RIPE NCC shows why IPv4 leasing became a serious market workaround once registry allocation logic stopped matching operator demand: the official ledger remains essential, but use, risk and capital now move through contracts, routing signals and temporary control structures that the registry cannot safely ignore.
Article
The workaround that reveals the institution
IPv4 leasing is often described as a market niche beside the official registry system. That description is too small. Leasing is one of the clearest signals that operator demand has moved beyond registry allocation logic. It is what happens when networks still need address capacity, customers still expect IPv4 reachability, the remaining administrative allocation path offers only residual fragments, and permanent transfer is too costly, too slow, too capital-intensive, too uncertain or simply unnecessary for the job at hand.
RIPE NCC is the most useful mature case through which to examine the workaround. It is not an obvious failure case. It is a large, established and richly documented Regional Internet Registry serving Europe, the Middle East and parts of Central Asia. It is a not-for-profit membership association based in the Netherlands, the secretariat for the RIPE community, and the registry that maintains recognised number-resource records for one of the world's most complex Internet service regions. Its public materials describe a broad service bundle: registration, the RIPE Database, transfers, the LIR Portal, RPKI, reverse DNS, K-root, RIPE Atlas, RIPEstat, RIS, RIPE IPmap, country reports, meetings, learning and community support. Precisely because RIPE NCC is stable and competent, it makes the structural question harder to avoid.
The question is not whether RIPE NCC has failed. The question is whether a registry designed for allocation and record-keeping can remain a neutral ledger when IPv4 has become scarce, priced, leased, reputationally scored, routed through complex service chains and embedded in the balance sheets of network operators. A failing registry produces obvious risk. A mature registry produces a subtler test: how much of the market's risk is reduced by official procedure, and how much is created when the same procedure operates as gatekeeping over scarce operational capital?
The answer matters because leasing is not merely a commercial preference. It is a market reply to institutional mismatch. RIPE NCC's IPv4 run-out page says that the registry exhausted its remaining IPv4 pool in November 2019, after a final-/8 phase in which Local Internet Registries could receive one /22, or 1,024 addresses, and after a later phase in which smaller prefixes could be issued. The current waiting-list model allows eligible LIRs that have not yet received an IPv4 allocation to request a single /24 from future recovered space. A /24 can matter to a small network. It cannot satisfy a hosting expansion, a data-centre migration, a large enterprise rollout, a regional access build, a cloud footprint, a security service or a platform that needs many customers reachable on IPv4.
Once that supply reality is accepted, the leasing economy stops looking peripheral. It becomes one of the ordinary ways operators reconcile fixed address scarcity with continuing demand. A holder with surplus addresses may sell, lease, reserve, finance or contribute them to a corporate transaction. An operator without enough addresses may buy, lease, renumber, place customers behind CGNAT, adopt IPv6 where it works, or combine these strategies. The registry ledger remains vital, but it no longer describes the whole allocation of economic use. The registered holder may remain the same while the operational user changes. The asset may remain in one legal entity while revenue is generated through another. A contract may grant time-limited use without a permanent registry transfer. Routing authorisation, RPKI, IRR objects, reverse DNS, abuse contacts, geolocation records and reputation remediation may have to follow the lease even when the registry holdership field does not.
That is the shadow allocation economy. "Shadow" should not mean illicit. Many leases are ordinary commercial adaptations. The term describes a gap between official registered holdership and practical allocation of use. The registry sees one holder. The market may see a lessor, a lessee, an upstream network, a customer segment, a route-origin ASN, an abuse-response chain and a renewal risk. The address is still unique; what has changed is the layer at which use is assigned. In an exhaustion economy, this distinction is not cosmetic. It determines who can route, who is paid, who bears reputation damage, who responds to abuse, who creates ROAs, who controls reverse DNS, who can end the arrangement and who carries registry-facing liability.
RIPE NCC's own transfer policy contains a clue that the old binary is too small. The RIPE Resource Transfer Policies state that transfers must be reflected in the RIPE Database, that the original holder remains responsible until the transfer is completed, and that transfers can be permanent or non-permanent. In the case of a temporary transfer, the original holder re-assumes responsibility when the resource is returned. The policy is not a leasing code, and it should not be read as one. But the existence of non-permanent transfer language is important. It acknowledges that control over number resources can move for a time, not only forever. The market has gone further than the formal categories, but the principle is already visible: not every economically meaningful movement of use is a sale.
The institutional-economics frame is therefore straightforward. A registry is valuable when it records reality, prevents duplicate claims and makes legitimate use safer. It becomes dangerous when allocation-era concepts deny or obscure post-exhaustion reality. Official materials are useful as factual exhibits: they show the exhaustion date, the waiting-list mechanism, the transfer rules, the service agreement, the charging scheme and the policy process. They cannot be the final analytical frame, because institutions naturally describe their own discretion as necessary stewardship. The harder question is different: once IPv4 scarcity turns registry recognition into economic power, which market adaptations reduce risk, and which forms of registry control merely move risk into less visible places?
From allocation logic to operator demand
The RIPE NCC region inherited the normal RIR vocabulary: allocation, assignment, need, stewardship, conservation, policy, community and membership. This vocabulary made sense in the allocation era. When unallocated IPv4 still existed in meaningful quantities, a registry had to ration access. A Local Internet Registry could ask for addresses, show network plans, receive resources and record assignments. The registry's job was not only to keep the book accurate; it was also to administer a finite pool according to rules the community considered legitimate.
