AFRINIC is the Regional Internet Registry (RIR) for Africa: a nonprofit, nongovernmental Internet governance organization. Like RIPE, ARIN, APNIC and LACNIC, it operates a registry for unique internet protocol (IP) numbers that serve as network addresses. The registry records which organizations hold rights to which IP address blocks on that continent, and it also operates processes for members that set policies governing the allocation and assignment of IP addresses. AFRINIC was the last RIR to be created and came late to the Internet party. It has only ever held about 2% of the IPv4 address space. Compare that to the 40% that was distributed directly to organizations (mostly in North America) prior to the existence of RIRs; the 17% in Asia-Pacific; the 14% in Europe and North America, and the 3.5% in Latin America.
On July 13. AFRINIC’s bank accounts were provisionally frozen by court order, crippling its operations. The Supreme Court of Mauritius ordered up to $50 million USD in the RIR’s bank accounts frozen as a result of a contractual dispute with Cloud Innovation, a member organization that has been the recipient of rights to millions of IPv4 numbers from AFRINIC. The result is a crisis that threatens the viability of one of the Internet’s regional registries.
AFRINIC has been at the center of a number of organizational controversies in the past five years. For some, it is hard not to see its current legal travails as yet another demonstration of the organization’s corruption and incompetence. But in fact, this crisis was caused by its attempt to clean up its act. If AFRINIC is guilty of anything in this case, it is an overly aggressive assertion of policy righteousness based on bad policy ideas, which blew up in its face. This report lays out the facts and analyzes the situation.
TL;DR here is the conclusion we ultimately reach:
AFRINIC’s attack on Cloud Innovation was an overreaction to its past problems and was undertaken without appropriate risk management. While it may have a case, the principle it is fighting for – that usage of the numbers it hands out must be confined to the African region – is based on false premises. AFRINIC numbers are a drop in the bucket compared to what Africa will need to develop.
Cloud Innovation, faced with an existential threat to its business, also over-reacted with what can only be called legal terrorism. Its lawyers’ moves were designed to destroy AFRINIC rather than to preserve its legitimate business interests in a contractual dispute.
The performance of the Mauritius Supreme Court so far was less than optimal, too; it allowed crippling sanctions to be put in place before it heard any detailed evidence. It was right to order injunctions to maintain the status quo, but the bank account freeze is questionable.
The breakdown has led some in the region to call for unspecified forms of government intervention. This means political action, not courts and law. If heeded, political interventions will lengthen the dispute and make the situation even more chaotic. A resolution involving a governmental takeover of the RIR would require either national legislation (creating jurisdictional problems) or intergovernmental treaties, which would take years and is unlikely to result in agreement.
At the end of this piece we describe what must happen next to resolve this situation.
Economic and structural causes
The Internet Protocol version 4 (IPv4) standard allows for only about 3.7 billion unique numbers generally available for connecting devices to the Internet. Its capacity can no longer accommodate the growing number of networks and devices. The Internet’s standards development organization came up with IPv6, a new network protocol with a much larger address space, to solve this problem back in the late 1990s. IPv6 suffered from a fatal flaw, however: it was not backwards compatible with the older standard. So if you want a globally compatible internet, you have to run both protocols until practically everyone else runs IPv6 too. This means that as the Internet grows, the demand for more IPv4 numbers does not go away. But where does one find more numbers? The simple answer is that one must buy the rights to them from someone who already has them, in what is known as the transfer market. As a result of this market, we know the value of IP addresses and can more efficiently conserve and allocate them. People who don’t need them sell them; people who need them are buyers. The price of IPv4 numbers in the transfer market has gone from about $8/individual address in 2017 to $30/individual address now. That means that the rights to a “/16” address block of 64,000 numbers, considered the building block of larger organizational networks, could be worth about US$2 million.
Long before this rise in the economic value of IPv4 addresses, the Internet community allocated four “/8” address blocks – each with 16.7 million individual IP addresses – to AFRINIC. From the beginning of 2015 until March of 2017, AFRINIC was the only region in the world with a large pool of previously unoccupied IPv4 numbers that could be given out to its members for nominal administrative fees. There was, therefore, a huge disparity between the global market value of AFRINIC’s IPv4 numbers, and the low price available to AFRINIC members. This created an arbitrage opportunity. Nothing about this controversy makes sense unless these two basic economic factors are understood: 1) the rising value of IPv4 numbers, and 2) the Internet community’s attempt to erect a regional border around a part of the IPv4 address pool (Africa’s) that would be given out at fees well below their market value.
