Summary
- IPv4 leasing separates at least three roles: the registered holder, the contractual user and the network that actually operates or announces the addresses. A public holder record can remain accurate about registration while being incomplete about current use.
- Existing number-resource systems already recognise layered delegation. ARIN records reassignments and reallocations, APNIC requires members to register specified downstream assignments, and RIPE policy distinguishes allocations from assignments. These models show that operational use below the direct holder is normal, even though they do not map neatly onto every commercial lease.
- BGP, reverse DNS, geolocation and observed services are clues, not contracts. An origin ASN can be a lessee, its transit provider, a managed host or a mitigation service. Failure to match the registered holder does not by itself establish an unauthorised lease or unlawful use.
- A voluntary operational-use notice should carry only what coordination needs: prefix or safely aggregated range, registered holder reference, operational role, effective period, reachable network-operations and abuse channels, expected origin context, authority attestation and status. It should omit price, rent, customer lists, business plans and private covenants.
- The notice must be evidentiary rather than constitutive. Filing it does not transfer the resource, validate the contract or make the registry an enforcement body. Not filing it creates no presumption of illegality. A disputed notice can be marked, corrected or withdrawn without letting either party rewrite the underlying registration.
- Minimal visibility works only with privacy, expiry and role separation. Public users may need a contact relay and high-level operational status; authenticated responders can receive more detail; contract evidence remains with the parties unless lawfully required. The registry keeps the address book useful without becoming contract police.
One prefix can have several truthful answers to “who uses it?”
Ask who uses an IPv4 block and the answer depends on the purpose of the question.
The registered holder may be the organisation named in the Regional Internet Registry record. It may have obtained the block years ago, maintained the account, paid service fees and retained authority over the registration. Under a private contract, it may allow another company to use some or all of the addresses for a fixed term.
The contractual user may be a cloud provider, hosting company, Internet service provider, security operator or enterprise. It pays for availability and carries obligations under the lease. It may not announce the addresses itself. A transit provider, network partner, distributed denial-of-service mitigation service or managed infrastructure company may originate the route on its behalf.
The operational contact may be another party again. A 24-hour network-operations centre can sit in a group company or outsourced provider. Abuse complaints may go to a specialist desk. Reverse DNS may be maintained by the lessee, lessor or a managed service. Geolocation feeds may identify the customers' service area rather than any party's legal home.
None of these facts necessarily makes the registered holder record false. The record can accurately say who holds the direct registration while failing to answer who can fix a route leak tonight. Conversely, a record naming the current operator can help incident response while saying nothing reliable about title, contractual rights or the duration of use.
The mistake is to demand that one field answer all questions. A registry built to preserve unique delegation is asked to double as a property register, contract repository, routing map, abuse directory and customer ledger. When it cannot, observers call the difference a shadow.
The more useful approach is to separate roles. Preserve the direct registration. Let parties add a narrow operational-use notice when it improves coordination. State what the notice proves and, equally important, what it does not.
Private use is not an anomaly created by leasing
The Internet numbers system has long contained hierarchy. A Regional Internet Registry delegates address space to a Local Internet Registry or another direct recipient. That organisation can assign or reallocate portions to customers under applicable regional rules. The customer may operate the addresses, while the direct recipient remains responsible for the parent allocation.
ARIN describes simple reassignments, detailed reassignments and reallocations. A simple reassignment can show that part of a direct registrant's space is used by another party even though the recipient has no management capability over the record. A detailed reassignment gives the downstream organisation more control over contacts and some services, while the direct registrant retains the ability to reclaim the space. A reallocation permits further downstream delegation.
APNIC tells members that they are responsible for registering sub-allocations and assignments delegated to their infrastructure or customers. RIPE policy likewise distinguishes an allocation made to an Internet registry for later assignment from an assignment made for use by an End User.
These arrangements are not identical to an asset-style lease negotiated in the secondary market. Some arise from connectivity service, hosting or ordinary customer assignment. Some policies limit further delegation. The legal and commercial relationship can differ substantially.
Still, the existing hierarchy establishes an important fact: direct registration and operational use have never been required to collapse into one organisation in every case. Registries already maintain parent-child records, downstream contacts and different levels of control. The design question is therefore not whether separated use can exist. It is how to describe a form of separated use that may fall outside familiar service-provider categories without falsely treating the description as a transfer.
