Summary

  • University legacy IPv4 space is mission infrastructure with capital value: it was often allocated for research and education in a public-good era, but it now sits inside a scarce market.
  • The RIPE NCC's strongest role is ledger discipline: durable registration, reliable contacts, RDNS, RPKI support and predictable transfer records, not judgment on campus virtue.
  • University holdings differ from corporate legacy holdings because academic autonomy, NREN ties, medical schools, libraries, scientific instruments, student networks and grant-funded collaborations create hidden continuity risks.
  • Fairness pressure is real: new networks face scarcity while old campuses may hold valuable space, yet forced redistribution would damage trust, invite capital-control politics and make research continuity less secure.
  • Sale and lease options should be mission decisions, not windfalls; endowment pressure and cloud migration can make monetization attractive while hiding future dependency costs.
  • Proper stewardship requires a campus address council, a public-interest charter, dependency mapping, contact and abuse hygiene, RDNS repair, ROA discipline, affiliate checks and continuity drills.
  • The ethical bargain is whether universities can turn a public-good-era resource into present mission value without weakening the registry ledger or research networks.

The old campus range enters the budget meeting

The first serious conversation rarely begins with Internet history. It begins with a review of research computing, a cyber-risk audit, a cloud migration plan, a data-centre exit, an endowment stress case, or a capital request for laboratories that have become more expensive to run. A chief information officer brings a spreadsheet of public IPv4 ranges. The general counsel asks who is allowed to speak for the university. The research-computing director asks which labs still depend on static public addressing. The finance office asks a simpler question: if the space can be sold or leased, how much is it worth?

That question changes the room. An old address range that once looked like background infrastructure suddenly looks like a balance-sheet candidate. It may support mail servers, authentication, library systems, residence networks, instrument controllers, high-performance computing, security sensors, health-science affiliates, data repositories and collaborative platforms that no single office fully owns. It may also have a market value large enough to interest a treasurer facing deferred maintenance, energy bills, scholarship commitments, or the political difficulty of asking for more public money. The same prefix can be a working part of academic life and a tempting pool of private capital.

University legacy space is therefore not a minor footnote to IPv4 scarcity. It is one of the clearest tests of whether Internet number governance can respect history without freezing it. Many universities and research institutions connected early because the Internet was a tool of scholarship before it became a mass retail platform. Their address allocations were not designed as tradable financial instruments. They were part of a public-good bargain: campuses would build, test, teach, connect, publish, and share. Decades later, scarcity has made those same numbers valuable in a market that did not exist when many allocations were made.

The RIPE NCC region makes the problem unusually layered. The service area spans Europe, the Middle East and parts of Central Asia. It contains long-established universities, national research and education networks, old technical institutes, public universities, charitable foundations, medical schools, observatories, cross-border research consortia and campuses whose legal status differs sharply by country. The registry context is consistent enough to make ledger standards meaningful, but the institutional contexts are varied enough to make any simple moral rule dangerous.

The right starting point is neither indignation at campus holdings nor reverence for the past. It is institutional economics. Address space has become scarce capital, but capital is not self-legitimating. The ability to sell or lease a range depends on evidence, continuity, clean records and market confidence. The ability to retain it depends on stewardship, mission need and credible governance. The RIPE NCC's role is to maintain the ledger and evidence path. The university's role is to decide, with public-interest discipline, how a historic network resource serves present scholarship, students and society.

Scarcity changed the meaning of a public-good allocation

The early academic Internet was built in a world where the central problem was not a high price for IPv4 addresses. The problem was how to connect researchers, machines, disciplines and institutions quickly enough to make distributed computing and collaboration useful. Public addressing made sense because reachability was part of the design culture. A laboratory server, a departmental machine, a library catalogue, a mail host or an experimental system could be reachable because the network was supposed to make interaction easy, not to make every endpoint a metered commodity.

That allocation culture produced holdings that can look extravagant from the vantage point of 2026. A modern campus may run much of its estate behind private addressing, federated identity, outsourced hosting, cloud platforms and provider-managed services. Yet the registry may still show a university with historic IPv4 space that reflects an earlier network design. The contrast invites criticism. Why should a campus retain valuable public numbers while new access providers, hosting firms, content firms and smaller networks face higher costs? The criticism has force, but only if it also respects the historical bargain that created the resource.

The resource was not born as a speculative asset. Early academic allocations often reflected trust in institutions that were building the network itself. Universities provided users, operational staff, protocol work, technical experimentation, documentation, education, software, regional connectivity and tolerance for the messy early phase of the Internet. National research and education networks helped bind campuses into larger systems. Research laboratories and technical faculties trained the people who later built commercial networks. In that setting, address space was an input to collective construction.

Scarcity did not erase that origin. It changed the opportunity cost. The RIPE NCC announced in November 2019 that its available IPv4 pool had been exhausted and that recovered addresses would be distributed through a waiting-list process under constrained conditions. That fact did not create the market from nothing, but it confirmed the post-abundance era. A campus that keeps a large range dark is no longer merely keeping an old technical allocation. It is choosing to hold a scarce resource while others pay to acquire comparable space or engineer around shortage.

