Summary
- Submarine-cable risk is usually described as physical capacity risk: a fibre pair is cut, a repair ship is delayed, a landing station is congested or traffic must take a longer path. That is only half the economic problem.
- For operators in the RIPE NCC region, resilience during a cable shock also depends on address continuity: whether portable IPv4, route-origin proof, RPKI and ROA state, reverse DNS, abuse contacts and customer-facing address identity remain coherent while traffic is moved.
- The RIPE NCC service region spans Europe, the Middle East and parts of Central Asia. The region includes over 75 countries, more than 20,000 LIR organisations and many networks whose international reach depends on Mediterranean, Black Sea, Baltic, Red Sea, Gulf, island and neighbouring-transit paths.
- IPv4 scarcity raises the cost of weak evidence. Since the RIPE NCC remaining IPv4 pool was exhausted in November 2019, portable address space has become a continuity asset rather than a disposable configuration detail.
- New cables, repaired cables, satellite backup, leased terrestrial backhaul, public cloud failover and IXP rerouting do not create resilience if counterparties cannot quickly believe who may originate the addresses and who will answer for them.
- Weak registry evidence is a crisis tax. It turns a cable incident into extra negotiations with upstreams, cloud platforms, exchange route servers, security desks, enterprise customers and mail or payments systems.
- RIPE NCC cannot repair cables, choose traffic routes or decide whether a landing market has enough competition. Its proper economic role is thinner and more important: maintain a ledger that protects uniqueness, accuracy and continuity before physical shocks arrive.
- The policy boundary is essential. Scarcity does not make a clerk a landlord, and cable fragility does not make a registry a traffic engineer. The registry should make continuity evidence reliable; it should not become a gate for cable economics.
A reroute plan begins with a registry file
The first desk to feel a submarine-cable fault is rarely the one imagined in public accounts. It is not necessarily a crisis room with a map of the seabed. More often it is an engineering and operations desk with a list of prefixes, upstream contracts, customer exceptions, cloud ranges, route filters, reverse-DNS delegations, firewall allowlists and tickets marked urgent. A cable is unavailable, a repair window is uncertain, latency is rising, and traffic must be shifted through a different country, exchange, carrier or cloud ingress. The question is not only whether a backup path exists. The question is whether the network can take its address identity with it.
This is why submarine-cable economics should not be reduced to capacity charts. A fibre cut removes or degrades a path. The immediate response is rerouting. Yet rerouting is not a mere act of pushing packets elsewhere. It is a claim made to many independent systems: this autonomous system may originate this prefix; this holder is still responsible for this address range; this reverse DNS remains under control; this public abuse mailbox still reaches the operating team; this customer's endpoint can be trusted even if the path now exits in another country; this backup route is not a hijack, a leak or a dubious leased arrangement. A cable failure tests these claims under time pressure.
For a large global carrier, some of that trust can be bought with reputation, staff and prior relationships. For a smaller access provider in a cable-dependent edge market, the registry file may carry more of the burden. The upstream may not know the company well. The cloud platform may not have a long commercial history with it. An enterprise customer may have strict change-control rules. A route server may rely on automated filtering. A security vendor may be suspicious of sudden origin changes. In each case, coherent address evidence lowers the cost of acceptance.
RIPE NCC is not a submarine-cable operator. It is not a repair contractor, traffic engineer, naval authority or landing-station regulator. Its importance lies elsewhere. The RIPE NCC service-region page records that its region is made up of over 75 countries and over 20,000 LIR organisations. Across that geography, the registry's records are consulted by networks that do not share the same law, language, risk appetite or commercial position. In a calm period, inconsistent records are an irritant. During a cable shock, they are a transaction cost imposed at the worst possible time.
The economic distinction is simple. Physical redundancy creates optional paths. Registry continuity makes those paths usable. A new submarine cable, a repaired cable or a terrestrial bypass can improve resilience only if the networks using it can preserve address authority and customer identity across the change. Without that evidence, spare capacity may exist in theory while being expensive, slow or risky to use in practice.
Physical capacity and address continuity are different risks
Submarine-cable investment is usually analysed through physical and financial categories: route diversity, landing-station choice, wet-plant ownership, repair-ship availability, permit delays, spectrum on a fibre pair, backhaul from the landing point, maintenance agreements and anchor or seismic risk. These are real constraints. Cable repair can be slow, marine work is specialised, and political or security conditions can make access to a fault complicated. But a network buying resilience is not buying only photons in glass. It is buying the ability to continue serving identifiable customers while the route changes.
