or falsified information affecting registration. Class six: contractual standing with RIPE NCC or a sponsoring LIR. Class seven: sanctions or other legal compulsion. Class eight: court or arbitral orders recognised by the relevant procedure. Class nine: technical registry services with defined technical triggers, such as certification or reverse-DNS conditions. Complaints outside these classes would receive contact guidance, preservation of relevant correspondence and a statement that external remedies are required.
Due process is an economic instrument, not decoration
Due process is often discussed as legitimacy. In registry economics it is also an instrument for reducing waste. Notice, evidence categories, cure periods, review paths and reasoned decisions lower the cost of uncertainty. They let members fix problems before value is destroyed. They let customers plan. They let buyers price risk. They let the registry distinguish genuine defects from strategic complaints. Weak procedure, by contrast, creates avoidable loss even when the final decision is correct.
The first design element is classification. Every adverse registry action should begin by classifying the issue: identity, authority, contactability, fraud, policy, sanctions, court order, arbitration, technical service condition, or external private dispute. Classification limits the remedy. A contactability problem gets a contact remedy. An authority problem gets a proof-of-authority remedy. A court order gets order-mapped action. A private dispute gets referral to external resolution. Without classification, remedies drift.
The second element is notice that states the record defect, not a cloud of suspicion. A member should not have to infer whether the problem is a bad abuse report, a disputed transfer, a sanctions match, a missing document or a false registration. The notice should say what fact is being relied on, what record is affected, what action is proposed, what evidence can cure it, what deadline applies and what will happen if the member does nothing. The stronger the economic consequence, the clearer the notice must be.
The third element is proportionality. Not every defect justifies the same response. A typographical error in contact data, a stale route record, a missing supporting document, a suspected forged signature and a confirmed fraudulent request are different. The remedy should preserve continuity where possible while protecting the ledger. A limited update block may be enough. A transfer hold may be necessary for disputed authority. A public warning may be justified only when a defined deregistration path has begun. Deregistration should be reserved for serious defects or failed cures under written procedure.
The fourth element is reversibility. Some registry actions can be reversed; others cannot fully be. A private note, a document request or a temporary hold may be reversible. A public warning may leave reputational residue. Deregistration, transfer completion and certificate revocation can have wider consequences. The less reversible the action, the higher the evidence standard and review requirement should be. This is not softness. It is loss control.
The fifth element is independent review. RIPE NCC has arbitration mechanisms for certain disputes and public information on arbiters. Review need not mean litigation for every case, but members should have a credible path to challenge classification, evidence and proportionality. Review is particularly important where the registry is acting under its own assessment rather than a court order. A registry that can impose scarce-resource consequences without meaningful review invites both error and strategic complaints.
Finally, timelines matter. Open-ended holds are economically expensive because they create option value for complainants and uncertainty for holders. A hold should have a defined reason, expiry or review date. If more time is needed, the registry should explain why. If an external claimant needs a court order, the registry can preserve the status for a short defined period only when necessary to avoid irreparable record harm, not as an indefinite favour to the claimant. Time is a remedy. It should not be granted casually.
A narrow boundary still leaves room for public safety
Critics of a narrow boundary may say it makes the registry blind to harm. That criticism misunderstands the design. A narrow registry boundary does not prevent public-safety action; it routes public-safety claims to the institutions with authority to act. Law-enforcement authorities can seek information, orders or other measures. Courts can order specific registry actions. Network operators can filter, disconnect, rate-limit, investigate and mitigate. Hosting providers can remove content. Payment providers can stop transactions. Incident responders can coordinate. The registry can maintain the reliable contact and holdership layer that lets those actions reach the right party.
There is a difference between enabling enforcement and being the enforcer. A clean registry enables enforcement by others. It gives courts, authorities, operators and counterparties a stable map. If the mapmaker becomes the police, the map is politicised. Parties begin to lobby the registry not just to correct the map but to change the terrain. That is how a coordination institution loses neutrality.
Public safety can even be harmed by overbroad registry enforcement. Bad actors can move faster than formal records. If enforcement focuses on resource holders rather than operational actors, innocent intermediaries may absorb losses while criminals move to other infrastructure. Overbroad penalties may discourage networks from registering accurate customer assignments or from cooperating with researchers, because visibility becomes liability. If every reported incident threatens the resource record, members have incentives to minimise recorded detail. A registry that focuses on accurate records encourages more useful information.
There are, of course, edge cases. A resource holder that repeatedly provides false information about network use to obtain resources is not merely a network with bad customers. It has attacked the registry. A holder that maintains unreachable contacts and ignores verification is not merely slow at abuse handling. It has weakened the ledger. A holder that defies a binding order cannot hide behind neutrality. A holder that uses fraudulent transfer documents cannot demand market certainty. The narrow boundary reaches all of these. It simply requires the registry to name the registry reason.
What the boundary should look like in practice
A practical enforcement boundary can be described through case handling. When a complaint arrives, RIPE NCC should first identify the requested registry action. Is the complainant asking for contact information, validation, a transfer hold, a database warning, suspension, deregistration, disclosure, certificate action or simply a response from the holder? Requests that do not seek registry action can often be handled through support guidance. Requests that do seek registry action need classification.