Leasing makes the issue economically visible because the use right can be priced separately from connectivity. The registry sees a holder. The route collector sees an origin. The contract sees a lessor and lessee. Each sees part of the arrangement.
Governance should reconcile those views only as far as coordination requires.
A missing public record is not proof of an illegal bargain
Inference expands quickly when data are scarce. A researcher sees that the registered holder differs from the apparent route origin. A reputation service sees customer traffic from a block whose public contact points elsewhere. A registry sees utilisation or geography that does not resemble an old application. The term “lease” becomes accusation rather than description.
The evidence rarely supports that leap.
The route origin may be the holder's transit provider. The block may be announced through anycast, a mitigation service or a network partner. A corporate group may use different legal entities for assets and operations. A merger may have changed names without changing control. A customer reassignment may be valid but published under a parent or privacy convention. The public record may simply be stale.
Even where a private lease exists, invisibility does not establish illegality. The relevant contract may be valid under the parties' law. The direct holder may retain responsibility under its registry agreement. The arrangement may not trigger a current public-registration threshold, or the parties may use a permitted downstream record that does not identify the commercial character of use.
The reverse inference is unsafe too. A downstream record does not prove that a lease is authorised, fully performed or still in force. A lessee can remain listed after expiry. A holder can create a customer record without giving the named party the rights it assumes. A route can continue after the commercial term ends.
Evidence must therefore be described at the level it supports. Registration shows the registry's current recognised relationship. A downstream notice shows a reported operational association. BGP shows observed route propagation and origin attributes. A contract shows agreed rights between its parties. A court order can alter those rights. None should be silently substituted for another.
This evidential discipline is not indulgence toward bad actors. It is the basis for accurate enforcement by the institutions that actually possess authority. Registries damage both legitimacy and data quality when they treat ambiguity as guilt and demand commercial disclosure merely to resolve a contact problem.
BGP can reveal operation but not the bargain
BGP is attractive evidence because it is observable at scale. Researchers can associate a prefix with an origin ASN, follow changes over time and compare announcements with registry records. If an address block registered to one company is repeatedly originated by another, operational separation is likely.
Likely is not complete.
BGP communicates reachability information between autonomous systems. It does not carry the lease, price, authority chain, beneficial owner, customer identity or reason the origin changed. The origin can be a lessee, but it can also be an upstream network authorised to originate on the holder's behalf. Managed hosting, anycast, route servers and security services complicate the picture further.
Origin visibility also varies. Route collectors observe selected peers rather than every network's private view. A more-specific route may reveal a downstream operator while the aggregate remains with the holder or another service. A route can be present before a lease begins for testing, remain during a migration, or persist incorrectly after authority ends.
The practical implication is that BGP should inform an operational-use notice, not replace it. The parties can state expected origin ASNs or an origin-management category. Monitoring can then flag a mismatch for contact and correction. The mismatch is an operational signal, not automatic proof of breach.
This distinction matters for incentives. If publishing an expected origin lets the registry judge the contract or penalise every transient difference, parties will stay silent. If the field helps networks reach the right operator and lets the parties correct stale information, it has value.
The notice should accommodate managed origin. A lessee can identify that routes may be originated by an authorised provider without naming every temporary path. Large services can list a controlled set of origin ASNs or a secured reference maintained through an authenticated channel. The public need is to understand who can respond, not to receive the customer's complete network design.
Observed routing is strongest when used to test contact accuracy and weakest when used as a substitute for private law.
The public holder record should remain intact
Minimal operational visibility begins by refusing a tempting shortcut: do not overwrite the registered holder with the lessee.
A lease ordinarily grants use for a term. It does not necessarily transfer the holder's registration rights. If the lessee replaces the holder in the main record, the public entry implies a change more extensive than the parties intended. It can confuse transfer history, service fees, renewal responsibility, legal notices and the authority to dispose of the resource.
The opposite shortcut is equally weak: keep only the holder and assume every operational question can be forwarded. The holder may not run the network, see the traffic or maintain 24-hour response. Forwarding introduces delay and can expose the lessor to complaints it cannot investigate.