Address continuity is the institutional counterpart to physical continuity. It means that the address range used by customers, servers, APIs, payment systems, mail platforms, VPNs, monitoring services and cloud workloads remains recognisable as it moves across alternative paths. It also means that the public evidence around that range remains coherent: holder record, origin authorisation, route policy, reverse-DNS delegation, abuse contact and history of legitimate use. When those layers align, a network can treat a backup route as part of a plan. When they conflict, the backup route becomes a negotiation.
The distinction matters because cable shocks are time-sensitive. If a main path fails and a network must move traffic through a different carrier, the new carrier may apply route filters. If the origin AS changes, RPKI state may change. If a more specific announcement is used to steer traffic around a congested path, filters may treat it differently. If cloud services are moved into another region, a bring-your-own-IP review may ask for evidence. If customer endpoints remain fixed while paths change, enterprise security tools may flag unexpected geolocation, latency or origin data. The cable fault begins under the sea, but the cost propagates through evidence systems above it.
This is also why a physical-resilience plan can fail without a visible network outage. Traffic may move, but at a higher price. Transit may be bought at emergency rates. Customers may accept degraded latency only after manual assurance. Cloud routes may be approved slowly. Mail reputation may be disrupted when reverse DNS is not aligned. Public-sector customers may require documentation that the same provider remains responsible after rerouting. The service continues, but the firm pays a tax in time, trust and operational attention.
The tax is uneven. Large carriers operate their own cable investments, multiple landing relationships, extensive peering and staff who can call the right desk. Smaller regional networks may depend on one or two upstreams, a single local landing ecosystem, a neighbouring country for international reach or a limited number of public-cloud on-ramps. For them, registry evidence is not decorative administration. It is a portable asset that lets them borrow trust across borders when a path fails.
IPv4 scarcity makes portable addresses a shock absorber
IPv4 scarcity has turned address continuity from a technical preference into a balance-sheet and customer-retention issue. The RIPE NCC IPv4 run-out page records that, in November 2019, the remaining IPv4 pool was exhausted. That fact is an exhibit, not a complete explanation. Its economic meaning is that networks in the region can no longer treat fresh IPv4 space as an easy substitute for messy evidence. If a provider's existing portable addresses are hard to use during a disruption, the fallback is not simply to get new ones.
Portable IPv4 is valuable in a cable shock because it separates customer identity from any single upstream. A provider that can originate its own addresses through another carrier has an option. A customer whose critical services sit on portable addresses can be moved with less reconfiguration. A small island network or landlocked provider can reroute through a neighbouring market without renumbering every dependent system. But portability is not magic. It works only when the outside world accepts the address story. Holder data, route-origin authorisation, route filters, reverse DNS and contact evidence must travel together.
If the record is weak, portable IPv4 can become less portable exactly when it is most needed. A backup upstream may reject the prefix because the ROA does not cover the planned origin. A route server may not accept the route set. A cloud provider may ask for more proof before importing the range. A customer may worry that the address range still appears tied to an old provider. A security desk may hesitate because the abuse contact points to a mailbox that was never updated after a corporate change. These failures may look like separate operational annoyances. Economically, they are the same defect: the option value of portable address space has been reduced by poor evidence.
The transfer market sharpens the problem. In a post-run-out environment, address ranges move through acquisitions, leases, brokered transactions, business failures and restructurings. A prefix that once served a university, hoster or access network may later support a cloud service, payment processor, logistics system or national ISP. Each new use increases the need for clean continuity. During ordinary times, old evidence can be cleaned slowly. During a cable shock, old evidence becomes a reason for counterparties to slow down or say no.
This is not an argument for the registry to police every commercial use of IPv4. Scarcity does not make a clerk a landlord. It is an argument for finality and accuracy within a narrow lane. The ledger should make clear who holds the resource, which contact surfaces are current, what origin authority has been created and how responsibility can be verified. The more expensive IPv4 becomes, the more damaging ambiguity becomes. A thin but reliable ledger preserves optionality. A thick and discretionary registry risks becoming a gate. A thin but careless registry leaves operators to buy trust under duress.
Route-origin proof is the language of emergency acceptance
Rerouting during a cable disruption is a test of route acceptance. A network may have a backup path on paper, but the route still has to be accepted by upstreams, peers, route servers and downstream customers. That acceptance increasingly depends on structured proof. RPKI and Route Origin Authorisations do not solve every routing problem, but they provide a common way to ask whether a particular autonomous system is authorised to originate a prefix. RIPE NCC's RPKI page describes the system as a way for LIRs to request a certificate listing the Internet number resources they hold and to manage Route Origin Authorisations. For cable-shock economics, the key point is not the slogan of security. It is the speed of belief.
