Thanks for the quick response Clara! Perhaps my feedback was not too clear, no worries :) — Existing resource holders will indeed keep their status, but I see a couple of things here: 1) When / if you transfer IPv4 you’ll be faced with a decision (and I guess most people will choose the status over RPKI) 2) When / if the charging scheme changes and doesn’t take the status into account (e.g. legacy counts towards the tier / membership fee) people will cancel the RIPE NCC legacy agreement (and just lose IRR / RPKI) The only reason I brought up #2 here, despite it not being related to your policy proposal, is that since both are public documents enough entities may connect the dots and realize that their legacy status is far more valuable than before. I’d argue that this current proposal increases the value of legacy, especially when combined with a new charging scheme. I hope that’s clearer now. Finally, in my experience at least, money is always a good reason to follow anti-patterns :( It’s true that there’s increased risk from IPv4 legacy but I’d argue that for most entities that will be affected this risk is lower than the costs that are or will be associated with it. Legacy cannot (easily?) be touched today by RIRs (we can only make the holders’ life more difficult) while PA is far more “vulnerable” to new policies and changes. PA also carries some risk at the end of the day and comes without any warranty. Antonis
On 30 Oct 2025, at 17:38, Wade, Clara via address-policy-wg <address-policy-wg@ripe.net> wrote:
Antonis,
Thanks for taking the time to provide feedback.
It seems there’s a misunderstanding here. This policy proposal is forward-looking. We are not going to attempt to backfill/retrofit this change as we are trying to reduce overhead for the NCC, not generate more. We are simply trying to close a loophole that keeps getting exploited.
As I mentioned in my response to Dominik, changing the holdership without going through due process is an anti-pattern and it also goes explicitly against the RIPE NCC process for legacy resource transfers outlined here: https://www.ripe.net/manage-ips-and-asns/resource-transfers-and-mergers/tran...
As I said before, hopefully, anyone engaging in these practices understands the risks they are assuming (for them and their customers if they are a service provider) by doing so. I would hope the community strives to build reliable networks rather than go against database accuracy and routing security best practices to avoid paying very reasonable registration service fees to safekeep important resources (especially in the case of most organizations where they do not pose a material cost).
Thank you, Clara
From: Antonis Chariton <daknob@daknob.net <mailto:daknob@daknob.net>> Date: Thursday, October 30, 2025 at 11:06 AM To: "address-policy-wg@ripe.net <mailto:address-policy-wg@ripe.net>" <address-policy-wg@ripe.net <mailto:address-policy-wg@ripe.net>> Cc: "Wade, Clara" <clarawad@amazon.com <mailto:clarawad@amazon.com>>, "peter.hessler@zayo.com <mailto:peter.hessler@zayo.com>" <peter.hessler@zayo.com <mailto:peter.hessler@zayo.com>>, Max Emig <ripe@emigm.ax <mailto:ripe@emigm.ax>> Subject: RE: [EXTERNAL] [address-policy-wg] Early Feedback Requested on Upcoming Policy Proposal: Clarifying the non-transferability of legacy status
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.
Hello everyone,
Although I’m not an expert in this area I’d also like to voice my agreement with Max’ point. Due to the nature of legacy IPv4 and ASes there’s no requirement for registration or notification of an RIR as far as I understand. That said, any sale can be conducted with a single contract between two parties and nobody is required to know about it.
As far as I see it, these holders will face the following dilemma: RIPE IRR + RPKI or lower membership fees and retaining this status / flexibility. I think for most organizations the choice will be clear and they’ll choose the second, with the database slowly drifting away from the truth and fewer spaces being covered by ROAs. If someone has or buys an IPv4 /16 they’ll probably choose to opt-out of higher membership fees and will be fine losing a ROA or using RADB / ALTDB.
This will also affect IXPs and other heavy users of IRR as more members / customers will require something in addition to RIPE’s database. If more and more entities start requesting the use of non-RIR sources of route objects this will undo progress for routing security.
Finally, I expect that such policy can affect any votes for the proposed charging scheme that you’ve been working hard for all this time. Legacy blocks are usually larger and they will increase the cost / tier of someone significantly, making them naturally opposed to this change even if they believe it’s the right direction.
Based on what Randy suggested and Marco’s information about the resources we spend I think keeping everything the same between LIRs and adding a transfer fee paid once as Capex / acquisition cost when e.g. the recipient is not an LIR would probably work better. If a fee cannot be applied, I’d also explore the possibility of only allowing inter-LIR transfers which means that either or both parties would have to create an LIR and the setup fee would more than cover the cost of the transaction, even if it’s only kept for a year and we get 1'000+1'800 = 2'800 EUR. That’s probably less than 1 EUR / address, reusable within the calendar year, and could cover the 0.5 FTE.
I understand that a legacy-free world would simplify things for everyone, especially RIPE, and it sounds more fair, but we need to model the impact of every policy like this one realistically. Are we certain that RPKI is that good and worth the large cost we plan to impose? Are we causing harmful side effects by re-increasing the reliance and dependency on data sources we know are not meeting the same quality criteria? My personal belief is that this RIR is investing a lot more than 0.5 / 1 FTE for the benefit of the Internet so even if we treat this as a public service it may still be worth it. As an LIR and IXP member and operator I’d get more value than the cost of leaving everything as is completely. It centralizes some costs to RIPE instead of externalizing them, but economies of scale work here.