The next step is to ask whether the complaint alleges a registry defect. The words "abuse", "hijack", "fraud", "theft" and "breach" are not self-classifying. A phishing report may allege only bad customer conduct. A hijack allegation may allege a false route record or a stolen account. A fraud claim may allege forged transfer consent. A theft claim may allege that a former director lacked authority. The registry should translate the claim into record terms before acting: Which record is false? Which authority is invalid? Which contact failed? Which policy condition is breached? Which order applies?
Then comes evidence. Registry evidence includes account records, signed agreements, corporate documents, identity checks, authorisation records, registry history, contact-validation attempts, transfer forms, audit correspondence, policy criteria and competent orders. External technical evidence can be useful, but it should be mapped to a registry question. A BGP collector showing an unexpected origin is evidence of a routing event. It is not, by itself, evidence of invalid holdership. Screenshots of spam are evidence of abuse. They are not, by themselves, evidence that the registered contact is false. A court order is evidence of legal compulsion, but the registry still must map its scope.
The remedy should be the narrowest action that protects the ledger. If contact data is invalid, require contact correction and validation. If authority is disputed, pause the affected update while the parties supply authority evidence or a court order. If identity is false, suspend the account path needed to prevent further false updates and begin the defined correction or closure procedure. If a transfer request is fraudulent, reject it and consider the consequences for the submitting party under the relevant procedure. If a routing inconsistency is observed, notify and assist before treating it as a breach. If a private dispute lacks a registry defect, decline registry enforcement and point to external remedies.
Public status should be used sparingly. A database note can protect third parties, but it can also harm the holder. The default should be private notice unless public reliance on the record would be materially misleading. When a public note is justified, it should say something like: "RIPE NCC has initiated the defined deregistration procedure for this resource; see status date." It should not say: "This network is abusive" or "This holder is under investigation" unless a public legal order or policy framework specifically requires such wording. Facts, dates and procedure protect users better than insinuation.
The test is whether the ledger is being protected or used
The simplest way to police the boundary is to ask whether the proposed action protects the ledger or uses the ledger. Protecting the ledger means ensuring that records are true, contacts work, resources are held by eligible and identifiable parties, transfers have valid consent, policies are implemented and legal obligations are observed. Using the ledger means applying pressure through records to change behaviour that the registry is not institutionally designed to judge.
This test does not solve every case, but it reveals the economic stakes. If a spam victim asks RIPE NCC to identify the abuse contact, the ledger is being used for its intended purpose: reducing search costs. If the victim asks RIPE NCC to deregister the holder because the holder did not answer quickly, the ledger is being used as punishment for behaviour. If a buyer asks RIPE NCC to verify transfer authority, the ledger is being protected. If the buyer asks RIPE NCC to delay a transfer because the seller is negotiating with someone else, the ledger is being used. If an authority presents a binding order, compliance protects the registry's legal standing. If a private actor invokes political pressure without an order, the ledger is being used.
The test also clarifies the role of uncertainty. When facts are uncertain, the registry should preserve the record condition, not maximise leverage. A short, defined pause to verify authority may protect the ledger. An open-ended hold to encourage settlement uses the ledger. A notice requiring updated contact evidence protects the ledger. A vague threat tied to an abuse allegation uses the ledger. A warning statement after a defined deregistration procedure begins protects reliance. A reputation note before facts are established uses the ledger.
Economic institutions are often judged by what they refuse to do. A central bank that finances every fiscal wish ceases to anchor money. A land registry that changes title on rumours ceases to reduce transaction costs. A securities depository that freezes assets for private complaints without legal basis ceases to support markets. A Regional Internet Registry that treats scarce number resources as general-purpose leverage risks the same institutional drift. Its value lies in being boring, predictable and hard to capture.
RIPE NCC's challenge is sharper because it sits between technical coordination and private value. The resource record is not a packet filter, but it influences packets. It is not a title deed in the ordinary property-law sense, but markets price it like a scarce entitlement. It is not a court register, but court orders may flow through it. It is not an abuse desk for the Internet, but abuse reporters depend on it to find contacts. The institution must therefore be both useful and restrained.
The enforcement boundary should be written for stress, not for easy cases. Easy cases already sort themselves. The hard cases come with angry victims, scarce assets, political pressure, incomplete documents, cross-border parties and urgent routing facts. In those moments, broad discretion feels efficient. Over time it is expensive. It invites strategic complaints, chills transfers, raises compliance premiums, hurts small members, politicises records and pushes RIPE NCC toward a role it cannot perform with confidence.
The better answer is not passivity. It is a narrow, explicit perimeter around an irreplaceable ledger. Maintain the record. Verify identity. Demand valid contacts. Reject false documents. Implement policy. Obey binding law. Preserve evidence. Provide clear notices and review. But do not turn every complaint about behaviour into a claim on the resource record. In the economics of Internet number resources, that boundary is not a technical footnote. It is the difference between a registry that lowers transaction costs and a registry that becomes the cheapest weapon in the market.