Exhaustion changed the bargain. After November 2019, RIPE NCC could no longer satisfy ordinary growth demand from new stock. It could distribute recovered addresses in small amounts through the waiting list, but the industrial supply problem moved elsewhere. Operators still needed addresses because customers still used IPv4, enterprise allowlists still contained IPv4 ranges, mail systems still attached reputation to IPv4 blocks, content platforms still geolocated IPv4, firewalls still used IPv4 rules, mobile and broadband providers still needed public address pools or NAT capacity, and many commercial relationships still treated IPv4 reachability as assumed infrastructure.
That demand does not wait for registry ideology to update. A hosting provider may need a /22 for a customer programme next month. A small ISP may need a /24 immediately to multihome. A security vendor may need clean addresses for time-limited monitoring or proxy infrastructure. A SaaS platform may need addresses that will not inherit bad mail or fraud reputation. A data-centre operator may need capacity in increments that do not justify buying a large block. An enterprise may want continuity without placing registry-facing exposure in the operating company that runs the service. These are not requests for the registry to create new supply. They are requests for the market to place existing supply into use.
This is where allocation logic starts to misfire. A needs test can be rational when a registry gives scarce common-pool resources to applicants at administrative cost. It is weaker when the parties are allocating already-issued resources through market prices, leases or corporate arrangements. A buyer or lessee has information the registry cannot easily possess: customer contracts, product timelines, geography, risk tolerance, capital constraints, reputation requirements, abuse controls and renewal planning. The fact that a firm is willing to pay market price or lease rate is itself a demand signal. It is not a perfect signal, but neither is a registry questionnaire.
Leasing emerged because it solves several mismatches at once. It lowers upfront capital needs. It allows capacity to match a contract term, migration window, pilot deployment or customer segment. It lets a holder monetise underused space without losing long-term optionality. It can keep registry interaction, RPKI administration, reverse DNS, abuse handling and reputation support with a specialist lessor. It can avoid a permanent transfer when the lessee needs use rather than recognised holdership. It can also let an operator test demand before committing to purchase.
None of this makes leasing automatically safe. A bad lease can be worse than a difficult purchase. If the lessor cannot prove authority, cannot create or maintain ROAs, cannot delegate reverse DNS, cannot handle abuse complaints, cannot clean reputation, cannot support geolocation corrections or can terminate unexpectedly, the lessee may discover that the cheap block was expensive. A private contract does not make BGP accept a route. A lease invoice does not clear a blocklist. A letter of authorisation does not override a stale ROA. A broker promise does not answer a registry query. Leasing is serious only when the private right of use is translated into operational signals that the rest of the Internet accepts.
That is why the RIPE NCC case is important. The region's official path is not hostile to transfers. RIPE NCC says it authorises and facilitates transfers of IPv4, IPv6 and ASNs, that a transfer changes holdership from offering party to receiving party, and that resource transfers are free of charge. But free administrative processing does not make the whole transaction costless. The real cost of a permanent transfer includes diligence, documents, waiting periods, sanctions screening, RPKI state, contract risk, legacy-resource treatment, timing, payment structure, warranties and uncertainty over what happens if something goes wrong.
Leasing is partly a price response to that cost stack. A lessee may prefer to pay recurring rent because the opportunity cost of capital is high. It may prefer a lessor who already knows the registry interface. It may prefer temporary use because the project is temporary. It may prefer risk to sit upstream because registry exposure inside the operating company is unattractive. LARUS's public leasing page is not neutral evidence; it is a commercial claim by an interested market actor. Yet it is useful as a market signal. It sells first-party IPv4 leasing, continuity assurance, registry-exposure placement upstream, routing validity, reverse DNS, abuse handling, geolocation support, support levels and renewal certainty. Such a product exists because customers are not buying only addresses. They are buying a structure around address use.
The lesson for RIPE NCC is not that it should endorse one commercial provider or accept every market claim. The lesson is that market products reveal the pain points of official architecture. If customers pay for registry-risk placement, the registry layer is perceived as a risk surface. If customers pay for renewal certainty, ordinary supply is perceived as fragile. If customers pay for RPKI, reverse DNS, abuse and geolocation support, the deployability of an IPv4 block is understood as a bundle, not a database line. A registry that wants accurate records should study these products as evidence of demand, not dismiss them as mere arbitrage.
What shadow allocation means in the RIPE region
Shadow allocation begins when the economic user of a block differs from the entity that appears as the registered holder. In a permanent transfer, registry holdership moves. In a lease, it may not. In a managed service, the provider may retain registry control while the customer uses addresses behind the provider's infrastructure. In a network partner arrangement, one party may own or hold the resources while another deploys them to customers. In a corporate group, one entity may keep the registry relationship while subsidiaries use the address space. In a sponsorship arrangement for independent resources, the sponsoring LIR may sit between the registry and the end user.
None of these structures is inherently deceptive. The Internet already operates through layers of delegation. A broadband provider gives addresses to subscribers. A cloud provider assigns addresses to virtual machines. A hosting company assigns addresses to servers owned by customers. An enterprise uses addresses through a carrier. A university delegates address use to departments. A content platform announces space through transit providers and route servers. The registry record cannot and should not capture every operational handoff.
The problem appears when the economically decisive handoff is invisible at the points where visibility matters. If the registered holder remains responsible but the lessee generates abuse, who answers complaints? If the lessee depends on a route through its own ASN but the holder controls RPKI, who creates the ROA and who removes it when the lease ends? If the lessor keeps reverse DNS authority, how quickly can records change? If reputation databases see old abuse history, who pays to clean it? If geolocation is wrong, who opens tickets? If sanctions, law-enforcement requests or registry checks arrive, who sees them and who has the right to respond? If the lease ends, who prevents stale IRR and ROA state from breaking the next user?
These questions show why "shadow" is not a moral category. It is an information category. The registry ledger can remain correct in the narrow sense while operational reality is distributed across private contracts. A good leasing market makes the relevant parts of that distribution visible to the parties that need to know. A bad leasing market hides responsibility until a route fails, an abuse complaint escalates, a payment dispute arises or a registry query exposes a mismatch between recorded control and actual use.
