RIR Accountability Q&A

1.1. Delegation of authority

1.1.1. What is the (legal) basis of the RIRs’ authority?

Communication between devices using the Internet Protocol relies on identifying the appropriate devices; IP addresses serve the purpose of identifying devices in a network. Therefore IP addresses have to be unique. To ensure that a unique IP address is attached to each device, IP addresses must be distributed and registered in an organised manner, a requirement recognized from the early years of the Internet.

Up until the early 1990s, all IP address registration was managed on a global basis, via the Internet Assigned Numbers Authority, or IANA (initially just one man, Jon Postel, an American computer scientist). In the late 1980s, the need was recognized for a new system of allocation and registration of IP addresses that would meet the demands of network operators in different regions.

In 1990, a new system was proposed (RFC 1174: IAB Recommended Policy on Distributing Internet Identifier Assignment and IAB Recommended Policy Change to Internet “Connected”) that suggested the creation of an Internet Registry system responsible for the allocation and the registration of IP addresses and distributed among numerous regional registries. Each Regional Internet Registry (RIR) would allocate and register IP addresses according to criteria determined by the relevant stakeholders in each geographic region.

The RIPE NCC began allocating and registering IP addresses to members in Europe in 1992, becoming the first RIR. APNIC, the second RIR, was established in Tokyo in 1993. The third RIR, ARIN, was established in the United States in 1997. LACNIC was subsequently was established in Uruguay in 2002 and AFRINIC was incorporated in Mauritius in 2004.

In 1996, a Best Current Practice document was approved, which provided general rules and guidelines governing the distribution and registration of IP addresses (RFC 2050: Internet registry IP allocation guidelines). This document defined the RIR system by describing its structure, the hierarchy of the stakeholders in this system and their relationships with each other.

The current status and role of RIRs is comprehensively described in RFC 7020: The Internet Numbers Registry System, an IETF document developed through rough consensus and published in 2013.

1.1.2. How are RIRs created?

Each of the five Regional Internet Registries has been created based on the needs and consensus agreement of the community that it serves (see section 10, “Regional IRs” in RFC 2050). While it has been generally agreed that there should be a relatively small number of RIRs, the current system of five is capable of being modified.

The procedure for the creation of a new RIR is laid out in detail in the global Internet policy document ICP-2: Criteria for Establishment of New Regional Internet Registries, which defines a number of principles for the formation of a new RIR. This policy has already guided the formation of AFRINIC and LACNIC, the two most recently formed RIRs.

Fundamentally, a new RIR must have the bottom-up support of the regional community being served

1.1.3. Does ICANN have a role in this process?

The five RIRs, acting together as the NRO, signed a Memorandum of Understanding with ICANN in 2004, the ICANN Address Supporting Organization (ASO) Memorandum of Understanding. This updated earlier versions of this MoU (1999, 2001, 2002) to which the ICP-2 document refers. According to these two documents, the ASO Address Council is responsible for providing recommendations to the Board of ICANN concerning the recognition of new RIRs, with final ratification of such recognition being the responsibility of the Board of ICANN.

1.1.4. Do governments have a role in this process?

The RIR communities make policy via open, transparent and bottom-up processes. Governments and their representatives are able to participate in this process, but do not have a privileged role as such. Given the important role that governments play in shaping public policy relating to the Internet, their contribution to the RIR policy processes is important, and the five RIRs engage in a range of outreach activities to encourage greater government participation.

Within the ICANN community, governments can make a specific contribution via the ICANN Governmental Advisory Committee (GAC). The specific roles and rights of the GAC are detailed in the ICANN By-laws.

1.1.5. How are disputes between RIRs and ICANN handled?

Article 7 of the ICANN Address Supporting Organization (ASO) Memorandum of Understanding provides that:

In the event that the NRO is in dispute with ICANN relating to activities described in this MoU, the NRO shall arrange arbitration via ICC [International Chamber of Commerce] rules in the jurisdiction of Bermuda or such other location as is agreed between the NRO and ICANN. The location of the arbitration shall not decide the laws to be applied in evaluating this agreement or such dispute.

1.1.6. How are disputes between RIRs handled?

The NRO Memorandum of Understanding, signed by all of the RIRs covers the possibility of a dispute between RIRs over implementation of a global policy:

Arbitration

a. In the event that an RIR is in dispute with the NRO relating to implementation of global policies, or with another RIR relating to the implementation of a coordinated policy, the NRO shall, at the request of one RIR, notify the others and arrange arbitration via ICC rules in the jurisdiction of Bermuda, or such other location as is unanimously agreed upon by each of the parties to the arbitration.

b. An organization which believes it has met the criterion of Section 14 [recognition of a new RIR], but is refused the same legal status by the Executive Council in Section 3, may request and will be granted the right to arbitration pursuant to this provision.

