IPv4 scarcity: Why 700+ LIRs are stuck waiting


With 713 Local Internet Registries stuck on the IPv4 Waiting List, the RIPE NCC confirms that address scarcity is now a hard operational constraint.

Relying on legacy allocation models without reliable RPKI CA validation invites routing chaos as IPv4 exhaustion reaches critical levels. Network operators must transition from theoretical security to active vulnerability management to protect their infrastructure. This article details the mechanics of ASPA protocols and explains why Route Origin Authorizations currently cover only a fraction of global address space.

Policy ripe-847 mandates the revocation of non-functional certificates to reduce Relying Party workloads. We examine the stark contrast in security adoption: while ROAs protect 76% of IPv4 space, IPv6 coverage lags significantly behind. Finally, the analysis covers practical steps for implementing routing security while navigating the complexities of IPv6 deployment models like IPv6-Only versus IPv6-Mostly.

The Critical State of IPv4 Exhaustion and IPv6 Deployment Models

Defining the 0.0005 /8s Reality and Recycling Model

The RIPE NCC IPv4 pool sits at exactly 0.0005 /8s. This number signals the end of standard allocations. Networks must pivot to IPv6 architectures immediately. Returned addresses now feed a waiting list rather than a free pool. Exactly 713 LIRs wait on that list today. The first entity in line has waited 441 days. New Local Internet Registries entering this system face tight constraints that fundamentally alter network design. Dual-stack implementations now depend on the secondary market for legacy connectivity, where 1,913,088 IPv4 addresses were transferred in May alone.

This shift creates friction between maintaining IPv4 compatibility for legacy clients and the economic reality of acquiring addresses. IPv6-only architectures eliminate address scarcity yet require strong translation mechanisms for remaining IPv4-dependent services. Optimizing existing IPv4 resources through strict internal policing yields better immediate returns than purchasing expensive new blocks. Growth strategies must focus on efficiency and address reuse rather than expansion. Routing security evolves alongside these changes, with 76% of IPv4 address space and 44% of IPv6 address space now covered by Route Origin Authorizations (ROAs).

Strategic Infrastructure Sovereignty via EU Cloud Exit

Digital sovereignty mandates that critical internet infrastructure operates independently from foreign legal jurisdictions to guarantee service continuity. Recent community discussions highlight how digital sovereignty raises legitimate questions about dependency, durability, and control. Building capacity and meaningful choice strengthens the Internet. However, pursuing control over the common layer that keeps the global Internet interoperable introduces risk.

This concept drives the RIPE NCC to execute a strategic exit from US-based cloud hyperscalers between 2026 and 2028. The initiative, valued at €5M, specifically targets compliance with the EU's NIS2 directive while mitigating geopolitical supply chain risks.

IPv6-only vs IPv6-mostly Deployment Strategies

IPv6-only and IPv6-mostly architectures serve different environments. These models are not interchangeable. Legacy IPv4 paths often possess stronger origin validation than newer IPv6 deployments. The RIPE NCC has implemented policy ripe-847, "Revocation of Persistently Non-functional Delegated RPKI CAs," providing a mandate to revoke resource certificates associated with long-term non-functional delegated Certificate Authorities to reduce Relying Party workloads.

Migrating to IPv6-only introduces operational considerations when external partners lack comparable RPKI maturity. Lower adoption rates of route origin authorizations in IPv6 environments mean traffic may traverse unvalidated paths more frequently than in IPv4. Network architects must maintain strong filtering policies regardless of the chosen deployment model. Policy evolution continues to shape decisions. Policy proposal 2024-01, "Revised IPv6 PI Assignment Policy," advances to the Review Phase. Matching the right approach to the right use case matters. Abandoning IPv4 entirely before security parity is achieved exposes networks to potential hijacking on less-secured IPv6 segments. InterLIR assists clients in optimizing these hybrid configurations to maximize available resources. Unused IPv4 assets bridge the gap until global validation metrics align.

Mechanics of Routing Security via RPKI and ASPA Protocols

ROA Coverage Mechanics and Validation States

Route Origin Authorizations define the specific mapping between an IP prefix and an authorized Autonomous System number. Routers evaluate this cryptographic binding to assign one of three validation states: Valid, Invalid, or NotFound. When a BGP announcement lacks a matching ROA, the route is classified NotFound, an ambiguous state that many networks still accept by default. This reliance on implicit trust creates a vulnerability chain where unverified paths bypass security filters intended to block hijacks. Validating these records requires operators to actively fetch and parse certificate chains from RIR repositories.

A new policy, ripe-847 "Revocation of Persistently Non-functional Delegated RPKI CAs," has been implemented to mandate the revocation of resource certificates associated with long-term non-functional delegated Certificate Authorities, a measure designed to reduce Relying Party workloads. Without verified origin attestations, traffic engineering efforts may fail silently as peers filter unattested announcements. A series of vulnerabilities reported through the RIPE NCC bug bounty programme revealed weaknesses across multiple services. Secure your current IPv4 assets by ensuring every announced prefix has a corresponding, non-expired authorization object.

ASPA Functionality for Path Hijacking Prevention

Operators can now visualize ASPA validation outcomes using a dedicated tool built to inspect path authorization logic on live networks. This utility allows engineers to simulate how specific AS path segments would be treated if strict filtering policies were enforced today. Unlike origin-only checks, this mechanism validates the entire chain of custody between the source and the receiver.

The core workflow involves providers publishing signed records authorizing which customers may announce prefixes through their infrastructure:

  1. An upstream provider generates a cryptographic signature for authorized downstream peers.
  2. Routers fetch these records to build a local authorization database.
  3. Incoming updates are cross-referenced against this list before acceptance.

| Validation Result | Action Required |
| --- | --- |
| Valid | Accept the route update |
| Invalid | Reject the announcement |
| NotFound | Apply default policy |

Adoption remains uneven across networks, leaving gaps in the global validation mesh. A network operating without these records remains vulnerable to sophisticated inter-domain leaks that bypass standard origin checks. This proactive stance secures the limited IPv4 assets you currently manage against increasingly complex hijacking attempts.

Vulnerability Chains in Routing Security Services

Weaknesses across multiple services often link together to form dangerous vulnerability chains that compromise routing infrastructure. The RIPE NCC addressed these issues and analyzed the handling of complex security reports spanning teams and systems. Addressing such risks demands more than patching individual bugs; it requires understanding how a failure in one service enables attacks on another. Operators must recognize that routing security depends on the weakest link in this chain, not the strongest protocol.

  1. Identify cross-service dependencies in your BGP announcement validation flow.
  2. Map how certificate authorities interact with latency monitoring tools.
  3. Simulate failure scenarios where one compromised service triggers broader outages.

Fixing a single vulnerability often leaves the chain intact if upstream or downstream services remain unpatched. This reality makes complex security reports critical for understanding full attack surfaces. Without complete analysis, operators risk false confidence in their network durability. The tool LatencyMON has been rewritten from the ground up with a refreshed interface and new methods to group and explore RIPE Atlas latency data.

Operationalizing Routing Security and Vulnerability Management

Application: RPKI Deployment Mechanics and Validation States


Deploying Resource Public Key Infrastructure starts by publishing signed Route Origin Authorizations that cryptographically bind your IP prefixes to specific Autonomous System numbers. Routers then fetch these records from trust anchors to assign one of three validation states: Valid, Invalid, or NotFound. When an announcement lacks a matching ROA, it falls into the NotFound category, which many networks still accept by default despite the inherent risk. This reliance on implicit trust creates a vulnerability chain where unverified paths bypass security filters intended to block hijacks.

Industry analysis highlights a continued emphasis on enhancing routing security through RPKI to prevent hijacking, reflecting a shift where registries become active participants in routing hygiene. However, validation only works if operators actively configure their routers to reject Invalid routes rather than just logging them. Without this final enforcement step, the cryptographic signatures provide visibility but no actual protection against misconfiguration.

  1. Generate a key pair within your RIR portal.
  2. Create a ROA specifying the prefix and max length.
  3. Configure your router to fetch and enforce the RPKI data.

While the majority of IPv4 space now has some coverage, the operational value remains zero until networks enforce the data they collect.
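
The three validation states and the enforcement gap described above can be reproduced offline. The following is an added example, not code from the RIPE NCC or from this article's author: it classifies announcements with the RFC 6811 origin-validation rules and compares a log-only policy with one that rejects Invalid routes. The sample ROA payloads, the announcements and the `decide` policy (NotFound always accepted) are constructed assumptions using documentation prefixes and AS numbers.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA payload: covering prefix, maxLength, authorized origin AS."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample data: documentation prefixes (RFC 5737, RFC 3849)
# and documentation AS numbers (RFC 5398). Not real ROAs.
VRPS = [
    VRP("192.0.2.0/24", 24, 64500),
    VRP("198.51.100.0/24", 24, 64501),
    VRP("2001:db8::/32", 48, 64500),
]

ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),       # matches its ROA
    ("192.0.2.0/24", 64511),       # covered, wrong origin AS
    ("198.51.100.128/25", 64501),  # right origin, longer than maxLength
    ("203.0.113.0/24", 64502),     # no covering ROA at all
    ("2001:db8:1::/48", 64500),    # IPv6, within maxLength
]


def validate(prefix, origin, vrps=VRPS):
    """Classify a route per RFC 6811 as Valid, Invalid or NotFound."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # Only VRPs of the same address family that cover the route count.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # AS0 VRPs never match; they exist to mark space as not routable.
        if vrp.asn != 0 and vrp.asn == origin and route.prefixlen <= vrp.max_length:
            return "Valid"
    return "Invalid" if covered else "NotFound"


def decide(state, enforce):
    """Assumed policy: NotFound is always accepted (the common default);
    Invalid is dropped only when enforcement is on, otherwise just logged."""
    return "reject" if state == "Invalid" and enforce else "accept"


def audit(announcements=ANNOUNCEMENTS, enforce=True, vrps=VRPS):
    """Return (prefix, origin, state, action) for each announcement."""
    rows = []
    for prefix, origin in announcements:
        state = validate(prefix, origin, vrps)
        rows.append((prefix, origin, state, decide(state, enforce)))
    return rows


if __name__ == "__main__":
    for enforce in (False, True):
        print(f"--- enforce Invalid rejection: {enforce} ---")
        for prefix, origin, state, action in audit(enforce=enforce):
            print(f"{prefix:20} AS{origin:<6} {state:9} {action}")
```

With enforcement off, both Invalid announcements are accepted alongside the Valid ones; the NotFound route is accepted in either mode, which is why an audit should list NotFound prefixes you originate as ROA gaps.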

Deploying ASPA Tools and LatencyMON for Network Visibility

Engineers now visualize ASPA logic using a dedicated tool to inspect path authorization on live networks. This utility simulates how specific AS path segments behave under strict filtering policies before production enforcement. Unlike origin-only checks, this mechanism validates the entire chain of custody between source and receiver. However, widespread adoption faces friction because only a fraction of tier-2 operators currently publish the necessary upstream lists. The cost is measurable: networks skipping this coordination risk rejecting valid traffic once peers enable default-deny policies.

Simultaneously, the rewritten LatencyMON offers a modern interface to group RIPE Atlas data more effectively. Operators can isolate latency spikes correlated with routing changes to distinguish physical congestion from protocol failures. Training resources, such as the BGP Routing Security course, provide necessary context for interpreting these complex datasets correctly. Without such context, teams may misattribute performance degradation to hardware limits rather than misconfigured security policies.

| Feature | Legacy Approach | Modern Tooling |
| --- | --- | --- |
| Data Grouping | Static time-ranges | Flexible path attributes |
| Codebase | Deprecated libraries | Secure, refreshed core |
| Visibility | Limited to ROAs | Full ASPA simulation |

Practical deployment requires treating security reports as systemic indicators rather than isolated bugs. Vulnerability chains often span multiple services, meaning a fix in one area might expose weaknesses in another. Proactive monitoring reveals hidden dependencies that standard uptime checks miss entirely.

Vulnerability Reporting Chains and Bug Bounty Workflows

Effective vulnerability reporting starts by establishing a clear path for cross-team coordination when flaws span multiple systems. Complex security incidents often link separate weaknesses into dangerous chains that single-department fixes cannot resolve.

| Report Scope | Primary Risk | Required Action |
| --- | --- | --- |
| Single Service | Localized exploit | Patch and verify |
| Multi-Service | Vulnerability chain | Coordinate response |
| Routing Logic | Path hijacking | Validate AS path |

A bug in one service frequently enables attacks on another, creating systemic exposure beyond isolated code errors. The RIPE NCC bug bounty programme recently highlighted these risks by exposing how interconnected flaws require unified handling across distinct technical teams. Organizational silos create the real bottleneck: one group patches a hole while another remains unaware of the triggered cascade. This fragmentation allows routing security gaps to persist even after individual components are secured. Establishing a unified workflow ensures that fixing one node does not leave the wider BGP announcement infrastructure exposed to chained exploitation. Training resources help operators understand these dependencies, such as upcoming sessions on BGP Routing Security that address operational competence.

Strategic Community Engagement and Organizational Governance

Defining the RIPE 93 Hybrid Participation Model

Sofia, Bulgaria, hosts RIPE 93 from 26-30 October 2026 as a hybrid gathering accepting physical and remote talks. This dual-track design lets network operators share technical results from afar while keeping a central spot for face-to-face dialogue. The format clearly separates main hall activities from the distributed local hub tests of previous years.

  • In-person track: Centers on direct peering deals and working group consensus inside the Sofia venue.
  • Virtual track: Permits global input on papers and policies without travel hurdles.
  • Local hubs: Expand reach by gathering regional clusters that link remotely to the primary session.
  • Hybrid coordination: Bridges the gap between remote viewers and onsite attendees.
  • Community access: Lowers barriers for those unable to travel internationally.

Three local hubs at RIPE 92 showed how organizers in Bulgaria, Türkiye, and Poland brought the meeting experience closer to home. Virtual attendance sometimes limits spontaneous policy chats during hallway tracks, creating a potential gap in consensus building for complex routing proposals. Operators choose their mode based on whether broad knowledge transfer or deep diplomatic engagement is the goal. This approach helps teams maximize return on investment for travel while keeping the wider community informed.

Executing Presentation Submissions for RIPE 93 Plenary

Operators start the submission workflow by visiting the Call for Presentations portal before the 14 August 2026 deadline. This strict cutoff allows the program committee to curate a balanced agenda for the hybrid event in Sofia.

  • Select a preferred delivery mode: physical presence or virtual remote access.
  • Draft an abstract focusing on practical IPv4 optimization or routing security findings.
  • Submit the proposal through the official online registration interface.
  • Prepare backup plans for potential connectivity issues during remote slots.

The process accommodates diverse participation styles, allowing experts to share insights from any location while maintaining high technical standards. Remote speakers use dedicated streaming setups to engage with the audience in real time. Virtual presenters often face higher scrutiny regarding audio clarity and slide readability compared to their on-site peers. Technical glitches during a remote talk can disrupt the flow more severely than minor hiccups in a physical hall.

| Feature | In-Person Track | Virtual Track |
| --- | --- | --- |
| Networking | Direct peering talks | Chat room only |
| Setup | Venue provided | Self-managed |
| Visibility | Main stage focus | Screen share view |

Community engagement thrives when members actively contribute operational experiences to the global dialogue. Successful proposals often highlight specific challenges in maintaining network availability amidst resource constraints. Engineers help the wider community navigate modern internet infrastructure complexities by sharing these real-world scenarios without relying on unverified assumptions.

Local Hub Durability Focus Versus Main Meeting Governance

The RIPE NCC Days Baltics meeting in Riga prioritized operational durability following repeated regional network disruptions. This specialized technical focus contrasts sharply with the broad organizational mandates decided at General Meetings. Local hubs allow engineers to troubleshoot specific infrastructure threats, while the main assembly determines fiscal policy and strategic direction through member voting.

| Feature | Local Hub Focus | General Meeting Focus |
| --- | --- | --- |
| Primary Goal | Technical durability | Organizational governance |
| Output | Operational strategies | Binding resolutions |
| Scope | Regional challenges | Global policy |

Operators seeking to join these discussions often start by engaging with a local Network Operator Group (NOG). These communities provide the core support needed to understand complex routing security before attending substantial events. Participation in these groups is necessary for preparing effective contributions to broader policy debates.

A tension exists between immediate technical survival and long-term governance planning. The May 2026 General Meeting saw unusually high participation, resulting in one of the closest votes in recent years regarding fee structures and activity plans. Local groups handle daily outages, yet the main meeting dictates resources available for future stability. InterLIR advises network operators to balance attendance at both venues to ensure their practical IPv4 optimization needs align with evolving community standards. Ignoring either sphere leaves an organization vulnerable to both technical failures and unfavorable policy shifts.

About

Vladislava Shadrina, Customer Account Manager at InterLIR, is uniquely positioned to analyze the latest RIPE NCC member update regarding RPKI CA and IPv4 statistics. In her daily role managing client relations within the IP resource marketplace, she directly observes how Route Origin Authorizations (ROAs) impact the security and transferability of IP blocks for businesses globally. Her work involves guiding clients through the complexities of LIR account management and verifying IP quality, making the data on IPv4 Waiting List delays and address transfers immediately relevant to her strategic advice.

As new Local Internet Registries face wait times exceeding a year, the cost of inaction shifts from simple exposure to active misalignment with community governance. Engineers cannot rely solely on local hub durability when global policy dictates the resources available for future stability. The current environment demands that organizations treat cryptographically verifiable attestations as a baseline operational requirement rather than an optional upgrade.

Organizations holding unvalidated legacy space must immediately submit validation data before their next scheduled transfer or peering expansion. Waiting for a crisis to trigger this process invites unnecessary risk during an era of tight fiscal scrutiny and close voting margins. Start this week by cross-referencing your current IP holdings against the allocation hierarchy to identify any gaps in your Route Origin Authorizations. This specific audit ensures your technical reality matches your legal standing before policy shifts alter the fee structures governing these assets. Balancing immediate outage response with long-term compliance protects your network from both technical failure and administrative obsolescence.

Frequently Asked Questions

Ignoring validation invites routing chaos as address scarcity becomes a hard constraint. Currently, only 76% of IPv4 space has protection, leaving significant room for hijacks.

IPv6 coverage lags significantly behind IPv4 adoption rates globally. While 76% of IPv4 space is protected, only 44% of IPv6 addresses currently utilize Route Origin Authorizations.

Policy ripe-847 mandates revocation for long-term non-functional delegated Certificate Authorities. This action reduces workloads for Relying Parties who must process fewer invalid or stale cryptographic attestations.

These deployment models serve different environments and are not interchangeable. Legacy IPv4 paths often possess stronger origin validation than newer IPv6 deployments do today.

The policy addresses the burden on Relying Parties processing stale data.