RIPE NCC's policy environment has some tools that could support a safer leasing economy. The RIPE Database is a public reference point for registration and contact data. Reverse DNS services help make operational use legible. RPKI allows resource holders and eligible parties to create machine-checkable route-origin authorisations. Transfer statistics provide visibility into permanent movements. Policy discussions are publicly archived. The registry already handles temporary transfers in principle. These tools reduce shadow risk when they are aligned with real use.
The danger is that registry categories lag behind market categories. A permanent transfer is easy to recognise. A lease may look like nothing if holdership does not move. A sponsoring arrangement may reveal some responsibility but not the whole commercial chain. A route object may reveal intended routing but not contractual authority. A ROA may show which ASN is authorised to originate a prefix, but not why or for how long. An abuse contact may work on paper while complaints still have to pass through several private parties. The registry cannot become a commercial lease registry for every arrangement, but pretending that leases are invisible does not make them safe.
The practical standard should be narrower. RIPE NCC should care about accuracy at risk-bearing points: recognised holder, delegated operational contact where appropriate, abuse responsiveness, routing-security authority, reverse-DNS authority, dispute status, transfer restrictions and continuity of registry services. It does not need to adjudicate every customer contract. It does need to keep the official layer from becoming so incomplete that the market routes around it with weaker private signals.
This is the central institutional challenge. A ledger that cannot see economically meaningful use will become less useful. A gatekeeper that tries to approve every business model will become more dangerous. The solution is not maximal visibility or maximal discretion. It is selective visibility at the points where hidden control harms third parties.
Temporary rights of use are not an aberration
The most important sentence in RIPE-807 for the leasing debate may be the one that says transfers can be permanent or non-permanent. It is easy to pass over. It should not be passed over. A non-permanent transfer means the policy framework already accepts that number-resource control can be time-limited. The original holder remains responsible until the transfer is completed, and in a temporary transfer re-assumes responsibility when the resource is returned. That structure is close to the economic logic of leasing, even if the policy text does not use leasing vocabulary as the organising frame.
Temporary use is economically rational in a scarce-resource market. A company may need addresses for a product launch, an event, a migration, a test environment, a seasonal service, a security operation, an interim expansion before an acquisition closes, or a bridge while financing is arranged. Permanent purchase would be inefficient. Waiting-list allocation would be too small or too uncertain. A permanent transfer could create future exit constraints, especially under the 24-month restriction for scarce resources. Leasing fits the need.
The old objection is that number resources are not supposed to be treated like property. But the market does not need perfect property vocabulary to create temporary rights of use. Commercial life is full of use rights that fall short of ownership: leases, licences, service contracts, hosting agreements, spectrum-use arrangements, IRUs, colocation terms, software subscriptions and infrastructure-as-a-service contracts. The important question is not whether a lease converts an IP address into land. It is whether the right of use is clear enough, operationally supported enough and recorded enough at the relevant control points to avoid conflict.
This is where RIPE NCC should be careful. If it treats leasing as a moral failure or an embarrassment, it will push the market into private opacity. If it treats every lease as if it must become a full transfer, it will force temporary demand into permanent structures that are too expensive or too slow. If it ignores leasing entirely, it will let private actors define the operational signalling layer without enough public discipline. The better approach is to recognise the category while keeping the registry role modest.
Recognition does not require the registry to price leases, approve rents, choose lessors or police business models. It could mean clearer guidance on non-permanent transfers. It could mean optional fields or processes for delegated operational contacts. It could mean better documentation on ROAs, reverse DNS and abuse contacts in time-limited arrangements. It could mean aggregate reporting on temporary transfers without exposing confidential commercial terms. It could mean a standard way to record that a resource is under a time-limited operational arrangement while preserving holder responsibility.
Such recognition would help all parties. Lessors would have clearer duties. Lessees would have a safer diligence checklist. Upstreams would know what signals to expect. Abuse reporters would know which contact chain matters. Registry staff would have fewer ambiguous tickets. The public Internet would get more accurate operational data. Most importantly, the official ledger would remain relevant.
The alternative is a two-layer world: formal registry records for holdership and informal private records for use. That world already exists to some degree. It is manageable when parties are competent and trusted. It becomes dangerous when price pressure brings in weaker intermediaries, when abused blocks are recycled without cleanup, when stale authorisations persist, or when a lessor's registry relationship fails. A mature registry should want less of that risk, not more.
Transfer friction and the leasing premium
Leasing competes with transfer. To understand leasing, therefore, one has to understand transfer friction. RIPE NCC's official transfer process is relatively transparent, but it still imposes real transaction costs. Transfers in the RIPE NCC service region can be submitted only by the offering LIR or by the sponsoring LIR of the offering End User. Resource holders are LIRs or End Users. Possible paths include LIR-to-LIR, End User-to-End User, LIR-to-End User and End User-to-LIR. Required documents include recent registration documents for legal persons, verified identity documents for natural persons, a transfer agreement signed by legally authorised representatives, proof of signing authority and, where the receiving party is an End User, an End User Assignment Agreement with the sponsoring LIR. RIPE NCC evaluates the request under applicable policies and procedures and checks the EU sanctions list; if either party is under sanctions, the request will not be approved.
These requirements are defensible. A registry should not update high-value records on thin evidence. A forged transfer can cause financial loss, routing confusion and legal disputes. Sanctions compliance is not optional for an institution operating under European legal obligations. Documentation checks protect the market by making recognised holdership more reliable.