Yet a new opportunity cost is not proof of waste. A prefix that appears quiet may be a reserve for campus independence, a dependency anchor for research systems, a buffer against provider lock-in, a continuity asset for incident response, or a hard-to-renumber part of a health-science network. A university may also have a legitimate interest in retaining strategic numbering even while reducing direct use. The cost of losing control may not be visible until the next cyber incident, grant platform migration, cloud exit, vendor dispute, network consolidation, or research collaboration that needs stable reachability.

This is why treating university legacy space as ordinary surplus property misses the key feature of Internet numbering. The value of a prefix depends on registry recognition, routing confidence, contact accuracy, reverse DNS, reputation and clean authority. A university cannot make the global network trust a sale simply by passing a board motion. Nor can a buyer fully price a range without confidence that the holder can act. Scarcity gives the range value; evidence makes the value usable.

Universities are not just old enterprises with lecture halls

The university case must be separated from the corporate legacy-holder case. A company may hold early address space because of old research operations, acquisitions, industrial networking, data centres or pre-cloud architecture. Its governance challenge is often title, auditability, tax treatment and custody after corporate change. A university has those problems too, but it adds a different institutional structure: mission, autonomy, grant funding, public trust, academic freedom, student service, research continuity and a habit of distributed authority.

Campuses are federations. A central IT group may operate the backbone, DNS, mail, identity, wireless, data centres and security monitoring. A computer-science faculty may run experimental systems. A medical school may sit under separate compliance regimes. A physics group may operate instruments whose vendor documentation mentions a fixed address from many years ago. A library may maintain public digital collections. A residence-life team may face student-network demand closer to an access provider than to a corporate office. A research institute may serve visiting scholars whose home institutions know the campus by a persistent network range.

This means that use cannot be inferred from a neat central map. The public routing table may show only part of the dependency. The address plan may show old departmental assignments without showing remote collaborators, firewall allowlists, instrument controllers, licence servers, genomic pipelines, astronomy feeds, museum archives, library proxies, alumni platforms or data repositories. Some dependencies are human: a retired professor, a lab technician, a grant administrator, a vendor engineer, a hospital network lead, or a student-services contractor may know why a range matters long after the central office lost the original file.

Academic autonomy makes this harder. Universities encourage local initiative because discovery depends on it. Research groups assemble systems from grant funds, shared facilities, graduate-student labour, vendor equipment and short-term collaborations. A network pattern created for a three-year project can become a decade-long platform. A departmental server can become a reference site for a field. A small sensor network can become part of a climate, marine, medical or physics data chain. In a corporate hierarchy, central command may eventually impose standardisation. In a university, standardisation competes with scholarly freedom and the risk of disrupting work no one wants to own.

The result is a transaction-cost problem. Before a campus can sell, lease, return, shrink, route differently or certify a legacy range, it must discover who depends on it. That discovery is expensive because knowledge is scattered and incentives are uneven. The finance office sees cash. The security office sees attack surface. The network office sees stale entries. Researchers see continuity. Legal sees authority risk. Students see service reliability. External collaborators see a stable endpoint. None of those views is false. The governance task is to combine them without allowing the loudest budget pressure to define the whole resource.

NRENs make campus space part of a wider research fabric

University legacy space is also shaped by national research and education networks. In many countries in the RIPE NCC region, NRENs connect universities, research institutes, schools, libraries, supercomputing centres, laboratories and cross-border science platforms. They are not merely upstream providers in a commercial sense. They are trust networks, engineering communities and policy environments built around education and research. They often carry specialist traffic, federated identity services, security coordination, high-capacity links and collaboration platforms that do not map neatly onto retail Internet service.

That relationship matters because a university address range may be tied to routing, filtering, incident response, identity assumptions and collaborative trust across an NREN environment. A prefix may be announced through an NREN, referenced in access controls, watched by a sectoral security team, or used to identify traffic from a recognised campus. Moving, selling or leasing parts of that space can therefore have effects outside the university's own data centre. A campus may think it is monetizing surplus. Its NREN may see new operational complexity, reputation risk or incident-response ambiguity.

This does not mean the NREN should be able to veto every university decision. It means the dependency chain has to be visible before a decision is treated as complete. If a block has long been routed through a research network, the campus should know which parts are still used for teaching, research, library access, identity federation, peering, science platforms and joint facilities. The NREN should know whether a proposed change affects route filters, reverse DNS, incident contacts, RPKI records, mailing lists, network monitoring or research services. Both sides should know when a prefix that looks local in registry data functions as part of a national research fabric.

The RIPE NCC's ledger is relevant here because it supplies the common reference point. The RIPE Database, route records, inetnum records, contacts, maintainers, reverse delegation and RPKI services provide signals that others use to interpret authority and reachability. These records are not a substitute for campus governance, but they are the public coordination layer. When they are stale, every NREN, collaborator, buyer, security team and operator pays a search cost. When they are clean, local decisions are easier to validate.

The NREN relationship also weakens crude fairness claims. A university that appears to hold a large range may, in practice, support research traffic, federated services and shared facilities far beyond its immediate student count. Conversely, a campus may invoke NREN history while leaving large ranges unused and unmanaged. The conclusion cannot be read from the size of the allocation alone. It has to be built from use, dependency, governance and evidence.