This MoU also provides an Advisory Appeal Process (section 9), establishing an Advisory Appeals Panel made up of community members (not RIR employees) from each RIR service region that may hear any complaints relating to failure on the part of an RIR, the NRO or an NRO suborganization to follow its documented policy development process concerning global IP number resource policies, and advise the NRO Executive Council.

1.2. Redress mechanism

1.2.1. To whom are RIRs accountable, and how do they report to their stakeholders?

As not-for-profit associations according to the specific laws in their respective host countries, the RIRs are accountable to their membership and provide periodical reports on the finances and activities to both the membership as well as the Internet community. Details of this reporting can be found in the RIR Governance Matrix, specifically section 13.

As Regional Internet Registries, filling the role described in RFC 2050 and subsequent RFCs, each RIR is also bound to execute the policies developed by their communities through open, transparent and bottom-up policy development processes. This obligation is detailed in the agreements that each RIR signs with their members and non-members, which can be found in sections 3 and 4 of the RIR Governance Matrix.

1.3. Withdrawal of authority

1.3.1. Who can withdraw an RIR’s authority?

RFC 7020: The Internet Numbers Registry System, published in 2013 notes that further evolution of the Internet Numbers Registry System will occur via open, transparent and bottom up decision making processes, and that specifically:

“Discussions regarding the evolution of the Internet Numbers Registry System structure, policy, and processes are to take place within the ICANN framework and will respect ICANN’s core values … [that] encourage broad, informed participation reflecting the functional, geographic, and cultural diversity of the Internet at all levels of policy development and decision making, as well as the delegation of coordination functions and recognition of the policy roles of other responsible entities that reflect the interests of affected parties… The discussions regarding Internet Numbers Registry evolution must also continue to consider the overall Internet address architecture and technical goals referenced in this document.”

As in the case of recognizing a new RIR, withdrawal of authority or closure of an RIR would require the consensus agreement of the community, expressed via a global policy as described in the ICANN Address Supporting Organization (ASO) Memorandum of Understanding.

1.4. The “community”

1.4.1. How do we define “the community” and ensure that the interest of all relevant parties are represented?

The RIR communities operate according to several principles:

• Community discussions and decision-making processes are open for everyone to participate
• All community processes are transparent
• All community processes are driven in a bottom-up fashion, meaning that policy changes are the result of concerns or initiatives from members of the community
• Decision making is based on rough consensus

Openness
The RIR communities have no formal membership and no participation fees. They are open to anyone that wants to participate in the policy-making process and related discussions.

To participate in the discussions and the policy-making process, people can subscribe to the public mailing lists created for these purposes. Discussions also take place at RIR meetings, which are also open for everyone to participate physically or remotely.

While these discussions occur at a regional level, the Internet itself has no geographic limits and interconnection with networks in other geographic areas is an important precondition for the proper functioning of the Internet. Therefore, participation in RIR discussions of people from other regions is encouraged. Anyone with an interest in the development of RIR policies is allowed and encouraged to participate in the policy-making process.

Transparency
The five RIRs and their communities make every effort to ensure that all interested parties have comprehensive access to relevant information relating to RIR discussions. Transparency is accomplished in the following ways:

• Developments are announced through the mailing lists
• Discussions taking place through the mailing lists are archived in a comprehensive way and are publicly available
• Discussions and developments that take place at RIR meetings are archived and publicly available on the relevant RIR website
• Developments relating to policy are archived and publicly available

Bottom-up process
RIR policy-making processes are designed so that anyone with an interest in participating can do so. Anyone can propose a policy or an amendment to a current policy. Once a participant submits a policy proposal, other participants can submit their comments, support or objection to the proposal. This process adheres to established timeframes within which anyone can submit their feedback to the proposal. If the community needs more time to consider a particular proposal, these timeframes can be expanded.

Consensus
For a policy proposal to become an RIR policy (or amend an existing policy), consensus must be reached. This means that there should not be any arguments or objections that have not been addressed. It is the task of the community leadership (e.g. working group chairs, advisory council members) to assess that all arguments have been addressed and there is wide enough support to declare consensus on the proposed changes.

The IETF has considered the definition of “rough consensus” in RFC 7282: On Consensus and Humming in the IETF.

1.4.2. How much overlap is there amongst the communities of the RIRs?

Each community has its own members and singularity. However, there are a significant number of participants that are active in more than one regional community. Several global stakeholders participate in all five regional communities, either directly or via regional teams. And there are numerous individuals that actively participate in policy discussions in different regions, driven by either business requirements or personal interest.

There is also some overlap in RIR membership: companies who own or operate network infrastructure in more than one region may become members of more than one RIR in order to obtain the addressing resources they require.

2.1. Structure

2.1.1. What is each RIR’s corporate and management structure?

The corporate and management structure of each RIR is described in their bylaws and operational documents as outlined in section 1 of the RIR Governance Matrix (RIR Bylaws and Operational Documents).

