IP Legacy Space Explained
It is estimated that around 35% of all IPv4 addresses make up the legacy IP space. What is it and how is it used?
In the early 1980s, it was common for the Internet Assigned Numbers Authority (IANA) to allocate organizations large quantities of IPv4 addresses. As a result, some companies now possess millions of IPs that are not visible on the internet or that no one uses.
Since IPv4 addresses became a commodity, many organizations have been reluctant to disclose the ownership of unadvertised IPs. The reason behind this unwillingness is fear of losing the IPs.
Meanwhile, Regional Internet Registries (RIRs) are trying to locate these resources to mitigate the IPv4 address shortage. However, the RIRs face difficulties when they attempt to contact the holders of early registrations, also known as legacy IP space.
Continue reading to learn what legacy IP space is and how RIRs are trying to reclaim it.
What is legacy IP address space?
Legacy address space is the IPv4 address space distributed before the establishment of the RIR system.
In 1993, the National Science Foundation and Network Solutions Inc. developed the InterNIC project in an attempt to separate network support for the commercial internet from the U.S. Department of Defense.
InterNIC services provided the registration of IPv4 addresses, domain names and autonomous system numbers (ASNs). Before then, IANA allocated IPv4 addresses.
InterNIC made sure to adhere to the internet community standards when it directly allocated IP address blocks to ISPs (internet service providers) and certain end users. However, there was no contractual agreement between the registries and legacy resource holders.
Eventually, RIR communities began discussing how to manage IPs and ASNs at a regional level. As a result, the Regional Internet Registry system emerged.
RIPE NCC was the first RIR to emerge, in 1992. APNIC followed in 1993, ARIN in 1997, LACNIC in 2002 and, finally, AFRINIC in 2004. All act as independent nonprofit corporations authorized to administer the IPv4 address space and maintain the records within their service regions.
Even though the legacy IP space assignments occurred prior to the inception of the RIRs, the RIRs quickly assumed full responsibility for them.
Reclaiming IP legacy space
The legacy IPs account for about 35% of the total IPv4 address space. However, many legacy block holders have many unused or unadvertised IPv4 addresses. To make sure that IPs do not go to waste, RIRs attempt to retrieve them.
In 2010, RIPE NCC looked through all legacy internet number resources to see if they were routed on the internet. They found that around 730 /16s of the IPv4 address space held by 400 organizations were not visible on the global routing table.
The registry decided to contact legacy resource holders and ask if they were willing to return the unused space. Of these, 160 updated the information in the RIPE Database and 16 address holders returned the address space to RIPE NCC.
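The routing-visibility check described above can be reproduced by an organization against its own holdings. The following is an added example, not RIPE NCC's tooling or code from the original article: the prefixes are constructed sample data from reserved ranges, and the function names `unrouted_space` and `audit` are hypothetical.

```python
import ipaddress

# Constructed sample data: reserved ranges stand in for legacy blocks,
# and ANNOUNCED stands in for a snapshot of prefixes seen in the routing table.
LEGACY_BLOCKS = ["10.0.0.0/8", "172.16.0.0/12", "198.18.0.0/15"]
ANNOUNCED = ["10.0.0.0/9", "10.200.0.0/16", "172.16.0.0/12", "10.128.0.0/24"]


def unrouted_space(block, announced):
    """Return the sub-prefixes of `block` not covered by any announced route."""
    remaining = [ipaddress.ip_network(block)]
    routes = ipaddress.collapse_addresses(
        ipaddress.ip_network(r) for r in announced)
    for route in routes:
        next_remaining = []
        for net in remaining:
            if route.supernet_of(net):
                continue  # this piece is fully covered by the route
            if net.supernet_of(route):
                # Carve the announced part out, keep the rest.
                next_remaining.extend(net.address_exclude(route))
            else:
                next_remaining.append(net)  # no overlap
        remaining = next_remaining
    return sorted(ipaddress.collapse_addresses(remaining))


def audit(blocks, announced):
    """Summarise unannounced space per block, in addresses and /16 equivalents."""
    report = {}
    for block in blocks:
        gaps = unrouted_space(block, announced)
        addresses = sum(g.num_addresses for g in gaps)
        report[block] = {
            "unrouted": [str(g) for g in gaps],
            "addresses": addresses,
            "slash16_equiv": addresses / 65536,
        }
    return report


if __name__ == "__main__":
    for block, info in audit(LEGACY_BLOCKS, ANNOUNCED).items():
        print(f"{block}: {info['slash16_equiv']:.2f} /16s unrouted")
        for gap in info["unrouted"]:
            print(f"  not announced: {gap}")
```

Blocks that show up here with unannounced space are the ones whose registration contacts most need to be current.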
In 2020, APNIC found around 50 million IPv4 addresses. The majority were allocated to organizations under previous policies but were never put to use. Around 370,000 addresses were allocated for reasons that are no longer considered valid. Another 2.3 million were issued before APNIC was authorized to assign IPv4 addresses and can be distributed again because they have not been used for a sufficiently long period.
The primary reason why RIRs are trying to reclaim the IP space is the exhaustion of IPv4 addresses. The original architecture of the fourth version of the Internet Protocol contains 4.3 billion possible addresses. While in the early days of the internet it seemed like a sufficient amount, the growing number of users, always-on devices, mobile devices and virtual machines led to the depletion of the IPv4 pool.
How does IPv4 exhaustion affect legacy holders?
Many legacy holders understand the value of scarce IPv4 resources and return the unused IPs themselves. RIPE NCC lists these reasons why legacy IPv4 addresses come back to them:
- Sense of responsibility
- End of business
- Merger/acquisition of networks
- No need for IPs
If IPv4 resources are so scarce, can the American Registry for Internet Numbers, Asia Pacific Network Information Center and other RIRs track down IP holders and reclaim unused IPs without their approval?
In North America, this has been a major concern since ARIN introduced a Legacy Registration Services Agreement (Legacy RSA or LRSA) program in 2007.
ARIN’s Legacy Registration Services Agreement
Every organization that obtained IPv4 addresses after 1997 – after ARIN’s inception – had to agree to the resource utilization policies by entering into a Registration Services Agreement (RSA). By imposing the Legacy RSA, ARIN attempted to merge legacy and non-legacy IP allocation policies.
The signing of the agreement is completely voluntary, and those who refuse to sign it continue to receive these services and benefits from ARIN:
To encourage legacy holders to enter the Registration Services Agreement, ARIN assured these services and advantages:
- Resource Public Key Infrastructure (RPKI)
- DNS Security (DNSSEC)
- Internet Routing Registry (IRR)
- Resources listed on ARIN’s Specified Transfer Listing Service
- Reduced or waived fees
ARIN guaranteed the grandfathering of certain protected rights, such as continued use of IP address services like in-addr and Whois listings with no extra charge. In addition to that, ARIN offers reduced annual fees compared with those of ARIN’s regular IP address holders and future fee waivers for those who return the unused IPv4 address space.
Despite the added benefits, the LRSA states that applicants must waive any and all claims of ownership in their IP addresses. While this part of the agreement is concerning, ARIN stated publicly that it has no intention to reclaim unused IPs.
In fact, the RIR later updated the agreement to make it clearer and gave the reassurance that “ARIN does not have contractual authority to take any adverse action against an LRSA holder if they are not currently using their legacy resources.”
Why should legacy IP holders worry about outdated Whois records?
The same rules apply to owners who choose to update their Whois records. In other words, ARIN does not take away the IPs with a legacy status when someone updates the records.
As a matter of fact, ARIN encourages every organization to update Whois records for these two important reasons:
- IP hijacking
- IP transfers
Out-of-date Whois records have become a prime target of cybercriminals with an interest in hijacking IP addresses. According to ARIN, 53% of the roughly 25,000 legacy networks registered in ARIN’s Whois have either no associated Point of Contact (POC) or a POC that has never been verified by ARIN (referred to as an Invalid POC). Hijackers often use these stale records for illegal activities such as spamming and spoofing.
Another thing to note is that updated Whois information is useful when transferring unused resources to other organizations. Before IPv4 addresses can be transferred, ARIN staff need to find and verify the correct and up-to-date Whois information.
The exhaustion of the IPv4 address pool has encouraged RIPE NCC, ARIN and other members of the regional registry system to find unused legacy address space allocations. Once RIRs locate these resources, they contact resource owners and ask them to either return IPv4 addresses originally assigned to them or begin advertising them.
Unfortunately, organizations with large quantities of unused IPs assigned to them are often unwilling to disclose the ownership due to the fear of losing the resource. Some are even reluctant to update Whois information, which leaves their resources vulnerable to hijacking.
Ultimately, RIRs aren’t forcefully revoking legacy IP addresses. They only reclaim the resource once they find that someone violated the registration policies, for instance when IPs are assigned without a valid reason or when they are not put to use.