In a normal change window, a mismatch between the planned origin and the ROA can be corrected through tickets, maintenance windows and coordination. In a cable emergency, the mismatch can be costly. Traffic that needs a new origin may be marked invalid by networks that perform origin validation. A more specific prefix announced through a backup carrier may not be accepted if the ROA maximum length is too strict. A temporary origin may be technically possible but commercially awkward if the registry and routing evidence still point elsewhere. The result is not always a total outage. Often it is a narrower path, slower acceptance, higher transit cost or manual exception.
The economics are about counterparty risk. Each network receiving a route asks, implicitly or explicitly, whether accepting it will create harm. A route with coherent origin proof imposes less review cost. A route with ambiguous proof forces the receiver to choose between operational urgency and filtering discipline. That choice is especially uncomfortable during a regional cable shock, when many networks may be changing paths at the same time. The more chaos in the control plane, the more valuable clean public evidence becomes.
Operators often think about RPKI in the language of hijack prevention. That framing is useful but incomplete. In the RIPE NCC region, where cable exposure can affect Mediterranean, Black Sea, Baltic, Red Sea and Gulf-adjacent traffic as well as landlocked networks dependent on transit through neighbours, route-origin proof is also an instrument of crisis liquidity. It lets a network convert pre-established evidence into faster acceptance when the usual path is impaired. A ROA is not just a security statement; under stress it is a credential used by many separate filters.
The same point applies to route registries and route sets. If a network's route policy is stale, inconsistent or maintained by a party no longer responsible for the service, emergency rerouting becomes a detective exercise. Upstreams will ask for letters, peers will ask for updates, and automated systems will refuse to guess. Registry evidence does not eliminate the need for human coordination, but it determines whether human coordination starts from trust or suspicion.
Reverse DNS and abuse contacts carry customer identity
Cable resilience is often measured by reachability and latency, but customers experience it through services. Mail must continue to deliver. VPNs must authenticate. Payment and fraud systems must recognise traffic. Support desks must know whom to contact. Monitoring systems must not interpret a planned failover as compromise. These functions depend on address identity as much as raw connectivity. Reverse DNS and abuse contacts are part of that identity.
The RIPE Database page states that the database contains registration information for networks in the RIPE NCC service region and contact details, and lists uses including accurate registration information, routing policy, operator coordination and reverse-DNS delegations. Again, the official wording is only an exhibit. The economic fact is that many external systems read these signals as clues about responsibility. If reverse DNS moves cleanly with the service, a customer-facing address remains legible. If abuse contacts reach the right team, security desks can handle complaints without escalating to commercial distrust.
During a cable shock, these details become more visible. A provider may move outbound mail through a different path, or a customer may shift a service to a backup site while retaining the same public addresses. If reverse DNS is stale, mail filtering may worsen just as communications are most important. If the abuse contact is wrong, reports of anomalies may go unanswered. If geolocation and routing history change at the same time as contact evidence looks weak, fraud systems may treat the traffic as risky. The result is a second-order outage: the packets pass, but the service loses standing.
This burden falls heavily on customer-facing providers. A wholesale carrier may measure success by restored capacity. An enterprise customer measures success by whether its users, suppliers and auditors see continuity. If a bank's disaster-recovery plan relies on fixed addresses, or a logistics provider's APIs sit behind allowlists, the address record becomes part of the resilience contract. A provider that cannot show coherent RDNS, contact and origin evidence is asking customers to accept undocumented change in the middle of a disruption.
There is a governance lesson here. Abuse contacts and reverse DNS should not be treated as minor clerical fields. They are part of the evidence bundle that lets other networks and customers distinguish planned continuity from suspicious movement. But the registry's role remains narrow. It should support accurate contactability and delegation; it should not decide whether every complaint proves a commercial failure. The right standard is not maximal intervention. It is reliable responsibility.
Landing concentration turns evidence quality into market power
Cable-dependent markets rarely have equal fallback options. A coastal capital may host multiple submarine systems and data centres, while a secondary city may depend on domestic backhaul to one landing cluster. An island economy may have two physically diverse routes on paper but limited practical competition in repair, landing access or international transit. A landlocked network may depend on carriers in neighbouring countries, with its international reach shaped by political borders and wholesale relationships. In such settings, address evidence can influence bargaining power during a shock.
When a main cable route fails, operators with clean portable address evidence can ask competing carriers for temporary or longer-term capacity without surrendering customer identity. They can present a prefix list, origin proof, RDNS control and contact file that make acceptance routine. Operators with weak evidence have fewer credible alternatives. The incumbent upstream may know that moving traffic elsewhere will be slow. A backup carrier may demand additional assurances. Customers may fear renumbering or service disruption. In this way, landing concentration and address ambiguity reinforce each other.