The correct model has two linked layers. The direct registration states the holder recognised by the registration service. A subordinate operational-use notice states that another party has a defined role for a defined range and period. The link is explicit, but the subordinate notice cannot modify the parent holder.
The notice should use language that avoids property conclusions. “Operational user,” “network operator,” “service contact” and “authorised origin context” are functional terms. “Owner” is inappropriate unless a separate legal record supports it. “Assignee” can be confused with regional assignment categories and should be used only where the local policy actually applies.
When the lease ends, the operational notice expires or is replaced. The parent registration continues. When the resource is sold, the transfer changes the parent record and any active operational notice is either adopted by the buyer through explicit confirmation or ends. A buyer must not inherit a private lease by accidental persistence in a public directory.
Keeping the layers separate protects everyone. The lessor does not surrender its recognised position merely by improving operational contact. The lessee is visible for the function it performs. Responders reach the right desk. The registry does not convert a disclosure service into a title decision.
The minimal notice has a short list of fields
Data minimisation is not achieved by asking for everything and hiding some of it later. The collection itself should be narrow.
The first field is the covered resource. It can identify the exact prefix where precision is operationally necessary. For large portfolios or sensitive customer structures, the public view may aggregate adjacent ranges while authorised responders can resolve the more specific notice.
The second is the direct holder reference. This links the notice to the current registration without repeating private holder data.
The third is role. The filing party selects one or more defined functions: operational user, origin manager, network-operations contact, abuse responder, reverse-DNS operator or managed service. Roles prevent a generic “contact” from being mistaken for the holder.
The fourth is time. The notice carries an effective date and an expiry or review date. Open-ended use can use a periodic confirmation interval rather than an invented end. Time turns a directory entry into a current statement instead of an archaeological trace.
The fifth is contact. Public output should favour durable role addresses, contact relays or secure forms over personal names. A network-operations path and abuse path may be the same organisation but remain separately labelled.
The sixth is origin context. The notice can list expected origin ASNs, an authorised managed-origin provider or a statement that origin varies within a controlled service. This field assists routing response but does not authorise a route by itself.
The seventh is authority attestation. The direct holder confirms that the notice may be published, and the operational party confirms that it accepts the role and contact obligations. The attestation identifies the signers without publishing their credentials.
The eighth is status: proposed, active, ending, expired, withdrawn or disputed. Status changes are time-stamped and attributable.
That is enough. The notice does not need rent, deposit, purchase option, customer revenue, service architecture, beneficial-owner analysis, tax treatment, governing law, detailed purpose or a copy of the agreement. If a court or regulator lawfully requires those materials, it can request them from the parties under applicable process. The public registry does not need them to direct a routing incident.
Optional must mean optional
An “optional” filing can become compulsory through inference. If registries, transit providers or researchers begin treating absence as evidence of unauthorised leasing, rational parties will feel forced to disclose. The system will have created a mandate without admitting it.
The rule must therefore state that absence is neutral. A resource with no operational-use notice remains governed by its direct registration and any existing downstream records. The absence does not prove that the holder operates the addresses, that no customer uses them or that any private arrangement violates policy.
Optionality can still produce useful participation if the notice has practical benefits. A lessee gains a recognised contact surface and can reduce misdirected abuse reports. A lessor reduces operational noise and demonstrates that a named responder accepted responsibility. Transit providers and incident teams receive a current path. Researchers can distinguish reported delegated use from unexplained origin changes.
Services can build incentives without penalties. Faster correction of geolocation or contact errors, verified role badges, authenticated access for incident coordination and exportable history can make filing worthwhile. Insurers or commercial counterparties may request it by contract. Those are choices by parties that bear the risk, not a universal presumption imposed by the registry.
Certain legal regimes may require disclosure for particular operators or uses. That requirement should identify its legal source and scope. It should not be laundered into a global registry condition applying to everyone.
Optional also means removable. The parties can end a notice when the relationship ends, subject to preserving historical timestamps for audit. They do not need registry permission to terminate the public association. A dispute over termination is marked without forcing the registry to decide the contract.
Participation rates should be reported honestly. The notices describe the population that chose to file, not the entire lease market. Analysts must not calculate a global leasing total from voluntary records or compare regions without accounting for different incentives.
A useful voluntary directory earns trust by limiting claims. It says, “this operational role was attested for this period.” It does not say, “all invisible use is suspect.”