The fairness case is serious, but forced redistribution would be worse

No credible analysis can ignore the fairness problem. New networks, small hosting firms, access providers, community networks and growing digital services face real IPv4 costs. Some operate with carrier-grade NAT, fragmented address purchases, waiting lists, provider dependency, leasing exposure or difficult transition plans. They may look at historic university holdings and see privilege fossilized into a registry entry. The complaint is not merely emotional. Scarcity converts old allocations into power, and power deserves scrutiny.

But scrutiny is not confiscation. Forced redistribution would damage the very institutional trust that makes the registry useful. If a regional registry or policy community turned historic academic holdings into a pool that could be seized because other users have stronger present demand, every holder would have reason to treat the ledger as a political threat. Evidence updates would become defensive. Transfers would move into more opaque private channels. Campuses would delay engagement. Research networks would fear that accuracy could invite penalty. The market would not become fairer; it would become more secretive and more costly.

The fairness question is better framed as stewardship. A university should not be shamed for holding space that supports research, education, student services, health science, libraries or continuity. It should be challenged if it cannot explain why a scarce resource remains unused, unmanaged or quietly leased without safeguards. A campus should not be forced to sell a reserve that protects mission-critical independence. It should not be allowed to hide behind history while ignoring contact failures, routing confusion, abuse reports or dormant ranges that could support mission value elsewhere.

Transaction-cost economics helps clarify the issue. A forced reallocation regime might move addresses from apparently low-value to higher-value users, but it would also raise the cost of proof, dispute, appeal, valuation, compensation, political bargaining and legal challenge. It would invite universities to spend resources defending holdings rather than documenting and optimizing them. It would force the RIPE NCC toward discretionary power over academic mission, a role for which registry institutions have neither the knowledge nor the legitimacy. The net cost could exceed the supposed efficiency gain.

A better approach lowers the cost of voluntary, evidence-based change. If universities know how to prove authority, clean records, map dependencies, segment reserves, prepare transfers, and explain public-interest use of proceeds, more genuinely excess space can enter the market without institutional coercion. If buyers know that the RIPE NCC's evidence standards are stable, they can price transactions more cleanly. If NRENs and campus councils know how to review mission risk, fewer decisions will be made by panic or opportunity alone. Fairness then comes through disciplined stewardship rather than administrative seizure.

This distinction matters for legitimacy. The RIPE NCC's credibility rests on being a reliable regional ledger, not a moral court for historic allocations. Universities' credibility rests on treating legacy space as a public-good-era inheritance with present economic value, not as a private treasure chest. Neither side should solve its legitimacy problem by expanding the other's mandate.

Market value creates temptation, especially when budgets tighten

The pressure to monetize does not need to be cynical. Many universities face severe budget constraints. Energy costs rise. Security spending rises. Research computing becomes more expensive. Students expect digital services that work everywhere. Libraries need preservation platforms. Buildings need renovation. Public funding may be unstable. Endowments may be politically constrained, donor-restricted or exposed to market cycles. A large IPv4 range can therefore look like one of the few assets that can be converted into money without closing a programme or raising tuition.

That attractiveness is precisely why governance must slow the decision down. A one-time sale can fund visible needs while eliminating a long-term option. Once a range is transferred, the campus may never regain comparable address independence at a reasonable cost. Future cloud-exit strategies, security segmentation, research platforms, public services, medical collaborations or specialised hosting may depend on buying or leasing space back under weaker terms. A budget crisis can make the present look more valuable than the future because the future has no advocate in the meeting.

Leasing can look like the compromise: retain the space, earn revenue, and recover it later. In practice it is often the harder option. A lessee's routing, abuse profile, reputation, geographies, sanctions exposure, email behaviour, customer base, security controls and downstream use can affect the reputation of the space and, by extension, the university. The holder may retain registry visibility while operational control shifts. If the leasing chain is opaque, the campus can become associated with traffic it does not understand. Recovering a range after a lease may involve reputation cleanup, routing coordination, stale records, contract disputes and customer migration.

Endowment pressure adds another subtle risk. Trustees may be used to thinking in terms of portfolio diversification, liquidity, income and capital preservation. Legacy IPv4 space does not fit that model cleanly. It is not an investment acquired for return. It is a network resource inherited from a public-good era, dependent on registry recognition and operational stewardship. If it is folded into endowment logic too quickly, the university may ask only how to maximize proceeds. The better question is how any monetization serves the mission and what future dependency the campus is accepting in exchange.

Outsourcing and cloud migration can also distort the analysis. A university that moves services to commercial platforms may conclude that its own public space is less necessary. That may be true for some services. But cloud dependency has strategic costs: provider lock-in, bring-your-own-IP complexity, exit friction, data-sovereignty questions, incident response, pricing leverage and the risk that a future research platform needs network independence. The fact that today's hosted services do not use a campus range does not prove the range lacks option value.

A disciplined sale decision should therefore start with a mission review before price discovery. Which subranges are active? Which are reserved? Which support identity, mail, research, medical, library, instrumentation or collaboration? Which are dark but strategically useful? Which can be renumbered? Which carry poor reputation? Which have RDNS or route records that need cleanup? Which affiliates claim reliance? Which NREN services assume the space? Only after those questions have evidence should a campus decide whether a transfer is mission-consistent.

Stewardship is a technical discipline before it is a public statement

The language of stewardship can become vague if it is not tied to operational controls. For university legacy space, stewardship begins with boring evidence. The holder must know who is registered, who can authorize change, which legal name appears in the registry, which maintainers control records, which contacts work, which abuse mailbox is monitored, which subranges are routed, which origin ASNs are intended, which ROAs exist or should exist, how reverse DNS is delegated, which services depend on each range, and which external parties manage any part of the estate.