But every defensible check still has a price. A buyer may wait while documents are gathered. A seller may have old corporate records or missing authority documents. A natural-person holder may face identity-verification friction. A sponsoring LIR relationship may have to be created or replaced. Sanctions screening may be routine for one party and existential for another. A broker may need to hold payment in escrow until the registry update is complete. A buyer may demand warranties against failure. Lawyers may add covenants around post-transfer support. A financing party may discount the asset until registration is complete.
The 24-month restriction adds a different kind of cost. RIPE-807 says scarce resources such as IPv4 and 16-bit ASNs cannot be transferred for 24 months from the date they were received, including where they were received due to a change in the organisation's business such as a merger or acquisition, while allowing further M&A transfers during that period. The RIPE NCC transfer guidance applies the same principle to IPv4 addresses and 16-bit ASNs. The rule may deter rapid flipping, speculative churn or policy gaming. It also reduces liquidity.
Liquidity restrictions can push parties toward leasing. A holder that cannot or does not want to transfer may lease. A buyer that does not want to tie up capital in a block that cannot move again for two years may lease. A company with uncertain demand may lease until the market, customer base or corporate plan is clearer. A lessee may prefer recurring expense to purchase because the restriction reduces exit optionality. In this sense, leasing is not only a workaround for scarce supply. It is a workaround for transfer-market architecture.
Inter-RIR friction has a similar effect. RIPE NCC's inter-RIR transfer page notes that each RIR has its own policy framework, that transfers between RIPE NCC and another RIR depend on what those frameworks allow, and that AFRINIC currently has no inter-RIR policy, meaning no resources can be transferred to or from that region through that channel. RIPE-807 also says that for transfers from RIR regions requiring receiving-region needs-based policies, recipients must provide a plan to use at least 50% of the transferred resources within five years. The addresses route globally, but recognised transfer is still filtered through regional policy compatibility.
When transfer across registry borders is hard, leasing and operational delegation become more attractive. A network may use addresses without changing the RIR of record. A provider may supply IPv4 capacity to customers outside the original registry region. A customer may care less about where the block is registered than whether it routes, passes filters, has valid ROAs, receives abuse support and remains available for the term. That does not make inter-RIR policy irrelevant. It means the market can separate operational use from formal registry transfer when transfer policy fails to match demand.
This separation creates both efficiency and risk. It is efficient because addresses can be used where demand exists without waiting for every policy border to align. It is risky because the registry ledger may no longer reflect the geography, user, abuse path or commercial dependency that matters. The mature answer is not to close every workaround. It is to ask why the workaround is attractive, then reduce the avoidable frictions that push legitimate use into opaque structures.
Routing, RPKI and the hard work of making a lease real
An IPv4 lease is not real in operational terms until the Internet accepts the route and the surrounding systems treat the address space as usable. The contract may be signed. The invoice may be paid. The lessor may have authority. None of that alone gets packets delivered. The lease has to be translated into signals: BGP announcements, route filters, RPKI ROAs, IRR objects, reverse DNS, abuse contacts, geolocation updates, reputation remediation and renewal controls.
RIPE NCC's RPKI service makes this translation more important. The RIPE NCC RPKI page describes a system launched in 2011 that allows LIRs to request digital certificates listing the Internet number resources they hold. It says RPKI offers verifiable proof that a holder's resources have been registered by an RIR and supports BGP origin validation. The practical meaning is that address use is no longer only a matter of human-readable registry data. It is increasingly a machine-validated routing claim.
That is good for security and difficult for leasing. If a lessee originates a prefix from its own ASN, the relevant ROA must authorise that origin. If the registered holder or certificate holder controls RPKI, the lessee depends on the lessor's competence and responsiveness. A stale ROA can make a legitimate route invalid. A missing ROA may be accepted by some networks but treated as weaker by others. A maxLength error can break more-specific announcements. When the lease ends, the ROA must be removed or changed. If the lessor sells the block, transfers it or loses access to certification services, the lessee's routing security can become hostage to an upstream event.
IRR objects create another layer. They are often used in route-filter generation and still matter operationally, even though the IRR ecosystem contains stale and unevenly authenticated data. A serious lease should specify who creates route objects, which database is used, how the objects align with RPKI, how stale records are removed, and what happens during a change of upstream ASN. Without that discipline, a customer can have a lease but still face route acceptance problems.
Reverse DNS is less glamorous but equally practical. Mail systems, enterprise controls, logging systems and customer applications may rely on reverse-DNS consistency. A lessee using addresses for mail or hosting may need specific rDNS names. If the lessor controls the delegation, service quality depends on the lessor's responsiveness. If the lease ends, records must change. Poor rDNS operations can turn a block into a support burden.
Geolocation is a further hidden cost. IPv4 addresses carry histories. Databases may believe a block is in one country when the lessee uses it in another. Content rights, payment systems, fraud controls, user experience and regulatory restrictions may depend on geolocation. A lessee may need correction support across multiple databases. This is not a registry function in the narrow sense, but it is part of deployability. A block that routes but is mislocated can be commercially impaired.
Abuse handling completes the operational bundle. The registered holder may receive complaints even when a lessee or downstream customer generated the traffic. A competent lessor needs a clear handling chain for notices, escalation, evidence, suspension, remediation and dispute. A competent lessee needs to know what conduct triggers termination, what notice is required, how false complaints are handled and whether downstream customers can be isolated without disrupting innocent users. A registry that receives persistent abuse complaints may care about contact accuracy and responsiveness even if it does not adjudicate every incident.
These details show why leasing is not merely "renting numbers." It is managed use of a scarce identifier with public routing consequences. The price of a lease should therefore reflect not only address count but operational reliability. LARUS's public materials list routing validity, reverse DNS, abuse handling, geolocation support, support SLA and renewal certainty as continuity controls. Again, that is a commercial presentation, not neutral adjudication. But it correctly identifies the domains in which leases succeed or fail.