The RIPE NCC region contains many forms of this asymmetry. Mediterranean networks may face choke points between Europe, North Africa and the Middle East. Black Sea routes are shaped by geography and conflict risk. Baltic routes combine dense northern connectivity with heightened attention to subsea infrastructure. Red Sea and Gulf routes carry traffic through strategic corridors. Island economies have obvious dependence on submarine paths. Landlocked networks depend on neighbours for reach to the global market. These are not identical risks, and they should not be forced into a single geopolitical story. Their common feature is that physical diversity is unevenly priced.
Address evidence is one way to reduce that inequality. It lets a smaller provider show that it is not asking for charity or exception; it is asking for acceptance of a documented resource. It also helps customers distinguish a resilient provider from one that merely resells access through a dominant path. The provider with clean evidence can demonstrate that customer endpoints are not hostage to one physical route. That evidence does not create a cable, but it strengthens the commercial meaning of any backup path that exists.
Poor evidence has the opposite effect. It converts market concentration into dependency. A provider may own or lease addresses but still be unable to move them quickly. A customer may have paid for diversity but discover that the address layer was never prepared. A public body may require continuity but find that emergency routing depends on manual approvals from a carrier outside its control. The cable fault exposes a truth that existed before the fault: resilience had been bought at the physical layer but underfunded at the evidence layer.
Public cloud does not remove the address problem
Public cloud is often presented as a resilience answer. Workloads can move across regions, providers can advertise global reach, and enterprises can shift applications away from a local data centre. In a submarine-cable shock, cloud services can indeed absorb demand, provide alternative ingress and reduce dependence on a single facility. But cloud does not remove address continuity. It changes the counterparties that must be persuaded.
Many enterprises and service providers use fixed public addresses because customers, partners and security systems depend on them. Bringing those addresses into a cloud environment, or rerouting traffic to a cloud edge during a disruption, requires proof of authority. The cloud platform does not want to carry a dubious route or become responsible for a contested prefix. It may require holder evidence, route-origin state, letters of authorisation and contact alignment. If the registry file is clear, cloud becomes a practical fallback. If the file is unclear, the cloud becomes another review desk in the middle of a crisis.
Cloud reachability also depends on local paths. An island provider may host workloads in a European region but still need customers to reach that region through a congested or impaired submarine path. A Middle Eastern network may have cloud on-ramps nearby but face route changes through Gulf or Red Sea corridors. A landlocked enterprise may depend on neighbouring transit to reach the preferred cloud region. In each case, physical path diversity and address identity interact. The cloud can host the workload, but the addresses and routing evidence decide how cleanly users arrive.
There is also a bargaining issue. Large cloud providers have strong review systems and risk controls. Smaller networks need to fit into those systems rather than relying on personal familiarity. A coherent RIPE NCC record, matching RPKI state and working contacts make the network machine-readable to a platform. Incoherence forces manual review. Manual review is not neutral: it favours firms with staff, counsel, volume and prior commercial leverage.
This does not mean that RIPE NCC should adapt its ledger to every cloud product. The registry should not become a cloud-admission authority. Its task is more basic: make the evidence around number resources accurate enough that cloud platforms, carriers and customers can make their own decisions quickly. A thin ledger does not set the terms of cloud resilience. It makes those terms less arbitrary for networks that lack scale.
IXPs and enterprise endpoints are continuity surfaces, not the main plot
Internet exchange points matter during cable disruption because they provide places where routes can be shifted, traffic can be localised and alternative paths can be reached. Yet in this article they are not the main story. Routine peering turn-up, IXP admission and transit acceptance deserve their own analysis. In the cable context, IXPs are continuity surfaces. They are among the places where address evidence is consumed under stress.
Consider a provider whose usual international path is impaired and whose best short-term option is to increase traffic over an exchange fabric in a neighbouring market. The exchange may have route-server policies. Peers may filter based on IRR data, RPKI state or known route sets. The provider may announce more specifics to steer traffic away from congestion. Each action requires evidence that the route is legitimate and not a leak. If the evidence is clean, the exchange can act as a resilience amplifier. If not, the exchange becomes another point of friction.
Enterprise endpoints create a similar problem outside the routing community. Banks, airlines, hospitals, energy firms, ports and government services often treat IP addresses as part of their control environment. Supplier allowlists, remote-access rules, fraud controls, certificate inventories and monitoring systems may assume a stable address identity. A submarine-cable shock forces traffic to move while those assumptions remain. The operator must be able to say: the endpoint is the same, the holder remains responsible, the route-origin proof is valid, and the contact path is current.