Contact hygiene is the first test. A campus that cannot receive and act on notices about its space cannot credibly claim to be a steward. Universities have staff turnover, retirements, reorganisations, outsourced help desks, shared mailboxes and departmental autonomy. An address record that points to a retired engineer or a dead domain is not a harmless relic. It raises incident-response costs for everyone else and makes later transfer or record repair harder. The same applies to abuse handling: a university does not need to behave like a commercial provider, but it does need a working path for reports tied to its space.

Reverse DNS is another indicator of seriousness. Old delegations can reveal abandoned domains, former departments, long-closed labs or third-party arrangements nobody remembers. Cleaning them is not cosmetic. Reverse DNS affects diagnostics, reputation, mail handling, research services and the ability of outsiders to understand a network. A campus that plans to sell, lease or retain space should know whether its reverse delegations reflect current use. If the delegation is shared with an NREN or service provider, the responsibility path should be documented rather than assumed.

RPKI and route-origin discipline are now part of stewardship. A university should know which prefixes it announces, through which ASNs, under which service relationships, and with which route origin authorizations. A missing ROA is not always evidence of negligence; deployment histories vary, and legacy arrangements can complicate certification. But a campus that ignores origin validation while routing valuable legacy space accepts unnecessary risk. A wrong ROA can be as harmful as none. Route security is not a slogan. It is a maintained relationship between intent, registry data and live routing.

Dormant subnets need their own category. They should not be treated automatically as saleable, because they may be reserves or hidden dependencies. Nor should they remain unexamined. A dormant range should be tagged with a reason: strategic reserve, decommissioned pending review, unavailable due to legacy dependency, held for research continuity, candidate for internal reclamation, candidate for external transfer, or unsuitable due to reputation or authority uncertainty. Without such tags, silence becomes a governance substitute.

These controls are not a bid to make campuses bureaucratic for its own sake. They reduce transaction costs. They make future decisions faster and safer. They protect research continuity. They reduce abuse friction. They help NRENs coordinate. They make transfer markets less opaque. They allow a board to distinguish mission reserve from archival clutter. Stewardship is therefore not the opposite of liquidity. It is the condition under which liquidity, retention or leasing can be justified.

Medical schools, libraries and instruments reveal hidden reliance

The most fragile university dependencies often sit outside the central network narrative. Medical schools are a prime example. In some countries, a university owns or controls teaching hospitals; in others, it collaborates with health systems under separate legal and security regimes. Research, clinical trials, imaging, genomic data, laboratory platforms and teaching systems can all intersect with campus networking. Even where patient care and academic research are separated, public addresses may appear in vendor systems, VPNs, secure data exchanges, laboratory controllers, collaborator allowlists or audit documentation.

This does not mean every medical-school dependency justifies retaining a large range indefinitely. It means the dependency must be investigated with the right people in the room. A central IT group may not know that a genomics pipeline, imaging archive, research registry or specialist instrument relies on a fixed address. A hospital affiliate may not understand that a university is considering a sale. A vendor may treat renumbering as a billable project with clinical and compliance review. A grant may have data-delivery commitments that assume stable endpoints. The cost of disruption can be far higher than a simple routing change suggests.

Libraries create a different kind of hidden reliance. University libraries run catalogues, repositories, digitized collections, proxy services, archival systems, institutional publishing platforms and access gateways for licensed resources. Their mission is public as well as campus-facing. Many have long memory because collections and identifiers persist. IP-based access may be less elegant than federated identity, but it remains common in parts of the scholarly publishing ecosystem. A shift in campus addressing can therefore affect access to journals, archives, databases, digital collections and inter-library services in ways that are visible only after users complain.

Scientific instruments are even less legible to finance offices. Microscopes, telescopes, spectrometers, field sensors, accelerators, marine instruments, environmental stations, observatories and high-performance computing interfaces may run for many years. They may depend on vendor software that was never designed for frequent renumbering. They may be placed at remote sites, linked to collaborators, or maintained by small technical teams. An address range that appears dormant from the centre may support scheduled data pulls, remote maintenance, calibration, or external access windows. The network dependency may be intermittent but mission-critical.

Student networks add a more ordinary but politically salient layer. Residence halls, campus Wi-Fi, learning platforms, health services, payment portals, examination systems, printing, career services and alumni transitions all create reputational pressure. Students do not care whether a failure arises from a prefix transfer, a stale allowlist or a vendor security rule. They experience the university as unreliable. A decision that converts address space into revenue while causing service friction can therefore shift cost to students, staff and help desks.

The lesson is that hidden reliance is not an argument against change. It is an argument against shallow change. Universities can retire old dependencies, move services, renumber systems, adopt IPv6, consolidate ranges and release genuinely excess space. But the work must be sequenced. A sale should be the conclusion of a dependency review, not the trigger that reveals what was missed.

Alumni spinouts and affiliated institutes require hard boundary work

Universities produce companies, foundations, research centres and joint ventures. Some are born in laboratories. Some use university infrastructure while they mature. Some are backed by alumni, professors, hospitals, venture funds or public research grants. Some remain on campus networks longer than anyone planned. Others leave but keep historical dependencies, domains, contacts or address assumptions. Legacy IPv4 space can become tangled in these boundary cases.