The arbitrageur
Heng Lu is a Chinese entrepreneur who has participated in the IP address market in multiple regions. For a while he benefited from RIPE’s liberal policies, which allowed any member to get blocks of 1024 IPv4 numbers merely by joining RIPE. They could then use the address resources without any geographic restriction. But in AFRINIC, Lu found a much larger pool of available addresses. He registered his Cloud Innovation company in the Seychelles, an African country, and acquired nearly 7 million IP address assignments from AFRINIC some time in 2016. He now pays AFRINIC about $10,000 a year in registry fees, and leases these numbers out to customers for $2 – $3 per address per year. Some of his customers are in Africa but it appears that most of them are in China. There are reports that he leverages the high switching costs of network addressing by raising the lease price of the IP addresses by 15 – 20% each year. So, do the math: 7 million numbers leased at just $2/year can generate upwards of $14 million in revenue, but the cost of obtaining and maintaining those number resources is only about $10k per year.
The great IPv4 address heists
The gap between the value of IPv4 addresses and AFRINIC’s underutilization of them already caused the organization great trouble in the recent past. In 2019, an investigation and expose by anti-spam activist Ron Guilmette proved that a longstanding staff member of AFRINIC and friend of its CEO, Ernest Byaruhanga, was manipulating records to gain control of IPv4 addresses using dubious shell companies or businesses that were no longer in existence. Guilmette estimated the market value of the acquired IPv4 addresses to be more than USD $50 million. He, along with some journalists in South Africa, found multiple cases of companies linked to Byaruhanga and his immediate family members that were involved in secretly selling AFRINIC IP address blocks for personal profit. Byaruhanga was fired soon after these allegations surfaced, and the matter was referred to the Mauritius authorities.
ARIN, the RIR issuing number blocks in the North American region, also had a problem with criminal activity, likely driven by their low cost for issuing IPv4 blocks relative to the high market value. A man named Amir Golestan and his company, Micfo, obtained the rights to approximately 757,760 IP addresses with a market value around $10 million by creating a large number of fake company registrations, with false officers and fake websites. These fake companies were used to establish claims to IP address rights from ARIN policies designed to ration out addresses at below market price to companies in its region. In a well-publicized lawsuit, ARIN succeeded in reclaiming the IP numbers, and Golestan was criminally prosecuted. These cases of criminal misappropriation likely set the tone for what AFRINIC did next.
Zealous Overcompensation
An overzealous attempt to clean up its act is what led to the current predicament. AFRINIC has a new CEO, Eddy Kayihura, who by all accounts is honest and trying to set the registry back on the right track. Due in part to pressure from Guilmette and other Internet community people – who started by targeting spammers but ended up focusing on out of region use for legitimate purposes – it decided to crack down. After the scandal, AFRINIC performed a comprehensive audit of its address registrations, looking for examples of what it considered misuse. As this self-review process concluded, they decided to target Heng Lu, based on his well-known business of leasing addresses to out of region customers. AFRINIC asked relatively nicely at first. A letter highlighting AFRINIC’s view that Cloud Innovation had committed a policy violation was sent on June 23, 2020. It stated the following three primary concerns and asked for CI to respond with comments and justifications:
Policy and Agreement violation by Cloud Innovation. AFRINIC observed “discrepancy between the descriptions of the registered usage of the IP Number Resources and the countries where these resources are actually being used.”
Inconsistency between “needs of usage” expressed in the agreement and the actual purpose of utilisation.
Violation of Section (6) of the AFRINIC Bylaws which states that members should “originate services within the defined region” in the AFRINIC service region.
In conveying this letter, AFRINIC asserted that any changes an IP address holder makes in its service requires AFRINIC’s approval and is subject to a re-justification of the allocation. AFRINIC sought additional information from Cloud Innovation to review its usage of the IP address blocks.