RIPE NCC's reliability expectation sits behind all of this. The market expects the registry to keep the resource record stable, the RPKI service credible, the database available, transfer processes predictable and service changes properly communicated. A lessor can manage a lease only if the upstream registry layer remains reliable enough to support those operational signals. If registry reliability is strong, leasing can be orderly. If registry reliability is weak or discretionary, leasing becomes a risk-transfer mechanism rather than a pure efficiency tool.
Reputation is the hidden balance sheet
IPv4 addresses are not homogeneous commodities. A clean /24 and a polluted /24 are different assets. Registry policy may treat them as the same quantity of address space, but the market does not. Reputation affects mail deliverability, fraud scoring, hosting acceptance, VPN and proxy detection, payment systems, enterprise allowlists, content-delivery decisions and security responses. Leasing brings this hidden balance sheet to the surface.
A lessee may discover that a cheap block has bad history. It may be listed on spam blocklists. It may be associated with proxy abuse, bot traffic or previous fraud. It may have been geolocated incorrectly for years. It may carry stale reverse DNS. It may be distrusted by platforms that do not explain their scoring logic. It may be clean for one use and impaired for another. A lessor that offers only addresses without reputation support is selling a partial product.
This matters because reputation risk can move across parties. If the lessee abuses the block, the lessor's inventory is damaged. If the lessor provides dirty space, the lessee's business suffers. If the downstream customer creates the problem, both lessor and lessee may be caught in the middle. If the registry sees complaints but the records do not show the practical user, pressure may go to the registered holder. If the upstream provider filters a route, customers suffer regardless of the private contract.
A mature leasing contract allocates these risks. It should cover acceptable use, complaint handling, remediation duties, delisting support, geolocation support, rDNS controls, customer screening, termination rights, cure periods, evidence standards and end-of-term cleanup. It should also define whether the lessor warrants any level of reputation quality. Without such terms, the lessee may buy capacity but inherit unpriced liabilities.
The registry's role is narrower but still important. RIPE NCC should not become a reputation bureau. It should not decide whether a block is commercially clean. It should not police every downstream customer. But it should care that abuse contacts are accurate, that holders remain reachable, that the RIPE Database is not used to hide responsibility, and that operational authorisations do not linger after the underlying arrangement changes. Registry accuracy is not reputation management, but inaccurate registry data makes reputation management worse.
This is another reason shadow allocation should be made less shadowy. A public or verifiable operational-contact layer would not reveal every commercial term. It would show where operational responsibility sits. If a lessee runs a network under a time-limited arrangement, a validated abuse contact or role object can reduce delay. If the holder remains legally responsible to the registry, the holder can still be visible. The point is not to replace holdership. It is to reduce the cost of finding the party that can fix the problem.
Who bears liability when the registry layer is thin?
The hardest question in IPv4 leasing is not price. It is liability. When something goes wrong, who carries the consequence? The answer is rarely aligned with the place where control appears.
The registered holder carries registry-facing responsibility. The lessor may carry contractual duties to the lessee. The lessee carries customer-facing service obligations. The upstream provider carries routing and abuse discretion. The registry carries duties under its service framework and procedures. Relying networks carry route-filtering choices. Reputation databases carry their own private influence. No single document captures this whole chain.
The problem becomes sharper because registry contracts are not infrastructure insurance. RIPE NCC's Standard Service Agreement is a membership and service agreement. It incorporates the charging scheme and recognises amendment through General Meeting resolution without re-signing. The economic point is not to litigate the contract in an article. It is to observe the asymmetry: the registry record can affect high-value operational assets, while the formal service relationship is not built to compensate every downstream continuity loss that could follow from registry-layer disruption.
That asymmetry is central to participant arguments made by NRS, LARUS and Lu Heng. NRS frames IPv4 scarcity as the moment when registry discretion became economic power. Lu Heng's public notes argue more sharply that once IPv4 becomes capital-like, control and liability in the registry model become misaligned. LARUS turns the argument into a product claim: leasing from a first-party provider keeps registry-layer exposure upstream and gives the customer a continuity structure rather than direct registry proximity. Readers should treat these as participant arguments. They are not neutral proof. Their value is that they identify the risk-allocation question the official vocabulary tends to soften.
Direct holding can feel safer because the holder appears in the registry. It can also place registry-facing exposure inside the operating company whose customers depend on continuity. Leasing can feel weaker because the lessee does not become the registered holder. It can also be safer if the lessor is better positioned to manage registry processes, RPKI, reverse DNS, abuse, reputation and renewal. The correct answer depends on the structure, not on the word "lease" or "ownership."
For a small operator, buying a block may require capital that should be used for network buildout. It may also require the operator to manage registry compliance, RPKI, abuse, reputation and transfer history. Leasing can preserve capital and place operational lifecycle management with a specialist. For a large operator, buying may be rational because long-term control and internal competence outweigh leasing cost. For a temporary project, leasing is obviously more efficient. For a company in a sanctions-sensitive or politically exposed environment, the registry-facing layer may be a serious risk surface. For a lessee with weak operational discipline, leasing may merely externalise abuse costs to the lessor until the arrangement collapses.
The registry should not choose among these business models. It should make each model less dangerous by making the ledger accurate and the service boundaries clear. If RIPE NCC remains a disciplined ledger, parties can allocate liability privately and price the risk. If it behaves as a discretionary gatekeeper, private contracts must price registry uncertainty as a major external risk. In the worst case, leasing becomes attractive not because it is efficient, but because it moves fear away from the operating company. That would be a sign of institutional failure.