Disaster-recovery plans often understate this step. They specify backup sites, alternate carriers, cloud regions and escalation trees, but leave address evidence as background administration. That omission is costly. If the emergency plan requires a new origin AS, a more specific prefix, a cloud import or a new upstream, the registry and routing evidence must be rehearsed before the event. Otherwise the plan is a document that assumes away the market's need for proof.
The lesson for operators is operational, but the institutional implication is broader. A common ledger lowers the number of private checks that must be performed during a crisis. It does not remove the need for contracts, route filters, exchange policies or customer approvals. It gives those systems a shared starting point. In a region as varied as RIPE NCC's, that shared starting point is a form of economic infrastructure.
Satellite and mobile fallback are narrow, not universal, substitutes
Satellite connectivity, microwave, emergency mobile capacity and leased terrestrial backhaul can play useful roles when submarine cables are impaired. They may carry management traffic, critical public services, remote sites or limited enterprise failover. For some island and remote markets, satellite can be the difference between degraded service and isolation. But it is not a general substitute for cable capacity, and it does not remove the address-evidence problem.
Satellite fallback often changes latency, throughput, upstream identity and traffic patterns. A network that moves selected services over satellite still has to preserve customer-facing addresses or explain why they have changed. If it uses NAT-heavy arrangements, enterprise customers may lose the direct endpoint identity they expected. If it announces portable space through a different provider, origin evidence must support that choice. If it uses provider-assigned addresses for emergency access, customers may face firewall and allowlist changes at the worst time.
Mobile fallback is similar. A mobile network can keep some users online when fixed or international paths are degraded, and mobile operators may have separate upstream arrangements. But mobile networks frequently use address sharing, carrier-grade NAT and private arrangements that are poorly suited to preserving enterprise endpoint identity. They are useful resilience surfaces, not replacements for well-documented portable address resources.
The danger is that fallback language can create false comfort. A board or public authority may hear that backup connectivity exists and assume continuity has been solved. The engineer knows otherwise. The backup path must carry the right addresses, pass the right filters, satisfy the right customers and leave enough evidence for outsiders to accept the changed route. If the backup path is only raw reachability, it may support messaging and coordination while failing to preserve the services that matter economically.
RIPE NCC's measurement tools can help observers see some aspects of reachability. RIPE Atlas is described as a global network of probes and anchors that measure Internet connectivity, while RIS collects BGP routing data. Those tools are valuable exhibits because they make routing and connectivity more observable. They do not, however, make an ambiguous address record coherent. Observation helps diagnose the shock. The ledger helps reduce the cost of acting on the diagnosis.
Landlocked and island networks pay a higher ambiguity premium
The RIPE NCC service region contains dense European hubs and much thinner edge markets. That variation matters. A network in Amsterdam, Frankfurt, London or Paris can often reach multiple carriers, exchanges and cloud regions with relative ease. A network in a smaller island economy, a remote territory, a conflict-adjacent market or a landlocked state may face a smaller menu of credible paths. For these networks, address ambiguity carries a higher premium because the next-best route is more expensive and less familiar to counterparties.
An island provider may have a second cable but not a second competitive landing ecosystem. It may have satellite for emergency traffic but not enough capacity for normal service. It may have cloud workloads abroad but depend on the same impaired corridor for users to reach them. A landlocked provider may rely on transit through neighbours whose regulatory, commercial or security conditions differ. A small enterprise network may depend on one sponsoring LIR for registry administration and one upstream for international acceptance. In each case, physical dependence and evidence dependence stack together.
This is where a common regional ledger has public-good characteristics. The holder of an address range pays for accurate records, but many others benefit: upstreams, peers, customers, cloud platforms, security teams and emergency planners. During a cable shock, those benefits become visible. Fewer calls are needed, fewer letters must be exchanged, fewer filters need emergency exceptions, and fewer customers must be asked to suspend their normal controls. The ledger reduces crisis transaction costs across parties that may never meet.
The effect is regressive when the ledger is weak. Large firms can buy manual review. They can place engineers inside major exchanges, maintain relationships with cloud platforms and retain counsel for documentation. Smaller operators cannot. They need common evidence precisely because they lack private leverage. If the ledger is stale or incoherent, the market price of resilience rises most for those least able to pay.
This does not make RIPE NCC responsible for every inequality in the region. Geography, investment, regulation and politics shape cable resilience. But the registry can avoid adding avoidable friction. Its record should not become another point where edge networks pay extra for ambiguity created by poor administration. A thin, accurate ledger is not dramatic, but for small and exposed markets it can be a meaningful equaliser.
Address continuity is spare capacity in institutional form
The cable industry has a familiar language for spare capacity. Operators buy diverse paths, unused wavelengths, backup cross-connects, secondary transit and cloud-region options because they know the primary path can fail. Address continuity is the same kind of reserve, but it sits in institutions rather than fibre. It is the pre-positioned ability to prove, under stress, that a network can keep using its public identity while the physical path changes.