2.1.2. Within each RIR, what are the requirements to become a member?

To become a member of an RIR, one must sign an agreement with the relevant RIR, where the specific conditions for each RIR are specified. The membership agreements for each RIR are outlined in section 3 of the RIR Governance Matrix (Contractual Relationship with Members).

2.2. Distribution and registration of Internet number resources

2.2.1 Who defines the way in which RIRs distribute Internet number resources?

The RIRs distribute Internet number resources in line with the policies adopted by the communities in each RIR region. The way these policies are adopted is defined in the Policy Development Process applicable for each RIR region, as outlined in section 2 of the RIR Governance Matrix (Regional Policy Development Processes).

2.2.2. What are the contractual requirements for the distribution and the registration of Internet number resources by RIRs?

Each RIR has different contractual requirements for the distribution of Internet number resources. In principle RIRs distribute Internet number resources to their members but they may also distribute them to non-members. The details of the contractual requirements for each RIR are outlined in section 4 of the RIR Governance Matrix (Terms and Conditions for Internet Number Resources).

RIRs may also register Internet number resources distributed before the creation of the RIR system (historical or legacy resources). The details of the contractual requirements of each RIR for the registration of such resources are outlined in section 5 of the RIR Governance Matrix (Terms and Conditions for Historical Resources).

2.2.3. How do RIRs ensure that their registry is accurate, correct and up-to-date?

RIRs have certain procedure in place in order to perform due diligence checks regarding the registration of Internet number resources and any updates to this registration. The details of the due diligence procedure of each RIR are outlined in section 6 of the RIR Governance Matrix (Due Diligence and Resources Maintenance).

In addition, RIRs perform audits in an effort to ensure that registration data are accurate, correct and up-to-date. RIRs may also facilitate reporting of inaccurate registration data by external parties. The details of the audit procedure of each RIR is outlined in section 7 of the RIR Governance Matrix (Auditing of Internet Number Resource Registration Records).

2.2.4. Under what conditions can RIR deregister Internet number resources?

RIRs may deregister Internet number resources in accordance with each RIR’s procedures as outlined in section 9 of the RIR Governance Matrix (Deregistration of Internet Number Resources).

2.2.5. Under what conditions do RIRs provide access to their “whois” databases? How do RIRs handle abuse and privacy concerns with regards to their “whois” database?

Access to each RIR’s “whois” database is subject to specific terms, which are outlined in section 10 of the Governance Matrix (Use of the whois Database and Privacy issues).

This section also outlines the way each RIR handles abuse and privacy concerns related to the “whois” databases.

2.3. Transparency

2.3.1. How do RIRs ensure their activities are transparent? How do RIRs demonstrate that their activities are supported by the community or their members?

Each Regional Internet Registry is a not-for-profit, membership-based organisation. As such, they are legally required to report on their activities via documents such as Annual Reports and Activity Plans.
Each RIR has its own specific processes for reporting to the community and obtaining community feedback. Annual Reports along with regular reporting at RIR community meetings, and some RIRs also make use of stakeholder surveys and focus groups are used to report to the community, obtain community feedback and determine community feeling on certain issues or organisational initiatives.

Links to these are available in sections 13 of the RIR Governance Matrix
(Budget and Activity Planning).

2.4. Jurisdiction, dispute mechanism

2.4.1. Under what jurisdictions do RIRs operate? How does an RIR’s jurisdiction affect its operations?

Each RIR operates under the sole legal jurisdiction of the economy in which it is based:

AFRINIC: Mauritius
APNIC: Australia
ARIN: The United States of America
LACNIC: Uruguay
RIPE NCC: The Netherlands

RIR operational activities must be in accord with the legislation of the national economy in which it is based. Specific legal areas of particular relevance include data protection legislation and corporate law.

2.4.2. If an RIR violates its own policies and procedures or fails to fulfill its mission, what options does an aggrieved party have available for relief?

Each RIR has appeal or arbitration processes defined in its By-Laws. Links to these for each RIR are included in Section 8 of the Governance Matrix (Disputes regarding Registration of Internet Number Resources).

2.5. Sharing of information with third parties

2.5.1. What type of information do RIRs share with Law Enforcement Authorities (LEAs) and under what conditions?

RIRs may have to share public or non public information with Law Enforcement Authorities. RIRs may outline the way they handle relevant requests by LEAs. Section 11 of the RIR Governance Matrix provides more information about this.

2.6. Third party reviews, audits

2.6.1. How do RIRs manage security issues? What outside, third party review or auditing, if any, is performed on an RIR’s activities and processes?

RIRs may be audited by external parties with regards to their financial activities or their operations. RIRs may also allow third parties to report security incidents with regards to their services. See sections 12 of the RIR Governance Matrix (Security Management and External Auditing).