Membership incentives after exhaustion
RIPE NCC's membership model shapes the leasing market in indirect but powerful ways. Members pay the association, receive services, participate in General Meetings, vote on board elections and charging schemes, and may influence institutional activity through member channels. This is more accountable than a purely private vendor. It is less accountable than a public-law regulator. Its legitimacy depends on whether the membership mechanism actually disciplines registry power.
The RIPE NCC Charging Scheme 2026 keeps the annual contribution at EUR 1,800 per LIR account, continues a EUR 75 charge for independent number resource assignments, continues a EUR 50 charge for ASN assignments and sets a EUR 1,000 sign-up fee. It also says members vote each year at the General Meeting on returning excess paid fees or shortages through redistribution. These are ordinary association facts. They become economically significant after exhaustion because membership is not only club participation. It is the price of maintaining a recognised relationship with the registry layer that supports scarce resources.
A flat fee has different meanings across the RIPE NCC service region. For a large European incumbent, EUR 1,800 per LIR account may be negligible. For a small operator in a lower-income or conflict-affected market, it may be material. For a holder with surplus IPv4, the fee may be a carrying cost on a valuable asset. For a leasing business, it may be part of the cost of maintaining inventory and registry-facing capability. For an end user with sponsored resources, the cost may be embedded in a sponsoring relationship.
Membership incentives can affect leasing in several ways. A holder may lease rather than sell because holding costs are manageable relative to recurring income. A firm may maintain multiple LIR accounts or consolidate accounts based on transfer restrictions, fee structure and operational convenience. Smaller operators may prefer leasing if direct membership and compliance overhead feel disproportionate. Fee disputes can become proxy fights over institutional scope: should mandatory contributions fund only core registry functions, or also measurement platforms, events, training, outreach and community infrastructure?
Lu Heng's public note on the cost of running RIPE NCC presses that question aggressively. It argues that the core mandate is narrow -- registration database, number-resource administration and RPKI -- and that conferences, travel, training, measurement platforms and community infrastructure should not be bundled into compulsory fees. One need not accept the budget arithmetic or the proposed cuts to see the institutional point. In a scarcity economy, a mandatory fee on the registry relationship is not a mere club subscription. It is a charge on access to the recognised ledger. The broader the compulsory bundle, the more important scope discipline becomes.
RIPE NCC can reply that many non-core services create public goods. RIPE Atlas, RIPEstat, RIS, meetings and training can improve the health of the Internet. That is a reasonable argument. But it does not end the economic debate. Public-goods value does not automatically justify compulsory bundling. A mature membership association should be able to explain which services are essential to ledger reliability, which support the community, which should be funded by voluntary sponsorship, and which should be optional. The leasing market will price not only the formal fee, but the perceived discipline of the institution that charges it.
Membership incentives also shape policy attention. Holders with large IPv4 inventories have different interests from new entrants. Leasing providers have different interests from buyers. Large incumbents have different interests from small access networks. Sponsoring LIRs have different interests from End Users. Policy regulars have different incentives from silent members. A rule that looks neutral in an archive can redistribute value among these groups.
That does not make RIPE NCC's membership model illegitimate. It makes it incomplete as a source of market authority. Member votes and General Meetings can discipline fees and governance. They cannot by themselves prove that every policy affecting leasing, transfer friction or resource use reflects the interests of all affected operators and customers. The more IPv4 leasing grows, the more RIPE NCC must treat membership governance as one accountability channel, not as a substitute for economic impact analysis.
Policy-list culture and the cost of attention
RIPE's policy culture is one of the strongest features of the RIPE ecosystem. The RIPE Policy Development page says policies are developed through a long-established, open, bottom-up process of discussion and consensus-based decision making. Policy development happens at RIPE Meetings and RIPE Working Group mailing lists. Meetings and working-group lists are open to everyone, mailing lists and working-group minutes are publicly archived, policies are formally documented and publicly available, and a person does not need to be a RIPE NCC member or meeting regular to propose a policy.
This openness matters. It prevents policy from being purely managerial. It creates a public memory. It gives technical participants and affected parties a place to object. It distinguishes the RIPE community from RIPE NCC as the secretariat and membership association. It makes the policy list a source of legitimacy.
The same culture has a weakness: attention is scarce. A small operator cannot follow every thread. A non-native English speaker may hesitate to argue. A resource holder may not know that a proposal will affect asset liquidity until implementation. A lessee may not even know which list matters. A broker may follow policy more closely than the customer whose network will depend on the outcome. A large incumbent or policy specialist can participate repeatedly while smaller actors ration time.
After exhaustion, this attention problem becomes economic. In the abundance era, a mailing-list rule about allocation criteria might affect future eligibility. In the scarcity era, a rule about transfers, temporary use, RPKI, resource certification, contact requirements or registry checks can affect asset value, lease structures and continuity risk. Silence on a list does not necessarily mean informed consent. It may mean fatigue, ignorance, language barriers, small-company time constraints or the belief that the outcome is already shaped by regular participants.
The policy process therefore needs a different kind of discipline for market-shaping rules. Proposals affecting scarce resources should identify likely economic effects: liquidity, transfer timing, leasing incentives, small-operator burden, registry workload, data quality, RPKI consequences, abuse handling and risk of pushing activity into opacity. Consensus should still matter, but economic impact should be explicit. Otherwise, a formally open process can create rules whose market consequences are understood only after operators start designing around them.
The leasing issue is a good example. If the community treats leasing as a footnote, policy may ignore the operational reality. If it treats leasing as suspicious, it may push the activity underground. If it treats leasing as normal but unbounded, it may miss abuse, stale routing and accountability risk. The policy list is capable of a better answer, but only if the subject is framed as infrastructure economics rather than moral argument.