The economic problem is straightforward: a resource held for public-good academic purposes should not quietly become subsidized infrastructure for private capital unless the relationship is explicit, authorized and fair. A spinout may have legitimate transitional needs. It may also have investors, customers and commercial aims that make continued use of university numbering inappropriate. A research institute may be mission-aligned but legally distinct. A foundation may share facilities but not governance. A medical affiliate may have public-health value but separate risk. The boundary cannot be guessed from a department name.

Registry evidence alone will not solve this. A RIPE Database record may show the university or an affiliated name. It will not explain whether a startup's use is authorized, whether a service agreement exists, whether the range can be reclaimed, or whether the affiliate has authority to make routing changes. That is campus governance. The university must maintain an internal register of external or semi-external use: who uses the space, under what agreement, for what duration, with what security controls, with what abuse path, and with what exit plan.

This is especially important before leasing or transfer. A campus might discover that a range considered idle is used by a former lab now operating as a company. If the company has no formal right, the university has a governance problem. If the company has a formal right, the campus has a contract and continuity problem. If the company announces the space through its own provider, the campus has a routing and reputation problem. If the company has customers depending on the range, the campus has a transition problem. None of these can be solved by treating the prefix as a clean financial asset.

There is also a fairness issue inside the university. If one spinout or affiliate enjoys long-term access to scarce legacy space while others must buy connectivity on the market, the campus may be allocating hidden value without review. That can distort commercialization, alumni relations and technology-transfer policy. A campus address council should therefore include technology-transfer and legal expertise, not just network engineers. The question is not only whether the route works. It is whether the arrangement is legitimate.

The RIPE NCC should preserve the ledger, not judge academic virtue

The RIPE NCC's institutional role is central but bounded. It maintains registration services for the region, including data that network operators, resource holders, researchers, security teams and buyers rely upon. It supports mechanisms such as the RIPE Database, reverse DNS delegation and RPKI services under defined arrangements. It administers transfers and registry updates according to policy and evidence requirements. It operates in a post-exhaustion world where IPv4 value is obvious. That combination creates pressure for the registry to solve problems that belong partly elsewhere.

The temptation is to ask the RIPE NCC to become an arbiter of academic virtue. Did a university deserve its early allocation? Has it used the space enough? Is its sale consistent with public purpose? Are its research claims sincere? Should a medical school count more than a library? Should a wealthy university face more pressure than a poorer one? Should an NREN's view outweigh a campus board's view? These are real questions, but they are not questions a registry can answer without becoming a discretionary capital authority.

The registry should instead insist on evidence where evidence is its mandate. Is the holder properly identified? Are legal changes documented? Are authorized contacts clear? Are registry updates requested by the right party? Are transfer requirements met? Are reverse delegations and related records maintained through proper channels? Are resource certificates tied to legitimate control? Are policy requirements applied predictably? These questions protect the ledger. They do not require the RIPE NCC to grade a university's budget ethics.

This boundary protects universities as well as the registry. If the RIPE NCC stays within ledger discipline, campuses can engage without fearing that accurate records will trigger a moral review of their historical holdings. If it drifts toward discretionary judgment, campuses may become defensive, especially where public politics around university wealth and public funding are already tense. A registry that appears to ration legacy space by perceived merit would invite litigation, lobbying and policy capture. It would also create a dangerous precedent for other categories of historic holder.

At the same time, bounded registry power does not excuse campus neglect. A university should not use the ledger boundary as a shield for poor hygiene. Stale contacts, unclear authority, unmanaged leases, absent abuse response, confusing route records and abandoned reverse DNS are not private matters. They raise costs for the wider Internet. The RIPE NCC can properly require evidence for changes and can publish data that makes neglect visible. It should not confiscate for virtue. It should make reliable stewardship easier to prove and unreliable stewardship harder to hide.

The ethics of turning public-good space into private capital

The ethical question is not whether a university may ever sell. A categorical ban would be impractical and morally blunt. Some campuses may hold ranges that no longer serve teaching, research or continuity. Some may need funds for network modernization, cybersecurity, student access, open science, IPv6 transition or research computing. A sale that converts a genuinely surplus resource into durable mission infrastructure can be more ethical than leaving it idle. Stewardship can include release.

The harder question is how to prevent public-good history from becoming private extraction. Many universities benefit from public funding, tax advantages, charitable status, research grants, subsidized students, public trust and alumni gifts. Legacy IPv4 space held by such an institution is not just an entry in an asset list. It is a trace of the era when academic networks were part of the shared construction of the Internet. If the space is monetized, the proceeds should visibly strengthen the mission rather than disappear into general budget relief or vanity capital projects.

Public universities face the sharpest scrutiny. Their address space may have been used by institutions supported by taxpayers, public grants and national research systems. Selling a range to fund a short-term deficit can look like converting a public-good input into a budget patch. That may still be defensible in a crisis, but only if the campus shows that the resource is truly surplus, that mission risks have been reviewed, that proceeds support public-interest digital infrastructure or education, and that the sale does not merely postpone a structural funding problem.