Cloud Innovation contested the charges in a July 13 letter. Then the conflict fell dormant for eight months. On 10 March 2021, AFRINIC responded, reasserting its accusations. It gave CI a month to submit a “change request” that would provide detailed information about how they were using the IPv4 addresses, including the provided services and country of service origin. They also inquired about the planned utilisation of their remaining IPv4 addresses. In this letter, AFRINIC issued a threat. It claimed that it could “in its sole discretion” determine whether to terminate Cloud Innovation’s Registration Service Agreement (RSA) and reclaim the IPv4 Number Resources allocated to it. Heng Lu’s company knew that this was an existential threat to its business. Reclaiming the addresses would cut off the internet service of thousands of its customers and destroy the lucrative revenue stream he had built around the address blocks. AFRINIC’s letter stressed that “AFRINIC shall not be held liable for any loss or damage of whatever nature arising out of the present notice or any action that AFRINIC may take in accordance thereof.”
In a public response, Cloud Innovation rejected AFRINIC’s proposals as excessive and arbitrary. It contended that it was unreasonable to ask address holders to return and re-justify their allocation any time there was a change in its usage. ISPs change the addresses assigned to different businesses all the time. Asking the RIR for approval every time an ISP’s address configuration changes would make the RIR into a Soviet central planner for African Internet access and subject AFRINIC’s contracted parties to burdensome and costly regulation. Cloud Innovation also mounted a strong argument against AFRINIC’s claim that IP addresses cannot be used out of region. It noted that the regional restrictions for the use of IP addresses only covers space issued after March 2017, when the AFRINIC’s “soft landing” policy went into effect. Cloud Innovation also objected to the fact that AFRINIC was asking it to provide information on how its customers were using their IP addresses, which it deemed intrusive and unwarranted. In response to AFRINIC’s claim that Section 6 of its RSA prohibited out of region use, it responded “Section 6 of the bylaws only states what type of membership each entity qualifies for and the requirements of said membership, nothing about IP usage.” CI summed up its claim by making a direct pitch to various email lists of RIRs:
“We are hoping the global community can realise and act together, to right this wrong. If you are part of AFRINIC’s resource membership, please speak out and express your need for:
The freedom to run your network as you see fit;
The ability to protect the internet connectivity of your users.
The ability to disclose only that data which is necessary for the legitimate administrative purposes of the registry.”
Cloud Innovation did, however, agree to the AFRINIC RSA, in which recipients acknowledge “that it is bestowed with an exclusive right of use of those number resources within the ambit of the ‘need’ which it has justified in its application and for no other purpose during the currency of the present agreement.” AFRINIC may, therefore, be within its rights holding Cloud Innovation to usage of the IP address blocks solely for the purposes given to obtain them. But that same provision could justify action against every AFRINIC address block holder, as service providers do evolve their usage over time. Unlike ARIN, AFRINIC has no clear community policy specifying how often resource reviews may be done. Widespread enforcement of this part of the AFRINIC RSA would create great concern in the Internet community given the lack of community policy and the resulting threat that it could pose to many AFRINIC members.
AFRINIC probably thought that its aggressive action was justified by the ARIN case against Micfo. Its remedy – the reclamation of all addresses and hence the destruction of CI’s business – appears to have assumed that Cloud Innovation was guilty of the same sort of criminal misappropriation. The difference, however, was that Micfo committed outright fraud. Cloud Innovation, in contrast, was only accused of violating a policy, a policy whose meaning was debatable and whose enforcement was highly selective and potentially applicable to many others.
CI took the case to the court in Mauritius and on April 7, 2021 successfully obtained an interim injunction to prevent the termination of its services. But on July 7, 2021, the injunction was lifted on the basis of a preliminary objection. According to CI, it was “a mere legal technicality, which was partially caused by the inability to provide a power of attorney to [the] lawyers in Mauritius during a total lockdown,” since AFRINIC released the letter on the first day of the COVID lockdown. AFRINIC acted immediately to take advantage of the removal of the injunction. The next day, it issued a public announcement that it was terminating Cloud Innovation’s Membership and freezing its addresses for 90 days to allow Cloud Innovation to move customers off them prior to reclamation.