Role-based RDAP can expose function without exposing a person
RDAP already supplies a vocabulary for separating contacts. RFC 9083 defines entity roles including registrant, technical, administrative, abuse, registrar, proxy, notifications and network operations centre. That vocabulary can support a minimal-use notice without inventing one undifferentiated identity field.
Role separation improves response. A route leak belongs with the technical or NOC role. Harmful traffic belongs with the abuse role. A question about the direct registration belongs with the registrant or registrar role. Billing is irrelevant to most public users and need not be exposed.
The privacy design should prefer organisational channels. A contact URI can lead to an authenticated form that routes the report internally. A role email can be published without naming an employee. Telephone details can remain visible only to authenticated incident responders where the risk justifies them.
RFC 9537 adds explicit mechanisms for signalling redacted RDAP fields. It shows that a response can indicate removal, partial presentation or replacement without filling public output with unreliable placeholder values. The standard was developed mainly in the registration-data context, not specifically for IPv4 leases, but its design principle applies: privacy handling should be machine-readable and honest about what is not shown.
The public notice might therefore show the operational organisation or a verified relay, role, active period and high-level origin context. An authenticated network operator could receive an escalation contact and more-specific range. The registry or another trusted custodian could retain signer evidence. The contract remains with the parties.
Access tiers must be simple enough to audit. A registry should not create a privileged data market in which vague “trusted” status reveals complete lease portfolios. Access should be tied to a stated incident purpose, logged and revocable. Aggregate research should use protected data with disclosure controls.
Role-based access solves a common false choice. The public does not need either total opacity or the lessee's full corporate file. It needs the minimum function and a reliable way to reach it.
Suballocation visibility should describe a tree, not judge a deal
Leased space can be used directly by one lessee or divided among downstream services under authority granted by the holder. The second case creates a tree. The direct registration is the root, the lessee's operational range is a child, and customer or service ranges may be more-specific descendants.
A visibility system must prevent the child from claiming more than the parent allowed. The holder sets the maximum range and whether the operational party may create further notices. Each descendant references the immediate parent. More-specific entries cannot extend outside the parent or outlive it.
This resembles existing reallocation and sub-allocation structures, but the notice should not pretend every lease fits a regional policy category. It records delegated operational authority as attested by the parent. If the local registry rules recognise the delegation formally, the notice can link that status. If not, the notice remains a coordination statement.
The tree can be private at lower levels. A public view might show that an operational user manages a /20 and provides customer service without listing every customer /24. Incident responders querying a specific address can receive the most specific reachable contact through a relay. This preserves utility without publishing the lessee's customer book.
Expiry cascades carefully. When the parent notice ends, descendants become ending rather than instantly vanishing. Contacts remain reachable during a short transition, and the system warns the descendant operators. The direct holder can then confirm a new parent, adopt selected notices or let them expire. This avoids a directory blackout while respecting the limit of delegated authority.
Disputes remain scoped. If one customer notice is challenged, the entire operational range is not frozen. If the lessee's parent authority is contested, descendants carry a caution but remain contactable while the parties resolve rights.
The registry's task is mechanical: enforce range containment, authority references, time bounds and contact validity. It does not read the master lease to decide whether a revenue-share clause permits one more customer. Contract interpretation belongs to the parties, their chosen forum and applicable law.
The notice must not become a disguised transfer
Commercial actors will avoid visibility if filing changes their legal or registry position. The notice must therefore carry explicit non-effects.
It does not transfer the direct registration. It does not give the operational party a right to sell, port, renew or encumber the resource. It does not prevent the holder from exercising rights under the contract. It does not make the registry a party to the lease. It does not certify that the agreement is valid under every applicable law.
It also does not prove beneficial ownership, accounting control or tax treatment. Those conclusions depend on facts and legal standards far beyond a directory entry. Auditors and lenders may consider the notice as evidence of operational possession for a period, but they must examine the agreement and other records.
Nor should the notice create a public-law licence. An operator remains subject to telecommunications, cybersecurity, sanctions, consumer, privacy and criminal law where applicable. The registry does not approve those obligations by accepting a contact record.
These disclaimers are not empty legal caution. They protect the quality of the data. If a lessee fears that disclosure will be treated as ownership, it may refuse to file. If a lessor fears that acknowledging use surrenders control, it will keep the arrangement invisible. A narrow statement encourages truthful participation.