This reserve has to be built before the incident. A network cannot easily create trusted holder evidence, clean origin proof, working reverse DNS and credible contacts at the exact moment when a major route is impaired. It can update records then, but counterparties may not instantly accept hurried changes. They may suspect fraud, hijack risk or emergency improvisation. In the best case, they ask for extra review. In the worst case, they reject the route or delay the customer's migration. The economic lesson is that registry evidence has inventory value. It is a stock of trust available for use when time is scarce.
The inventory analogy also clarifies the cost of underinvestment. A firm that refuses to buy spare capacity may look efficient during normal months and fragile during an outage. A firm that leaves its address evidence stale may look administratively lean during normal months and expensive during a cable shock. In both cases, the apparent saving is a transfer of cost to the future. The difference is that poor evidence often hides better than missing capacity. A board can see whether a second circuit exists. It may not see whether the ROA maximum length fits a realistic emergency route, whether the route set is maintained, whether a cloud platform will accept the prefix, or whether an enterprise customer will recognise the same endpoint after failover.
This is why address evidence belongs in procurement and audit discussions, not only network engineering. A buyer of connectivity should ask whether the provider's public addresses can move across planned backup paths without losing legitimacy. A bank choosing a disaster-recovery supplier should ask whether fixed endpoints have current RDNS and contact evidence. A public agency using cloud failover should ask whether the address identity survives a move across regions or providers. An investor looking at a network should ask whether scarce IPv4 resources are operationally portable or merely recorded somewhere. These are not abstract governance questions. They affect the price and speed of recovery.
The same point applies to insurance and contractual penalties. If a provider has paid for physical diversity but cannot prove address continuity, the expected loss from a cable shock is higher than the network diagram suggests. If a customer has strict endpoint controls, the provider's evidence quality determines whether the customer sees a managed failover or a security event. If a platform uses automated filters, the provider's RPKI and route data determine whether backup reachability is accepted in minutes or contested over days. The address file therefore influences the economic value of every other resilience investment.
RIPE NCC's contribution is to make this reserve credible without owning it. The registry cannot guarantee that a carrier will accept a route, that a cloud platform will approve a range, or that a customer will waive internal controls. It can make the basic evidence stable enough that each of those parties starts from a common file. That is a modest function in legal terms and a large function in economic terms. It turns many private trust questions into a shared reference.
The risk of overreach returns here. Because address continuity has value, powerful actors may be tempted to use registry records as leverage in disputes over cable access, sanctions, procurement, market entry or commercial rivalry. That temptation should be resisted. A ledger that becomes a bargaining weapon loses its value as common evidence. The better standard is boring and strict: accurate holder records, clear authorisation, live contacts, reliable RDNS and correction paths that are neither theatrical nor arbitrary. Spare capacity in fibre helps only when it can be lit. Spare capacity in evidence helps only when it is trusted.
Cable repair windows expose hidden balance-sheet risk
A cable repair window is an economic interval. During that interval, a network pays for alternative capacity, accepts performance degradation, spends staff time, manages customers and absorbs reputational risk. The longer the uncertainty, the more expensive the incident becomes. Address evidence affects the length and price of that interval.
If a provider can immediately move traffic through a backup origin and show that the route is authorised, the repair window is mainly a physical and capacity problem. If it must first fix a ROA, update a route record, recover control of reverse DNS, replace stale contacts and persuade an upstream that the holder evidence is current, the repair window becomes a governance problem too. The seabed repair may take the same number of days, but the service impact and commercial cost differ.
This hidden balance-sheet risk is often omitted from cable-resilience planning. Capital committees can see the cost of backup transit, cross-connects and cloud regions. They can price service-level penalties and insurance. They are less likely to price the cost of registry ambiguity. Yet the ambiguity can determine whether the backup investment works. A second path is worth less if the address range cannot be accepted across it quickly.
The valuation issue is acute for IPv4. A portable IPv4 block with clean evidence is a productive asset. It supports customer portability, cloud admission, multi-homing and disaster recovery. The same block with unclear holder data, stale contacts, inconsistent origin state and poor reputation is worth less, not because the numbers differ, but because the market must spend more to believe them. Cable shocks reveal that discount. Buyers, lenders, customers and insurers should treat registry evidence as part of operational due diligence.
That does not require a grand theory of address ownership. The practical point is narrower. In a scarce-address economy, records have option value. They let a network act under pressure without renegotiating basic authority. RIPE NCC's ledger should preserve that option value by remaining accurate and final within its proper lane. If the registry becomes discretionary, market actors worry that continuity can be interrupted by administrative judgment. If it becomes careless, they worry that continuity cannot be trusted. Either failure raises the cost of cable risk.