Private nonprofit universities face a subtler version of the same test. Their boards may have more discretion, but their public trust is real. Tax exemption, donor support, student reliance, accreditation and grant funding all create duties beyond price maximization. A private university that sells a legacy range to fund cyber resilience, research computing, open repositories or student connectivity can tell a coherent stewardship story. One that treats the sale as found money for prestige spending may struggle to justify the conversion of public-good-era capacity into private institutional advantage.

Leasing raises even sharper ethical concerns because it can turn an academic inheritance into a revenue stream while retaining public association. If a lessee uses the space for opaque hosting, spam-prone services, sanctions-sensitive activity, aggressive scraping, weak customer controls or jurisdictional arbitrage, the university may become the respectable face attached to traffic it does not control. The ethical issue is not only reputational. It is whether the university has allowed a resource grounded in research trust to be used in ways that undermine that trust.

The safest ethical rule is earmarking plus transparency. If a campus monetizes legacy space, it should disclose the mission rationale internally and, where public accountability warrants it, externally. Proceeds should support network modernization, security, IPv6 deployment, research infrastructure, library preservation, open science, student connectivity or other digital mission needs. A board should record why retaining the space was not necessary, how dependencies were retired, and what safeguards applied. The point is not to perform virtue. It is to keep institutional legitimacy attached to a resource whose origin was never purely commercial.

A campus address council would reduce the risk of panic decisions

Universities need a governance body that treats address space as mission infrastructure with market value. It should not be a large ceremonial committee that meets once and produces a policy nobody uses. It should be a small campus address council with authority to classify ranges, maintain evidence, approve dependency reviews, recommend sale or lease decisions, and coordinate with the NREN and the RIPE NCC contact path where appropriate.

The council should include network engineering, information security, research computing, libraries, medical or health-science representation where relevant, legal, finance, procurement, technology transfer, data protection, risk management and at least one senior academic representative. Not every meeting needs every specialist. But the standing membership should make clear that legacy space is not solely a network team's burden or a finance team's opportunity. It is a shared institutional resource.

The council's first deliverable should be a living address register. Each range should have a current authority record, intended use, actual use, route status, origin ASN, ROA status, reverse DNS status, contact path, abuse path, affiliate use, NREN dependency, research dependency, student-service dependency, medical or library dependency, sale readiness, lease restrictions and review date. Dormant space should be tagged, not ignored. Third-party use should be documented, time-limited and reviewable. Ranges with unclear authority should be quarantined from monetization until the evidence is repaired.

The second deliverable should be a public-interest charter. It need not be long. It should state that legacy address decisions must protect research continuity, student services, security, legal authority, registry accuracy and the university's public or charitable mission. It should require mission review before transfer or lease, earmarking rules for proceeds, and heightened scrutiny for arrangements that put the university's name behind external traffic. It should also state that retaining space without review is not stewardship.

The third deliverable should be a transfer-readiness file. For any range that may be sold, the university should prepare legal proof, registry data, route history, reputation review, dependency sign-off, NREN notice, reverse DNS plan, ROA plan, communications plan and board approval language. Transfer readiness does not mean transfer intent. It means the university knows what it owns, how it is used and what would be required to change control.

Leasing safeguards must be stricter for academic holders

If a university chooses to lease legacy space, it should apply stricter safeguards than a purely commercial holder might. The reason is not that universities are morally superior. It is that their reputation and history create a trust surface. Traffic associated with a university-held range can be interpreted by outsiders through the lens of academic legitimacy. That interpretive advantage should not be sold casually.

A lease policy should begin with use restrictions. The university should prohibit high-abuse or reputation-sensitive uses unless it has exceptional controls and a clear mission reason. It should require lessee identity, customer controls, routing transparency, abuse response, sanctions and export-control review where relevant, jurisdictional disclosure, incident cooperation, and the right to terminate for conduct that threatens the university's reputation or security. Subleasing should be barred or tightly controlled. The holder should know who is actually using the space.

Routing safeguards matter. The university should approve origin ASNs, maintain correct ROAs, ensure route records are updated and reviewed, and define how announcements will be withdrawn at the end of the lease. It should monitor route visibility, reputation feeds, abuse reports and reverse DNS. It should avoid arrangements where a third party can alter routing or delegation in ways the university cannot see quickly. Contract language without operational visibility is weak protection.

Lease duration should reflect recovery risk. A long lease may look attractive because it creates stable revenue, but it also turns temporary external use into a quasi-permanent dependency. The lessee may build customers, products or routes around the range. Exiting then becomes politically and operationally harder. A university that believes it may need the space for future mission use should not grant lease terms that make recovery expensive or reputationally messy.

Proceeds from leasing should be treated like proceeds from sale: mission-linked, reviewed and transparent to the appropriate governance body. If recurring lease revenue flows quietly into general operations, it can create dependence on continuing external use even when the risk profile worsens. That is a capital-control problem inside the university: the budget becomes attached to a resource it may not fully control. The council should therefore review leases periodically and be willing to terminate revenue if the mission risk changes.

The simplest rule may be the best: if a university cannot monitor the space as if its name matters, it should not lease it. Leasing without monitoring is not stewardship. It is reputation arbitrage.

IPv6 transition does not remove the stewardship duty

It is tempting to say that universities should solve the whole problem by moving to IPv6 and releasing IPv4. The direction is right; the conclusion is too quick. Universities should accelerate IPv6 deployment because dual-stack competence, IPv6-only service readiness and reduced dependence on scarce IPv4 are part of long-term public-interest networking. But IPv6 transition does not instantly dissolve legacy IPv4 duties. It changes their shape.

