Remco van Mook

Building a Stable Future for the RIPE NCC

Remco van Mook

12 min read


The RIPE NCC’s mission to support a free, open and global Internet is becoming increasingly demanding. This is raising costs at a time when there is less agreement on how they should be distributed. We need to agree on a roadmap for the decades ahead so the RIPE NCC remains stable and fit for the modern world.

Before I start, let me be very clear – while this article is intended as a call to action, it should not be read as a call for alarm. None of the points I address in this article are in need of urgent fixes. What we do need to do, however, is ensure that these points actually get addressed before they become urgent. At the last RIPE NCC Executive Board meeting, we agreed that it’s time to initiate a quite fundamental discussion on these matters and attempt to find a resolution on some of them – this article is the first step as part of this.

After 14 years on the RIPE NCC Executive Board, even though I’m proud of what we’ve accomplished over the years, I can see that much more pressing work needs to be done. What we need to consider now is the bigger picture about how to move the RIPE NCC forward. The past several years have shown us that we have far outgrown the current structure of our organisation and governance. New pressures in the RIR system and new stakeholders we are accountable to have changed the landscape we operate in. On top of this, the current funding model of the NCC is not sustainable. We now have to sit down and do the hard work of completely reinventing how we manage our membership and our funding, while taking into account how we can mitigate current risks and future-proof the RIPE NCC.

In this article, I want to explain some of the problems we’re facing and the ways that we can solve them. I will also publish more articles soon about other challenges facing the RIPE NCC. My goal is to start a conversation about these deeper questions – not just what you want right now, but where you want to see the RIPE NCC go as an organisation in the long term. And most importantly, how we can get there.

Increased scrutiny, greater responsibility and more requirements

The stakes are much higher for RIRs these days, and so are the risks. We have already seen what happens when an RIR is faced with serious legal and financial challenges through the troubles of our sister RIR, AFRINIC. Their problems should concern us as well, as the five RIRs collectively run a single, joint Internet number registry. Inconsistency anywhere damages the integrity of the whole system. The problems of AFRINIC had many causes, but they ultimately serve as an important reminder to make sure that our own governance is robust enough to withstand these kinds of challenges.

It is especially important that we do so because the Internet is now the domain of many different stakeholders. In the digital age, governments are naturally looking to regulate the Internet and how it affects their citizens' lives. We have seen increasing amounts of legislation proposed and passed in different countries and the EU, as well as guidelines published by international organisations. There has also been a longstanding effort by some governments to assume control of the RIR system. So if we fail to govern ourselves effectively, our failure to do so wouldn’t just be witnessed by the technical community, but by the many stakeholders now involved in Internet governance processes, who would be more than happy for a reason to step in and take over.

Our own system is robust, and something that those of us who have been involved in this over the years ought to take some measure of pride in. Times like these are when that work really pays off. However, problems have arisen as the world has changed outside of our organisation. One significant development is the widening of the group of people we are accountable to, which goes beyond just our members and the RIPE community to also include stakeholders like governments and law enforcement.

These groups have put more demands on us, as we have to meet applicable laws and regulations. At times, this has meant significantly more work, such as when we had to implement in-depth screening processes to comply with EU sanctions. We also must devote more time and effort to staying on top of Internet governance processes and the discussions taking place in different fora to ensure the technical community is not left out of major decisions that would affect our operations and our community.

In addition to this, the requirements we need to meet are also becoming increasingly complex; much of this stems in one way or another from IPv4 exhaustion, which has changed the RIPE NCC’s role from a basic technical administrator to something more akin to a fund manager with responsibility for assets worth over 20B EUR. With this comes new requirements for ensuring the security and stability of operations, as well as being able to deal with significantly increased risk – in terms of both fending off attempts from malicious actors to hijack elements of said 20B EUR assets, as well as limiting risks for legal liability if we make a mistake (which can have serious material impact).

All of the above is raising the stakes, and the cost of doing business for the RIPE NCC. And this is coming at a time where there is less agreement on who should pay for this and how those costs should be distributed.

We have outgrown our corporate structure

While a number of changes in the RIPE NCC's Articles of Association over the last years, such as changing the maximum number of Board members from five to seven, have made it more inclusive, resilient and transparent, it is still very much the same not-for-profit membership association under Dutch law as it was when it was incorporated in 1997 after being spun out of RARE.

The RIPE NCC was set up by the RIPE community, represented by a group of Contributors who had been, until then, funding its activities. Back then, the budget of the RIPE NCC was under 2M EUR (or ECU as it was then called), the total number of Contributors was under 1,000, and there were about 30 employees. Importantly, the role of the RIPE NCC was to administer community-set policy in an Internet without much government involvement, EU regulations or sanctions and with a monetary value of 0 EUR associated with the number resources they were administering.

Without turning this into too much of a history lesson, the decision to set up the RIPE NCC as a membership association and not some other legal structure was ultimately based on reducing potential tax liabilities and cost. Fast-forward to today, the RIPE NCC has around 21,000 paying LIRs, an annual budget of around 40M EUR and around 190 staff. It also now manages number resources that, in the aggregate, are worth around 20B EUR.