Registry finality lowers crisis transaction costs
The deepest economic value of a registry is not that everyone loves it. It is that many parties can use it without first agreeing on everything else. A carrier, cloud platform, exchange route server, enterprise customer and security desk may have different incentives. They may operate in different jurisdictions and languages. They may disagree about pricing, liability, sanctions exposure, service quality or market power. Yet they can still consult a common record to answer a narrower question: who is the recognised holder of this resource, and what evidence supports the announced use?
During a cable shock, this common record reduces the number of bilateral inquiries. An upstream still manages its own filters. A cloud provider still applies its own controls. A customer still decides its own risk tolerance. But each can begin from the same evidence rather than forcing the operator to recreate its authority in private. The result is lower crisis transaction costs.
Finality matters because uncertainty is contagious. If holder evidence can be easily disputed, if old contacts remain live, if transfer history is opaque, if RPKI state is detached from operational plans, then every counterparty must decide whether the ambiguity is acceptable. Some will refuse; others will ask for indemnities; others will wait for manual review. In a cable incident, waiting is costly. The registry does not need to guarantee every commercial claim. It needs to make the narrow facts it is responsible for reliable enough that private actors can proceed.
Thinness is also part of finality. A registry that tries to decide cable economics, landing competition, traffic routing or emergency prioritisation would invite pressure it cannot properly resolve. Governments, incumbents, challengers, cloud platforms and customers would seek registry leverage for disputes that belong elsewhere. The ledger would become a policy gate. That would damage the very neutrality that makes it useful as common evidence.
The correct institutional posture is therefore disciplined. RIPE NCC should protect uniqueness, record accuracy, route-origin proof, reverse-DNS delegation and contact continuity. It should provide correction paths that work before crises and remain usable during them. It should help the market identify responsibility without deciding commercial winners. It cannot make a Red Sea route safe, add a Baltic repair ship, open a landing station or reduce terrestrial backhaul prices. But it can prevent weak records from making those physical problems more expensive.
What operators should rehearse before a cable shock
Operators in cable-exposed markets should treat address continuity as part of disaster recovery, not as a back-office task. A useful rehearsal starts with the prefix list. Which ranges must remain reachable for customers, management systems, public services, cloud ingress, payment interfaces, mail and monitoring? Which are portable, which are provider-assigned, and which depend on a single upstream? Which prefixes might need more-specific announcements during congestion? Which origins are authorised today?
The next step is route-origin proof. ROAs should match the intended emergency origins and maximum lengths. If a backup carrier or cloud platform may originate the range, the evidence should be prepared before the incident. Route filters and route sets should be checked against the same scenario. This is not an invitation to make all authorisations broad and careless. Overbroad evidence can create its own risk. The point is to align authorisation with realistic emergency plans.
Reverse DNS and contact evidence should be part of the same rehearsal. Who controls each delegation? Do the contacts reach a staffed desk? Are abuse mailboxes monitored during weekends and holidays? Do customer support teams know which address evidence will be presented if a bank, government body or platform asks why traffic has moved? Are old provider names, merger residues or stale consultant contacts still visible? If so, the repair should happen before the cable fault, not during it.
Cloud and enterprise dependencies require a separate inventory. Which cloud services use bring-your-own-IP or fixed allowlists? Which customers have contractual rights to address continuity? Which public-sector or regulated customers require notification when paths change? Which geolocation, fraud or mail systems are likely to react badly to sudden route changes? The registry file will not answer every question, but it should not be the weak link when those questions arise.
Finally, operators should test evidence retrieval. In a crisis, documents hidden in one employee's mailbox are not resilience. Public records, current portal access, known authorisation chains and rehearsed escalation contacts matter. The aim is not bureaucratic neatness. It is to reduce the number of unresolved trust questions at the moment when physical capacity is already scarce.
What RIPE NCC should and should not do
RIPE NCC's role in submarine-cable resilience is bounded. It should not plan cable routes, allocate repair ships, choose which customer traffic matters most, police landing-station pricing or declare which reroute is commercially reasonable. Those functions belong to operators, markets, regulators, customers and, in some cases, security authorities. Expanding the registry into those choices would turn a ledger into a gatekeeper.
What it should do is less glamorous and more durable. The registry should maintain records that make resource continuity intelligible. Holder data should be accurate. Contact fields should not become abandoned furniture. RPKI and ROA systems should remain reliable and understandable. Reverse-DNS delegation should be operationally clear. Correction processes should be fast enough that stale evidence does not survive into the next shock. Measurement and routing-information services should help operators and observers understand path changes without being mistaken for authority over traffic choices.