The registry should resist attempts to attach unrelated conditions. It cannot demand proof of need, business purpose, price fairness or geographic benefit merely because the parties volunteered an operational notice. It cannot require a transfer because the use has lasted a long time. Duration is relevant to contact accuracy, not automatic evidence that the bargain changed legal character.
Where a current regional rule expressly classifies the arrangement, the registry can inform the parties of that rule. It should still distinguish record acceptance from enforcement. A dispute about compliance receives its own notice and legal route; the operational contact should not be deleted when responders need it most.
Visibility succeeds when it tells the truth about function without manufacturing a new right or taking an existing one away.
Registries should not ask to see the lease
The full contract is seductive to an administrator. It appears to answer every uncertainty: who may use the space, for how long, on what terms and with what remedies. In practice, collecting it creates more problems than it solves.
Leases contain prices, deposits, customer commitments, warranties, indemnities, security requirements, corporate structures, governing law and termination rights. Some cover other services. Amendments may change one term without restating the agreement. Side letters and notices can matter. A registry employee reading the document may still lack the legal context to decide what it means.
Collection creates security and confidentiality risk. A central store of commercial agreements becomes attractive to competitors, litigants and attackers. Access controls fail. Retention obligations expand. Parties begin drafting for the registry audience rather than their commercial needs.
Most importantly, possession invites adjudication. Once the registry has the lease, pressure grows to decide whether the lessee breached acceptable use, whether the lessor terminated correctly, whether a sublease was permitted or whether the rent implies a sale. The address book becomes contract police.
The minimum notice avoids this by using attestations. The holder states that the operational party is authorised for the listed role and period. The operational party accepts the contact obligations. Each keeps the supporting contract and agrees to produce relevant evidence to a court, regulator or agreed dispute forum when lawfully required.
For high-risk changes, a neutral verifier can confirm that a contractual authority clause exists without giving the registry the entire agreement. The verifier reports only the tested fact, its date and the parties. Even this should be optional unless a specific legal requirement applies.
Fraud is handled through signature and challenge rules, not routine contract surveillance. A holder can dispute a notice it did not authorise. A lessee can dispute a false association. The system preserves the competing statements and suspends only the contested role, not the parent registration.
A registry does not become more accurate by collecting facts it cannot competently interpret. Accuracy begins with asking only the question it needs answered.
Abuse response benefits from visibility but does not define legality
One of the strongest arguments for operational visibility is practical: complaints often reach the wrong party. A registered holder may receive reports about traffic generated by a lessee's customer. Forwarding costs time, and the complainant may assume silence means indifference.
A current abuse role can shorten that path. The notice can identify a verified mailbox, form or response service for the active range. It can state service hours and an escalation route. The holder remains available for unresolved notices but is not the first-line investigator for traffic it does not operate.
This benefit must not turn abuse allegations into a lease-validity test. The existence of complaints does not prove the commercial arrangement is unlawful. The absence of complaints does not validate it. The registry should measure whether contacts are reachable and whether reports receive acknowledgement, not judge disputed content or impose punishment through the registration.
There is also a risk of strategic reporting. Competitors or disgruntled users can flood the operational contact, then cite volume as evidence that the lease should end. Rate controls, authenticated escalation and transparent complaint categories can protect the directory from being weaponised.
The public notice should not expose personal investigators. Organisational channels and ticket references are sufficient. Sensitive complainant data stays with the responsible operator and lawful authorities.
When the operational party becomes unresponsive, the holder can replace the contact, mark the notice ending or escalate under its contract. The registry can flag the contact as unreachable. It should not infer termination or reassign the resource.
Detailed responsibility for an abuse complaint, lease-end routing and post-use reputation deserves separate treatment because each has its own evidence and timing. The narrower point here is that contact accuracy provides value independent of policing. A directory can help a report reach the party able to act without deciding guilt, damages or the validity of the lease.
That is thin administration at its most useful: connect the problem to the responsible function, preserve the record and let competent authorities handle enforcement.
Privacy is part of accuracy
Public-data debates often treat privacy as the enemy of transparency. In operational registration, excessive exposure can make records less accurate.