The bank freeze
On July 13, 2021, Cloud Innovation approached the court of Mauritius again to seek urgent relief in another lawsuit against AFRINIC. The Supreme Court of Mauritius issued an interim order in favor of CI which prevented AFRINIC from reclaiming its IP addresses. But it didn’t stop there. Cloud Innovation claimed that it had suffered reputational damages of $1.8 billion, and convinced the court that AFRINIC’s bank account needed to be frozen to ensure that it did not spend or hide the funds which might be used to compensate it. So on July 23, 2021, the Supreme Court of Mauritius provisionally froze up to US$ 50 million AFRINIC’s funds held at SBM Bank Ltd (Mauritius) and Mauritius Commercial Bank.
There are now a total 11 court cases in the court of Mauritius involving CI Ltd and AFRINIC, most of them punitive actions mounted by Cloud Innovation. We are yet to see how it unfolds but the matter raises several questions worth probing into. Foremost of them being the future relevance of AFRINIC and RIRs. If AFRINIC doesn’t come through, how will the IP number resources in the region then devolve? Will the assets be divided among shareholders – and who are they? And what will happen to the unallocated reserved IP addresses? The state of stability and fairness of the Mauritius Justice system also comes into question. It is unclear as to why the Supreme Court of Mauritius would freeze all the assets of AFRINIC based on assertions of reputational damage still to be proven in court, given the threat to AFRINIC’s day to day operations..AFRINIC is not a flight risk, so even if it ultimately loses in court and an award was made its assets could be garnished. The order is affecting the operations of thousands of other service providers that AFRINIC is responsible for. AFRINIC has yet not had an opportunity to respond to this and is awaiting relevant information stating CI’s claims. According to one of the recent statements, it is preparing to exercise the legal rights available to it to oppose the cases before the court.
The way out
Neither pointing the finger at AFRINIC and its past problems, nor decrying Lu Heng as a profiteer helps anything at this point. The situation has gotten out of hand and this is what needs to happen:
Before anything else, Cloud Innovation must back off of its excessive legal measures. All of its punitive lawsuits (one of which accuses AFRINIC’s CEO of defamation for making a video describing the situation to AFRINIC members, and another which attempts to throw the AFRINIC board in jail), should be withdrawn. It should return to its demand for a simple injunction against the reclamation of its address resources while the contractual dispute is being heard. It may win the case, and can continue operating in the interim. Cloud Innovation must also come to its senses and realize that its actions directly endangers the value of the very IP address blocks they are trying to protect, as there is already discussion in the ISP community of ceasing routing of the IP address blocks given their excessive methods.
Once Cloud Innovation ends the legal arms race, AFRINIC must back off of its excessive demands for reclaiming all of Cloud Innovation’s address resources and make its claim of a policy violation clear and its proposed remedies more proportionate. AFRINIC should also place clear constraints on its usage of resource review so that its members do not have to live with a veritable Sword of Damocles hanging over their rights to their IP address blocks in perpetuity. In line with this, AFRINIC needs to learn how to better manage legal risk: if they are going to engage in or threaten revocation, they are going to be sued, and they need to be prepared for that and be more cautious in their use of that remedy.
Whether Cloud Innovation violated the letter or spirit of the contracts, or whether AFRINIC misread its own policies and acted in an excessive and discriminatory manner, is for the court to decide.
AFRINIC needs to come to its senses and accept the global nature of the IP address space and the existence of a market for IP transfers numbers. Its claims that any change in utilization requires a new needs assessment, and that it must review all the uses of customers as well as the uses of the contracting party, is overly burdensome and interferes with the ability of Internet service providers to respond to market conditions. AFRINIC also needs to back off from the futile idea that the numbers it allocates cannot be used outside its region, otherwise it will continue to nurture arbitrage efforts and the potential for corruption.
As we await resolution of the court case, we all need to keep the dispute in perspective. The future of Africa’s internet development will not be greatly affected by reserving IPv4 addresses to regional use. The growth of Africa’s internet to its full potential – the continent’s population is the same as China’s, exceeds all of Europe, and is twice the size of North America’s – cannot be sustained by the remaining address resources of AFRINIC. Growth will only be possible if it imports large numbers of IPv4 addresses from the market, and/or relies more on IPv6 addresses. The tiny leftover portion of the IPv4 address space that AFRINIC controls is not going to sustain the kind of growth that is needed. This is a fight over crumbs. The collateral damage from this fight is not proportionate to the value of the stakes.
The post A Fight Over Crumbs: The AFRINIC crisis appeared first on Internet Governance Project.
Source: Internet Governance Forum