This thin role is not weak. It is strong precisely because it avoids false missions. A cable shock creates pressure for someone to decide. Customers want restoration. Governments want assurance. Incumbents want stability. Challengers want access. Cloud platforms want risk control. A registry that starts deciding among these claims will be drawn into commercial and political conflicts beyond its competence. A registry that keeps the ledger accurate lets each of those parties make decisions with lower evidence cost.
There is a useful analogy with payments. A settlement ledger does not build roads, insure warehouses or choose suppliers. But if the ledger is unclear during a crisis, every trade becomes harder. The internet number-resource ledger has a similar role for network continuity. It does not move the traffic. It makes the claim to move the traffic easier to verify.
The governance risk is therefore two-sided. Underreach leaves operators with ambiguous evidence during cable shocks. Overreach makes the registry a discretionary authority over resilience markets. The right institutional line is thin coordination: protect uniqueness, accuracy and continuity, and resist the temptation to convert scarcity or crisis into landlord power.
Watchpoints for 2026-2029
Several signals will show whether the economics of submarine-cable and address risk are improving in the RIPE NCC region. The first is whether operators in exposed markets treat RPKI and ROA state as part of resilience planning rather than as a compliance side project. If emergency origins, maximum lengths and backup carriers are not reflected in tested evidence, the next cable shock will again convert routing into manual persuasion.
The second is whether public-cloud and enterprise disaster-recovery plans include address proof. Cloud regions and backup sites are easy to list in a slide deck. It is harder to show that address ranges can be moved, accepted and recognised without delay. Providers that serve banks, public agencies, ports, hospitals, energy firms and national platforms should be able to demonstrate this continuity without improvisation.
The third is whether small and edge-market operators can use registry evidence without hiring large teams to translate it. If RIPE NCC records, RPKI tooling, reverse-DNS administration and contact updates are intelligible only to well-staffed firms, then the ledger will amplify scale advantages. The test is whether a competent smaller operator can maintain evidence that counterparties accept during a shock.
The fourth is whether cable-resilience debates avoid asking the registry to solve physical-market failures. Landing concentration, repair capacity, geopolitical chokepoints and backhaul pricing are serious issues. They deserve investment, competition policy, procurement discipline and security planning. But they should not be laundered through number-resource administration. RIPE NCC can make a resilient path easier to use; it cannot create the path.
The final watchpoint is whether market actors begin to price evidence quality. Buyers of IPv4, lenders against network assets, enterprise customers and insurers should ask not only whether address resources exist, but whether they can survive a route change. Clean holder evidence, origin proof, RDNS control and live contacts should reduce risk. Stale evidence should carry a discount. That market discipline would reinforce the registry's thin role rather than replacing it with discretionary control.
There is one more practical signal: whether post-incident reviews distinguish capacity failure from evidence failure. After a cable disruption, the easy metrics are latency, packet loss, repair dates, added transit and customer complaints. The harder questions ask why a backup route was accepted slowly, why a cloud migration waited for proof, why a customer endpoint lost standing, why a route filter rejected a prefix, or why a contact chain failed. If those questions are folded into a generic outage report, the same weakness will survive into the next incident. If they are recorded separately, operators can see which costs came from the sea and which came from the file.
That separation matters for accountability. A provider should not blame the registry for a missing cable path. A registry should not blame the sea for stale records. A cloud platform should not treat every emergency route change as suspicious when the public evidence is already coherent. A customer should not assume that all resilience claims are equal when one provider has rehearsed address continuity and another has merely drawn a second line on a map. Better evidence does not remove commercial judgment; it makes judgment less theatrical and more comparable.
The most useful outcome would be cultural rather than dramatic. Operators would treat registry hygiene as resilience work. Customers would ask for evidence that endpoints can survive rerouting. Cloud platforms and carriers would reward clean proof with faster acceptance. RIPE NCC would remain boring in the best sense: narrow, accurate, reachable and hard to bend into somebody else's commercial fight. That is the kind of institution that matters most when infrastructure fails. It is not the actor that dominates the incident. It is the actor whose ordinary discipline stops the incident from spreading into unrelated trust disputes.
Submarine cables will keep failing. Anchors, earthquakes, conflict risk, repair delays, chokepoints and simple bad luck will remain part of the internet's physical economy. The RIPE NCC region, with its dense hubs and exposed edges, will keep living with that reality. The registry cannot make the sea safer. Its duty is to make the address layer less fragile when the sea interrupts the path. If it does that well, a cable fault remains a hard engineering and capacity problem. If it does it poorly, the same fault becomes a more expensive crisis of trust.