On top of all this, our mission to support a free, open and global Internet has become more and more demanding. Beyond simply keeping a registry, we have other commitments including being a Trust Anchor in the RPKI system, offering data, measurements and tools to help network operators run safer, faster, more resilient networks, providing training to operators and new LIRs, carrying out workshops for capacity building, hosting events for Internet stakeholders to meet and discuss important issues, serving as the RIPE secretariat, and more.

However, we are seeing less agreement among members about what services the RIPE NCC should offer and who should pay for them. Part of this is due to the changing membership, which is now more diverse and less homogenous in its priorities and perspectives than those 1,000 Contributors were back in 1997. The split between those members who have plenty of IPv4 and those who do not is a big part of this, and we are currently seeing the effects of this tension playing out in the present Charging Scheme discussion.

Many of these newer members perceive their situation to be relatively unfair when compared to older members with large amounts of IPv4 (which not only enables them to provide connectivity, but can increasingly be registered on the balance sheet as an asset). Newer members therefore increasingly object to paying the same as larger, older members. This is understandable, but it creates problems when we consider the stability of the RIPE NCC and its ability to carry out its strategy. Some members also seem to want a funding model in which they can pick and choose which services to pay for under different subscription models, so they can simply lease IP addresses and leave the rest of the RIPE NCC’s services for other members to finance.

Of course, we understand that most of our members simply want resources so they can get on with the real work of running their networks. But they are not paying to run a database - they are funding the entire RIR system and the shared commons the whole Internet runs on. Nobody else will pay to manage this system but governments, and members might not like the outcome if governments were to take over.

To avoid this scenario, the RIPE NCC needs lawyers and specialist staff who understand the registry. It needs information security specialists and developers to maintain the LIR Portal, security audits to demonstrate to external parties that the RIPE NCC has its house in order and shouldn’t be regulated, and so on. We also need to trust the professionals we hire to do their jobs properly and make solid decisions in the absence of clear guidance from the community. Every part of the RIPE NCC contributes to the health of the registry in different ways. And the RIPE NCC has always been more than just a registry. It is an important part of the overall Internet ecosystem, accountable to the RIPE community, to the governments in our service region and to the global system of Internet governance and Internet operations.

So how do we pay for all this?

The RIPE NCC recently published our draft Charging Scheme proposals for 2025. This has kicked off a lively discussion on our Members Discuss mailing list, as members debate the various models and the rationale behind them. What is disappointing is that we see much of the same points being debated that were raised last year.

Going forward, we can’t keep having the same discussion and the same lack of clarity from RIPE NCC members about what they want and how. We need their buy-in before we can plan for the future and design a RIPE NCC that is fit for the modern world. We also need to ensure that the RIPE NCC can continue to offer the services that are essential to meet its five-year strategy already in place.

After the failed attempt to introduce a category model in the Charging Scheme last year, we’re stuck with a model that served us well through the surge in LIRs in the last decade but is increasingly problematic as we look ahead. Following the runout of IPv4, we have endured swift LIR consolidation, drastically reducing our income. Alongside this, sanctions and banking restrictions are preventing us from collecting several million EUR in owed membership fees. Meanwhile, costs have increased even beyond inflation. In the current model, either the remaining members will have to be willing to cover a larger chunk of the costs, or costs will have to be cut by double-digit percentages, which will deal a blow to the RIPE NCC’s stability and its ability to carry out its mission and strategy.

More fundamentally, the NCC is bound by current policy to make distinctions between different kinds of resource holders - LIR, Legacy and Provider Independent. Most of these differences in flavour have zero remaining operational relevance, yet they do enforce a structure in which the NCC is forced to engage with resource holders. With the contractual chain for all types of resource holders already clarified and the registration data simplified, it should be possible to also come up with new models to improve the engagement of the NCC with the industry and, importantly, provide a way to better distribute costs.

Going forward, the RIPE NCC membership must commit to coming up with a stable and sustainable funding model for the organisation. We must find a way to have number resource holders fairly contribute – both towards maintenance of the registry itself and the commons it resides in. On our end, the RIPE NCC’s Executive Board and management team need to go back to first principles and, with the realities of today, design a new structure for the organisation that adequately addresses the sustainability of the organisation.

More of the same is no longer enough

We need to define a viable roadmap for the decades ahead, or someone else will define it for us, which we can be fairly certain will be worse than the current situation. There’s homework for a lot of stakeholders here - the RIPE community, the RIPE NCC membership - and the RIPE NCC Executive Board.

As I mentioned above, this article is simply an attempt to get this conversation started in broad terms. The plan is to discuss this in person during RIPE 88 later in May - I also hope to get a slot for a BOF on this topic from the RIPE Program Committee. But ahead of that, myself and my colleagues on the Board and at the RIPE NCC want to hear from both members of the RIPE NCC and others in the Internet community. I will share this article on a number of Working Group mailing lists and members-discuss, and we can start the discussion on the RIPE mailing list.

We have a long road ahead. But once we tackle these foundational issues, we can get back to our work with the confidence that the RIPE NCC is well-prepared for the years to come. We’ve done this before; we can do it again.


About the author

Remco van Mook Based in The Netherlands

Technology executive with a passion for Internet and how the pieces come together - going down that rabbit hole for 25+ years. Prolific policy author, current chair of the Connect working group in the RIPE community and board member of RIPE NCC since 2010.

Comments 7