Many campus services remain tied to IPv4 because of vendors, external partners, library platforms, research collaborations, access controls, embedded equipment, measurement systems and user environments that are not yet uniformly IPv6-ready. Medical and scientific equipment may lag. External collaborators may be behind networks with uneven IPv6 quality. Some security tooling and compliance documentation may still assume IPv4 ranges. A campus can and should push these dependencies down over time, but pretending they have disappeared can create failure.

IPv6 transition also requires money and planning. If a university sells part of its IPv4 space and earmarks proceeds for IPv6 deployment, monitoring, training, dual-stack cleanup, application remediation and research-network modernization, that can be a credible mission use. But a sale that removes IPv4 reserves without funding the transition simply shifts risk forward. The campus may become more dependent on providers or leases while claiming to have modernized.

The RIPE NCC's role remains the same. It can provide registry services, data, training and coordination within its remit. It should not force a university into an IPv6 transition timetable by threatening legacy holdings. Nor should a university use incomplete IPv6 deployment as an indefinite excuse for poor IPv4 stewardship. The public-interest path is measurable transition: services inventoried, dependencies reduced, partners engaged, IPv6 capability tested, and retained IPv4 justified by explicit continuity needs.

IPv6 also changes the fairness debate. The strongest fairness claim is not that every university prefix must be redistributed. It is that institutions with public missions should not use legacy IPv4 wealth to delay architecture modernization while others absorb scarcity costs. A university that holds large IPv4 reserves and does little to improve IPv6 readiness is conserving power, not serving the future. A university that uses legacy value to accelerate transition can align history with present responsibility.

The RIPE NCC region needs evidence standards, not a moral sorting machine

The diversity of the RIPE NCC region makes moral sorting especially risky. A university in one country may be a state body. Another may be a foundation. A third may be a private nonprofit. A technical institute may be tied to national infrastructure. A medical university may be linked to hospitals. A research centre may operate under treaty-like arrangements or government contracts. Public funding, autonomy and legal authority vary. A single regional rule about what universities deserve would almost certainly misread local institutions.

Evidence standards travel better than moral categories. The registry can require clear authorization, legal identity, continuity documentation and accurate records. Campuses can document mission use, dependencies, affiliate arrangements and governance approvals. NRENs can record routing and service implications. Buyers can conduct due diligence. Policy communities can debate transfer rules, database accuracy and service eligibility. None of these requires the RIPE NCC to rank universities by virtue or wealth.

This is why the ledger-vs-gatekeeper distinction is not academic wordplay. If the registry becomes a gatekeeper for the social worth of campus use, it must gather information it cannot reliably judge: educational mission, research value, budget pressure, public funding history, political legitimacy and future campus strategy. If it remains a ledger with disciplined evidence standards, it can support all parties without becoming the owner of their choices. The ledger still has power, but the power is procedural and evidentiary rather than discretionary and redistributive.

Capital-control risks arise when scarcity tempts institutions to control flows rather than evidence. A registry that can decide whether a university's use is worthy can also decide whether a company's use, a nonprofit's use, a government agency's use or a small network's use is worthy. That path invites lobbying and politicization. It may begin with sympathy for new entrants and end with a registry pressured by every group claiming superior social value. The Internet number system does not become more legitimate when every transfer becomes a political hearing.

The better regional norm is predictable proof. If a university wants to update, certify, transfer, lease-related records or repair legacy data, it should know what evidence is needed. If it cannot provide evidence, the record should not be casually changed. If it can provide evidence, the registry should not impose an extra moral test. Public accountability then shifts to the university's own governance, where mission, funding and research continuity can be assessed by people with authority over the institution.

Research continuity should be tested before address decisions become final

Universities routinely conduct business-continuity and disaster-recovery exercises. Legacy IPv4 decisions deserve similar testing. A campus considering sale, lease, deaggregation, routing change or consolidation should run a research-continuity drill. The exercise should ask what would break if a candidate range moved, what external systems depend on it, who would notice, how quickly services could be renumbered, which grants or collaborations would be affected, and which third parties would need advance notice.

The drill should include more than central IT. Research computing, libraries, medical schools, high-performance computing teams, data-protection officers, cybersecurity staff, grant administration, procurement, technology transfer and NREN contacts should be involved where relevant. The aim is not to create a perfect dependency map. It is to reveal the categories of risk that a purely technical scan misses. A quiet prefix can carry a social network of obligations.

Testing should also include reputation. If a range has been dark or externally used, the university should review blocklists, mail reputation, historical abuse reports, route history, hijack claims, abandoned domains and reverse DNS. A range intended for sale may carry reputation damage that reduces price or imposes cleanup duties. A range intended for renewed campus use may create service problems if reputation is not repaired. Reputation is part of the asset, even when accounting systems do not recognise it.

Continuity drills should produce decisions, not just lists. Some ranges should be retained. Some should be renumbered internally before any sale. Some should be placed under no-lease rules. Some should be prepared for transfer after dependency retirement. Some should be cleaned and left as strategic reserve. Some should be routed differently. Some should be removed from external affiliate use. The point is to move from mythology to classification.