A small lessee may hesitate to publish staff names, direct phone numbers, exact customer ranges and a lease expiry that reveals bargaining position. A large provider may face scraping, targeted attacks and commercial mapping. If disclosure is all or nothing, parties choose nothing or submit stale generic contacts.
Data minimisation creates a more sustainable bargain. Publish a role, verified relay, active period and enough range information to route an inquiry. Keep signer identity, direct escalation details and precise customer structure behind authenticated access. Retain only what is necessary for the stated period.
Expiry is a privacy control as well as an accuracy control. When the relationship ends, public contact data should disappear from the active view promptly. A protected historical record can preserve who attested what and when for disputes or audit without leaving former employees exposed indefinitely.
Query design matters. A user investigating one IP address should receive the most relevant active contact, not an export of every lease associated with the holder or lessee. Bulk access requires a separate purpose, safeguards and rate limits. Researchers can receive aggregated or protected data rather than a commercial map.
The system should log access to non-public fields and let the parties review who obtained them under which role. Misuse leads to suspension. Privacy policy should be written as operational controls, not vague promises.
Accuracy also requires a correction channel. A person or organisation wrongly named as operator can challenge the notice and obtain rapid review. The public status becomes disputed while evidence is checked. If the notice was false, it is withdrawn with a visible correction rather than silently deleted.
Privacy and visibility are therefore complements. The directory gets the contact information people are willing and able to maintain. The public gets a reliable path. Sensitive commercial and personal details stay out of an institution that does not need them.
Ending a notice should preserve continuity without deciding termination
Every temporary use arrangement eventually changes. The lease expires, renews, is terminated, expands, contracts or moves to another operating company. The visibility record must handle that transition without becoming the forum that decides whether termination was lawful.
The notice should warn both parties before its stated end. They can renew by joint confirmation, replace it with a new period or let it expire. If the holder alone marks it ending under a contractually asserted right, the lessee can acknowledge, contest or remain silent. The registry records the positions and follows the pre-agreed notice rule; it does not interpret damages or cure provisions.
Operational contact should not vanish at the first contested moment. A short ending state keeps the current NOC and abuse relay reachable while routes and customers move. This is a coordination grace period, not an extension of the lease. Its duration is fixed and cannot be used to preserve operation indefinitely.
Expected origin context can show a transition window in which old and new operators may both appear. Monitoring flags announcements after the end, but the observation is sent to the parties rather than treated as automatic hijack. A persistent route after authority ends may require action by transit providers or courts based on evidence beyond the notice.
If the parties agree that use ended, the public view becomes expired. Historical data record the period and status changes. If they disagree, a dispute marker can remain available to authorised users after the active contact ends. The parent holder record continues throughout.
This limited treatment deliberately avoids the deeper questions of who controls routing-security authorisations, how traffic should be withdrawn at a precise hour and who bears reputation damage after use. Those questions need separate rules and evidence. The notice supplies the common timeline and contact foundation on which those rules can operate.
A directory should make the transition legible. It should not declare the winner of a private termination dispute.
Independent operation is possible without registry endorsement
Some leases will remain outside any optional notice. The parties may judge that existing reassignment records are sufficient, the use is too short, the ranges change too quickly or confidentiality outweighs the benefit. The network can still operate.
Transit providers will evaluate route announcements under their own contracts and security practices. The holder and lessee can manage reverse DNS and routing information through agreed credentials. Abuse contacts can be published on service websites or other directories. Courts and regulators can obtain evidence under law.
The optional system should coexist with these arrangements rather than try to displace them. It is one coordination layer, not the source of legal existence. A network does not become unauthorised because it lacks a badge.
This independence disciplines the visibility service. If its fees, disclosure demands or delays become excessive, parties can decline it. The service must earn adoption by reducing contact friction and uncertainty. It cannot rely on the threat of derecognition.
It also limits institutional risk. If the registry removes a notice by mistake, the direct registration remains. If the notice service is unavailable, the parties retain their contract and routes. If policy changes, existing private rights do not evaporate.
Interoperability is still useful. Notices should be exportable so a holder can move registration services without losing current operational contacts. The format and signatures should be open. Another competent directory can reproduce active statements and history. Portability prevents visibility from becoming another lock-in point.