Do you have any predictions as to which % of transfers or addresses will opt-in to this policy instead of just doing everything outside the RIR world? My expectation is that most transfers will opt-out at no cost to them and probably > 1 FTE worth of cost across all LIRs or IXPs / providers outside our service region.
Antonis
On 30 Oct 2025, at 16:17, Max Emig via address-policy-wg <address-policy-wg@ripe.net> wrote:
Hi Clara,
a large Tier 1 carrier in the ARIN region did not update the ARIN Whois in 20 years and did not offer RPKI ROA until very recently over legal concerns and maintained their own whois along with the non-authoritative RADB.
I would like to avoid any situations where organisations would have to choose between RIPE DB accuracy and routing security using RPKI ROA and legal-risks regarding out-of-region use among other concerns.
Thanks
Max
On 30 October, 2025 15:29 CET, "Wade, Clara" <clarawad@amazon.com> wrote:
Hi Max,
I’m a little confused by the counter-argument here. Could you clarify how you believe this proposal would this lead to out-of-date data and less RPKI adoption?
1. Keeping legacy status when the resources are no longer held by the organization that received these pre-RIR administration is not really keeping the database accurate/up-to-date. 2. Legacy resource holders by default do not have access to RPKI. (You may get access by signing an agreement with the NCC, but unless you do, RPKI services are not included in the basic package offered to legacy resource holders who are not members.)
Thank you, Clara
From: Max Emig <ripe@emigm.ax> Date: Wednesday, October 29, 2025 at 4:54 PM To: "Wade, Clara" <clarawad@amazon.com> Cc: "address-policy-wg@ripe.net" <address-policy-wg@ripe.net>, "peter.hessler@zayo.com" <peter.hessler@zayo.com> Subject: RE: [EXTERNAL] [address-policy-wg] Early Feedback Requested on Upcoming Policy Proposal: Clarifying the non-transferability of legacy status
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.
Good evening all,
I oppose this policy proposal as it may lead to an increase on out-of-date data and less RPKI adoption.
However, I would support adding a fee or another disincentive for keeping legacy status.
Thanks
Max
On 27 October, 2025 17:12 CET, "Wade, Clara via address-policy-wg" <address-policy-wg@ripe.net> wrote:
Hello everyone,
Following the suggestion of the RIPE NCC, we are seeking early feedback on an upcoming policy proposal we currently have in draft status.
As mentioned last week after the Registration Services update from Marco at the AP-WG session - Peter Hessler and I, members of the now concluded Charging Scheme Task Force, are drafting a policy proposal to clarify the non-transferability of legacy status to address the issues of increasing overhead for the RIPE NCC, increasing market speculation around a scarce resource and its impact on the adoption of best practices like RPKI. Our proposal will modify these existing policies:
1. “RIPE Resource Transfer Policies” (RIPE-807) with additional clarifications in the Transfer Restrictions section and the Inter-RIR policy section. M&A/org restructuring transfers will be explicitly excluded. 2. “RIPE NCC Services to Legacy Internet Resource Holders” (RIPE-639) with modifications to remove the language implying new holders can keep legacy status after transfer.
For background, legacy status was meant to indicate when an Internet resource had been directly assigned to the holder by IANA, before the RIRs were established. As such, ARIN, LACNIC and AFRINIC policies dictate that IPv4 legacy resources will no longer be regarded as legacy resources after a policy transfer takes place (excluding M&A transfers). RIPE is the only RIR that currently allows the recipient of a legacy transfer the ability to inherit the legacy status that was assigned to the original holder by IANA. This is currently being used as a loophole by certain actors to opt out of having a contractual relationship with the RIPE NCC in order to circumvent:
RIPE registration services fees. The 24-month transfer lock that was introduced by this working group to prevent flipping of scarce resources. 3. Needs-based inter-RIR transfer policy utilization requirements in the case of transfers from another RIR to a recipient of a legacy resource transfer in the RIPE region.
Following the publication of the Report of the RIPE NCC Charging Scheme Task Force, the membership learned that the RIPE NCC currently needs to dedicate a 0.5FTE to process legacy transfers. There are currently around 2,400 legacy resources held by 1,600 holders with no contractual relationship with the RIPE NCC (neither direct nor via a sponsor). That is around 40M IPs total or 5% of RIPE IPv4 space. In the last four years, NCC staff have processed between 370-280 legacy transfers per year, of which roughly a third do not involve a party with a contractual relationship with the NCC. Legacy transfers are more labor-intensive than other transfer types because the due diligence process requires the Registration Services team to manually source and verify pertaining documentation without the benefits of the automated processes for standard allocations. Legacy transfers take an average seven working hours to process when neither party has a contractual relationship with the NCC (around a third of legacy transfers), and six working hours to process when the parties have a contractual relationship with the NCC. If resources lost their legacy status after a transfer, these would then become standard allocations and staff could leverage enhanced compliance checks and automated processes to facilitate any future updates/transfers. These just take 1-3 working hours to process instead. Given that the task force was deemed out of scope for a policy change to address this gap, this is being brought to the attention of the Address Policy Working Group for action.
If there are any concerns, questions or considerations you would like to bring up before we submit this proposal for discussion in the next week or two, we would really appreciate hearing from you so we can address these and/or incorporate them.
Thanks in advance, Clara Wade
----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/address-policy-wg.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/address-policy-wg.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/