This kind of review also protects boards. Trustees and governing councils are poorly placed to judge address-space detail, but they can ask whether the institution has done a serious review. A decision memo that says "unused according to central scan" is weak. A memo that summarises dependency testing, NREN consultation, legal authority, registry evidence, reputation review, IPv6 transition, mission use of proceeds and residual risk is much stronger. Good process does not eliminate disagreement, but it makes disagreement intelligible.

A practical model for campus stewardship

A serious university policy can be short if it is operationally specific. First, classify all legacy IPv4 space into active mission use, strategic reserve, dependency under review, affiliate use, candidate for internal recovery, candidate for external transfer, and unsuitable for external use pending repair. Second, assign each range an owner inside the institution and a review date. Third, maintain current registry, contact, abuse, RDNS, route and RPKI data. Fourth, require council approval for any lease, transfer, deaggregation or third-party routing arrangement.

Fifth, require a mission memo before monetization. The memo should explain why the range is surplus to foreseeable research, education, student-service, library, medical and continuity needs; how dependencies were tested; how NREN effects were reviewed; how proceeds will be used; and what risks remain. Sixth, restrict leasing to transparent, monitored, low-risk uses with clear termination rights. Seventh, require annual reporting to senior governance on address stewardship, not only when a sale is proposed.

Eighth, use IPv4 value to fund modernization rather than postpone it. If sale or lease revenue exists, priority should go to IPv6 transition, network security, research computing, library infrastructure, open science, student connectivity, data stewardship and continuity improvements. Ninth, document affiliate and spinout use. No external or semi-external party should rely on university numbering indefinitely without a written agreement, security requirements, routing rules and an exit path.

This model does not require universities to become address-market specialists. It requires them to treat address space with the seriousness they already apply to land, grants, laboratories, data, donor restrictions and cyber risk. The numbers are not mystical. They are scarce, operationally meaningful, historically loaded and marketable. That combination deserves governance.

Watchpoints for the RIPE NCC region

Several signals will show whether university legacy stewardship is improving or deteriorating. The first is contact freshness. If university records continue to point to dead mailboxes, old departments and unclear maintainers, the sector is failing the simplest test. The second is route and ROA alignment. If universities announce valuable ranges through unexpected ASNs without clear records, or if ROAs are missing or wrong for active space, stewardship remains weak. The third is RDNS quality. Abandoned reverse entries are a warning that the campus does not fully know its estate.

The fourth signal is leasing opacity. Academic-held space appearing in high-abuse or poorly explained hosting contexts should attract institutional scrutiny. The problem is not leasing as such. It is leasing that uses academic legitimacy as a cover for traffic whose risk the university does not monitor. The fifth signal is sale proceeds. Where universities monetize ranges, the mission use of proceeds will reveal whether the public-good bargain is being honoured. Funding cyber resilience, IPv6, research computing and student access tells one story. Filling an unexplained budget hole tells another.

The sixth signal is whether policy debate respects the ledger boundary. Calls for mass reclamation of university space may be politically satisfying, but they are institutionally risky. So are claims that legacy holders owe no explanation because the allocations are old. The mature position is narrower and stronger: keep the ledger accurate, lower evidence costs, make stewardship visible, and let campus governance carry the moral burden of mission decisions.

The bargain universities now have to renew

University legacy IPv4 space sits at the end of one era and the beginning of another. It comes from a time when academic networks helped make the Internet useful and public addressing was a tool of reachability, experimentation and institutional autonomy. It now exists in a time when IPv4 scarcity creates market value, legal caution, leasing pressure and fairness debates. Both histories are true. The policy challenge is to keep them from cancelling each other out.

The RIPE NCC should not become a forced redistribution authority for campus space. That would weaken ledger trust and pull the registry into judgments it cannot fairly make. Nor should universities treat old allocations as private treasure immune from review. That would convert public-good history into quiet capital control. The defensible middle is disciplined stewardship: accurate records, clean authority, transparent dependencies, cautious monetization, mission-linked proceeds, leasing safeguards and credible transition planning.

This middle path will disappoint those who want a simple answer. It does not say that old universities must give the space back. It does not say that they can keep or lease anything they happen to hold. It says that legitimacy is produced by evidence and governance. The registry must make the public ledger reliable. The campus must make its mission decision intelligible. Buyers and brokers must respect the cost of public-interest review. NRENs must surface dependency without turning into veto players. Policy communities must resist the lure of capital-control shortcuts.

The ethics are sharpest because the money is real. A prefix that once helped connect a laboratory can now fund a building, a security programme, a cloud migration, an IPv6 project, or a budget gap. The conversion is not automatically wrong. But it should never be casual. If a university turns public-good-era address space into cash, it should be able to say what mission value replaced the network value it gave up. If it retains the space, it should be able to say what mission value justifies the opportunity cost. If it leases the space, it should be able to say why the use is monitored, bounded and consistent with academic trust.

That is the renewed bargain. Scarcity makes the old addresses valuable. Stewardship makes their value legitimate. The RIPE NCC can preserve the ledger on which that legitimacy depends, but it cannot supply the university's conscience. The university can decide how its legacy space serves research, students and society, but it cannot make that decision credible without evidence. In the post-abundance Internet, academic autonomy survives not by hiding its inheritance, and not by surrendering it to the loudest scarcity claim, but by governing it well enough that history, market value and public purpose can be seen together.