The distinction between endorsement and publication should appear on every response. The service confirms that named parties attested an operational role and that the notice passed mechanical checks. It does not endorse the operator's conduct, creditworthiness or legal theory.
The registry becomes more useful by making less ambitious claims. It helps the Internet find the party behind current operation, then stops before coordination becomes permission.
A credible pilot should begin with willing portfolios
The first implementation should not attempt to map the whole lease market. It should test whether minimal, voluntary records improve operations without creating new leverage.
A pilot can recruit lessors and lessees with varied portfolios: one direct enterprise lease, one managed hosting arrangement, one ISP with customer ranges and one portfolio using multiple origin providers. Participation is voluntary and the parties review the public fields before activation.
The pilot measures contact success. Did routing and abuse inquiries reach the correct team faster than through the holder record alone? Were notices acknowledged? How often did range or origin context need correction? Did privacy controls prevent unwanted disclosure?
It also measures maintenance. How many notices expired cleanly, renewed on time or became stale? How many parent-child conflicts occurred? Could the same data be exported and validated by another service? Did a disputed notice receive rapid correction without affecting the direct registration?
Commercial effects must be studied cautiously. Entities may be larger or more organised than the wider market. A high success rate does not show that all leases should be visible. It shows whether the notice works for parties that choose it.
The pilot should prohibit several practices from the start: no contract uploads, no price fields, no needs evaluation, no public personal contacts by default, no inference that non-entities are non-compliant and no automatic effect on transfer or registration services.
An independent privacy and operational review can inspect samples, test contact relays, attempt unauthorised aggregation and verify deletion from the active public view after expiry. Findings and corrections should be public without exposing the portfolios.
NRS can support a common format and assurance criteria while leaving publication to multiple services. That approach fits a decentralised model better than one mandatory global list. If operators see value, adoption can expand through contracts and incident-response practice. If a field creates risk without measurable benefit, it can be removed.
The pilot's question is practical: can a small, honest statement about operation reduce harm while leaving the private bargain private?
Measure usefulness, not the amount of disclosure
A visibility programme can easily reward the wrong metric. Counting fields, records or disclosed addresses makes more collection look like success. The proper measure is whether the minimum information improves coordination.
Contact accuracy is first. Sample notices and test whether the NOC and abuse channels work, respond in the stated time and reach a team responsible for the covered range. A generic mailbox that never answers is visible but useless.
Timeliness is second. Measure the lag between operational change and notice activation, correction or expiry. A precise record updated months late can be worse than a broad current one.
Role clarity is third. Ask responders whether they could distinguish the holder, operator, origin manager and abuse desk. Track how often users contacted the wrong role despite the notice.
Privacy performance is fourth. Report unauthorised access attempts, bulk-scraping controls, data exposed beyond the stated purpose, correction requests and the time to remove inactive personal details. Success includes information not collected.
Neutrality is fifth. Audit whether registry staff or other users treated absence as suspicious, demanded agreements, delayed unrelated services or used notices to evaluate business purpose. A voluntary system can fail through institutional behaviour even if its written terms are careful.
Continuity is sixth. During endings and disputes, did the contact path remain available long enough for incidents? Did the parent registration remain intact? Were descendants warned without revealing private customer lists?
Research value is last and bounded. Analysts may learn about reported delegated use, but coverage must always accompany any estimate. The programme should publish participation rates by broad category and refuse claims about the invisible remainder.
These measures keep the project honest. The goal is not to make private markets transparent to administrators. It is to make operational responsibility reachable when the parties decide that visibility helps.
NRS can make visibility portable without making it compulsory
Number Resource Society can contribute where regional differences currently create friction. It can define a common operational-use notice that distinguishes the direct holder, contractual user, operator and contact roles. It can publish open signature and export rules so a notice survives a change of registration service.
NRS can also define non-effects. Every conforming service must state that filing does not transfer the resource, validate the contract or confer enforcement power. Every service must treat absence as neutral. These protections are as important as the fields.
Assurance can focus on mechanics: range containment, parent authority, signer authentication, contact verification, time bounds, privacy controls and correction history. NRS does not need the rent or business plan to test those elements.
For cross-regional operation, the common format prevents the same lease from acquiring incompatible labels merely because the holder and operator sit in different service regions. Each registry can link local assignment categories where applicable without forcing the global notice into one region's legal vocabulary.