Registry reliability as a market product
RIPE NCC does not sell IPv4 leases. Yet registry reliability is one of the main inputs into the leasing market. A lessor with good inventory is still exposed to registry service reliability. A lessee with a good contract is still exposed to the lessor's registry-facing status. A route can depend on RPKI. A transfer can depend on accurate records. An abuse complaint can depend on reachable contacts. A time-limited arrangement can depend on clear end-of-term cleanup. The registry's performance becomes part of the product even when the contract is private.
This is why the ledger-versus-gatekeeper distinction matters. A ledger produces certainty. It verifies authority, keeps records accurate, prevents duplicate claims, publishes useful data, supports routing security, records legitimate transfers and isolates disputes. A gatekeeper produces uncertainty when it uses record-keeping leverage to judge business models, slow legitimate movement, expand institutional scope or impose unclear requirements. The same action can look like either one depending on precision and proportionality.
Consider sanctions screening. RIPE NCC's transfer guidance says it checks the EU sanctions list and will not approve a transfer if either party is under sanctions. That is a legal necessity. It is also a transaction risk. The ledger role is to state the rule clearly, apply it consistently, inform parties of status within lawful limits and isolate the consequence to the affected transaction where possible. The gatekeeper risk would be vague or expanding uncertainty that makes lawful parties overpay for fear.
Consider Assisted Registry Checks. Public Lu Heng notes point out that real RIPE NCC processes are procedural and cooperative, unlike phishing emails that exploit fear of authority. Data-quality checks can strengthen the ledger if they help members keep records accurate. They become gatekeeper-like if members perceive them as open-ended threats to operational continuity. The registry should make its limits visible, not only its powers.
Consider RPKI. RIPE NCC's RPKI service supports secure routing by letting holders certify resources and manage ROAs. That strengthens the ledger. It could also become a market choke point if service eligibility, certificate revocation, delegated CA rules or terms changes are poorly communicated. A leasing market needs confidence that routing-security state will not be disrupted unpredictably.
Consider transfer statistics. RIPE NCC publishes transfer data, which helps the market see approved movement. That strengthens the ledger. But approved transfers are only the visible side. The market also needs aggregate visibility into friction: delays, restriction-related failures, abandoned requests, sanctions-related blocks, inter-RIR timing and temporary-transfer usage. Without such data, participants price uncertainty from anecdotes.
Registry reliability is therefore not only uptime. It is procedural predictability. It is the ability of market participants to know what the official layer will do before they commit capital. For leasing, reliability means a holder can promise the lessee that registry status, RPKI, reverse DNS, abuse contacts and policy exposure are manageable for the lease term. If the lessor cannot predict the registry, the lease becomes a risk bet.
The capital-efficiency case for leasing
IPv4 leasing persists because it is capital-efficient. This is not a moral claim. It is arithmetic. Buying a block converts a large amount of capital into a scarce operational input. That may be wise for a network with stable long-term demand and strong internal registry competence. It may be inefficient for a firm with uncertain demand, project-based need, limited financing or better uses for capital.
A /24, /23 or /22 can support revenue without requiring the operator to purchase permanent control. A startup hosting provider may prefer to lease while proving product-market fit. A regional ISP may lease during a rollout and buy later if demand stabilises. A security company may need clean addresses for a fixed campaign. A cloud provider may lease to bridge a customer cluster. An enterprise may lease to avoid the governance and registry exposure of direct holding. A holder with underused addresses may prefer recurring income to sale, especially if the block has strategic value.
Leasing also changes balance-sheet risk. Purchase concentrates risk upfront. Lease spreads cost over time. Purchase may create an asset whose value is exposed to registry policy, market price, abuse history and liquidity restrictions. Lease creates an operating cost and a renewal risk. The right choice depends on the firm's cash flow, tax position, customer commitments, technical competence and risk appetite.
The official registry system should not try to choose the optimal capital structure for each operator. It should make both purchase and lease safer. If transfer is efficient, predictable and bounded, operators that need permanent control will buy. If temporary use is recognised and operationally clean, operators that need use rather than ownership will lease. If both paths are clear, the market allocates capital more efficiently. If one path is obstructed, the other absorbs demand for the wrong reasons.
This is where RIPE NCC can create a confidence premium. If RIPE-region resources are perceived as easier to transfer, easier to certify, easier to support with accurate registry data and easier to use in well-structured leases, they should carry lower risk. If RIPE-region procedures are perceived as opaque, expensive in attention, exposed to member-politics swings or slow to recognise market reality, the premium will shrink. The registry does not set the price, but it affects the discount rate.
Capital efficiency also has a public dimension. A scarce address left idle because the holder wants optionality is economically different from the same address placed into temporary use with clean operational controls. The first preserves private option value while the market remains short. The second converts idle capacity into productive service without forcing the holder to sell. Leasing can therefore increase utilisation without pretending scarcity has disappeared. The condition is discipline: the use right must be clear, the routing authority must be clean, and the liability chain must be capable of absorbing failure.
What a safer leasing layer would look like
A safer RIPE-region leasing layer would not require RIPE NCC to become a commercial lease supervisor. It would require the registry, community and market to separate three functions.
The first function is holdership. The registry must know who is recognised as the resource holder, who has authority to transfer, who is responsible under the registry relationship, what restrictions apply and what services are available. This is the ledger's core.
The second function is operational delegation. The market needs a way to make time-limited use legible where it matters: route origin, reverse DNS, abuse contact, operational contact, geolocation support and end-of-term cleanup. Some of this can be handled through existing RIPE Database objects and RPKI practice. Some may need clearer guidance. The point is not to publish private lease terms. It is to show enough operational truth to reduce third-party risk.