NRS can maintain a resolver that directs a query to the relevant notice service rather than centralising every record. Services publish signed responses. Holders and operators choose where to maintain their statements. An outage or institutional dispute at one service does not erase the ability to prove the attestation elsewhere.
Independent governance matters. Lessors, lessees, incident responders, privacy experts, transit operators and researchers should all test changes. Registries can participate as recordkeepers, not as owners of the commercial relationship.
NRS should resist the political attraction of a comprehensive market map. Total visibility would require coercion, expose sensitive business structure and still fail to prove private rights. A modest system can succeed by doing one thing well: make an attested operational role discoverable for the time and range in which it matters.
This is a positive institutional role. NRS reduces ambiguity through common language while protecting the freedom that makes leasing useful. It strengthens the address book without handing the bookkeeper the lease.
The registry can acknowledge reality without ruling it
IPv4 leasing exists because operational demand and registered holdings do not always sit in the same company at the same time. Scarcity makes that separation commercially valuable. Networks that need addresses can obtain use without buying a permanent position. Holders can put idle capacity to work while retaining the underlying registration.
The public record will never reveal the whole market, nor should it. Private agreements contain facts that competitors do not need and registries are not competent to judge. Observed routing can reveal operational clues but cannot supply contractual meaning. Existing assignment systems show that layered use is normal, yet no single regional category captures every lease.
The policy choice is not between blindness and surveillance. There is a middle design.
Keep the direct holder record. Let the parties publish an optional subordinate notice. Limit it to range, role, time, contact, origin context, authority and status. Use role-based RDAP and privacy-preserving relays. Make absence neutral. Let disputes be marked without converting them into punishment. Let expiry end the public association while preserving a protected history. Never require the contract merely to direct an operational complaint.
This design improves evidence by narrowing its claims. A notice can show that the holder and operator attested a relationship for a period. It cannot prove ownership, legality in every jurisdiction, contract performance or present routing authority after expiry. Those questions remain with parties, courts, regulators and networks that possess the relevant evidence and mandate.
The registry's legitimacy grows when it refuses power it does not need. It can maintain unique registration, publish accurate functional contacts and support correction. It does not need to set prices, approve business models, interpret termination clauses or punish invisible arrangements.
The lease the registry cannot see is not automatically a threat. The greater threat is an institution that mistakes incomplete sight for a licence to invent guilt.
Give the Internet a reliable contact, a truthful role and a time boundary.
Leave the bargain with the people who made it.
Sources
- ARIN, Reporting Reassignments — current thresholds, methods and distinctions used when direct recipients report downstream IPv4 reassignments and reallocations.
- ARIN, Managing Resource Records — descriptions of simple reassignments, detailed reassignments, reallocations and the different capabilities retained by direct and downstream organisations.
- ARIN, Registry Data Description — registration-data categories and privacy treatment available for specified downstream customer records.
- APNIC, Recording Network Assignments — member responsibility for registering allocations, sub-allocations and assignments in the APNIC Whois Database.
- RIPE NCC, IPv4 Address Allocation and Assignment Policies for the RIPE NCC Service Region — current distinction between allocations, sub-allocations and assignments in the RIPE service region.
- RFC 7020, The Internet Numbers Registry System — the hierarchical structure and coordination function of Internet number registration.
- RFC 4271, A Border Gateway Protocol 4 — the routing protocol basis for origin and path observations, which do not themselves disclose private commercial authority.
- RFC 9083, JSON Responses for RDAP — entity roles for registrant, technical, administrative, abuse, proxy, notifications and network operations contacts.
- RFC 9537, Redacted Fields in RDAP — machine-readable removal, partial presentation and replacement of sensitive registration fields.
- European Union, General Data Protection Regulation, Article 5 — data-minimisation principle used as a design reference, without claiming that one jurisdiction's law governs every global notice.
- Lu Heng, Why Registries Must Never Become Enforcers — the distinction between maintaining accurate registration and using registration services as punishment.
- Lu Heng, On Why RIR Enforcement Creep Is the Silent Killer of IPv4 Liquidity — the market risk of turning registration review into broad control of lawful commercial use.
- Lu Heng, On Why i.LEASE Exists — the operational and continuity risks that remain after a lease or transfer agreement is signed.