The third function is commercial liability. Private contracts should allocate rent, term, renewal, termination, acceptable use, support levels, reputation remediation, abuse response, RPKI management, rDNS changes, geolocation tickets, downstream customer controls and indemnities. The registry should not write these contracts. But its policies should not make it harder for serious contracts to map cleanly onto operational reality.
Several practical improvements follow. RIPE NCC could publish clearer guidance on non-permanent transfers and how they differ from ordinary leases that do not move holdership. It could provide best-practice material on RPKI and reverse DNS in temporary-use arrangements. It could encourage validated abuse-contact chains where operational users differ from holders. It could publish aggregate data on temporary transfers and transfer delays. It could distinguish data-quality issues from business-model judgements. It could make clear that registry accuracy is the goal, not moral supervision of every commercial use of addresses.
The RIPE community could update policy discussions to include leasing as a normal scarcity response. It could ask whether any rule unintentionally pushes legitimate use into private opacity. It could preserve anti-fraud controls while avoiding language that treats commercialisation itself as suspect. It could identify minimum obligations for holders who delegate use: reachable contacts, routing-security hygiene, end-of-term cleanup and responsiveness to abuse.
Market participants also have duties. Lessors should not sell bare capacity while ignoring RPKI, rDNS, abuse, reputation and renewal. Lessees should not treat leased space as disposable. Brokers should not pretend that escrow and documents solve registry risk. Upstreams should require credible authorisation without making arbitrary demands. Buyers should understand when purchase is better than lease and when lease is a rational bridge. The shadow allocation economy becomes safer only when all parties stop pretending that the registry record is the whole operational story.
Watchpoints for the next two years
The first watchpoint is temporary-transfer practice. If RIPE NCC's non-permanent transfer language remains obscure while commercial leasing grows, the gap between formal policy and market practice will widen. Watch whether the community discusses temporary use explicitly and whether RIPE NCC publishes practical guidance.
The second watchpoint is RPKI dependency in leased space. As route-origin validation becomes more common, leases with poor ROA discipline will create outages. Watch whether lessors provide clear ROA management, whether lessees demand service levels, and whether stale authorisations become a visible source of disputes.
The third watchpoint is abuse and reputation. Scarcity raises the value of clean space and the cost of dirty space. Watch for more disputes over block history, delisting support, geolocation correction and downstream customer behaviour. A leasing market that ignores reputation will price itself into failures.
The fourth watchpoint is transfer friction. If permanent transfers remain predictable, leasing will serve genuine temporary and capital-efficiency needs. If transfer friction rises through documentation uncertainty, sanctions concerns, 24-month restrictions or inter-RIR incompatibility, leasing will absorb demand that would otherwise have settled through the official ledger.
The fifth watchpoint is membership scope. The charging-scheme debate is not separate from leasing. The carrying cost of registry relationships affects holders, lessors and small operators. If members increasingly view compulsory fees as funding activities beyond essential ledger functions, the legitimacy of the registry layer will be questioned through market behaviour as well as meetings.
The sixth watchpoint is policy participation. Leasing affects many parties that may not appear on RIPE lists: lessees, small hosting providers, enterprise customers, security firms, downstream users and holders who monetise quietly. If policy outcomes are shaped mainly by regular participants, silence may conceal market dissatisfaction until workarounds grow.
The final watchpoint is language. If RIPE NCC and the RIPE community describe leasing mainly as a problem, the market will hear hostility. If they describe it as a normal post-exhaustion use pattern with real operational risks, the market will hear maturity. Language will not decide the economics, but it will reveal whether the institution understands its role.
The conservative answer: make the shadow less shadowy
IPv4 leasing exists because the allocation era ended before operator demand ended. RIPE NCC's own facts make the point. The remaining official allocation path is a /24 waiting-list mechanism from recovered space. The meaningful growth economy is transfers, leasing, acquisitions, address-sharing, CGNAT, IPv6 where practical and private operational arrangements. The registry ledger remains essential, but it no longer contains the whole story of use.
That does not mean the registry should withdraw. It means it should become more precise. The ledger should verify holdership, preserve uniqueness, support routing-security signals, keep records accurate, record legitimate transfers and make responsibility findable. It should not pretend that every lease is a disguised policy violation. It should not try to approve every business model. It should not use allocation-era language to obscure the fact that temporary rights of use are now part of the market.
The phrase "shadow allocation" sounds darker than the best version of the practice needs to be. The shadow exists because formal records and economic use diverge. The answer is not to abolish every divergence. The Internet has always depended on delegation. The answer is to illuminate the risk-bearing points: who can authorise routing, who handles abuse, who manages rDNS, who maintains ROAs, who cleans reputation, who bears registry-facing responsibility, who can terminate use and who pays when continuity fails.
RIPE NCC can be a model here because it has the ingredients of a strong ledger: public policies, transfer statistics, RPKI, an open policy culture, member governance, database infrastructure and institutional continuity. It also has the incentives of a gatekeeper: compulsory membership fees, policy-list concentration, transfer restrictions, sanctions screening, service eligibility and a broad institutional scope. Leasing tests which side will dominate.
If RIPE NCC treats leasing as market feedback, it can reduce risk without expanding discretion. If it treats leasing as an embarrassment, the market will continue anyway, but with more private opacity. If it treats leasing as a reason to become a commercial supervisor, it will create more gatekeeper risk. The conservative answer is narrower: recognise temporary use, improve operational signalling, publish process data, keep fees disciplined, and make the official path more reliable than workarounds.
In the post-exhaustion IPv4 economy, certainty is the scarce service a registry can still provide. RIPE NCC cannot create abundant new IPv4 supply. It can make the use of existing supply safer, more legible and less hostage to institutional surprise. That is why leasing matters. It is not a footnote to the registry system. It is the market telling the registry what the registry has become.

