APNIC began its planned delegation audits across the APNIC registry and NIRs as part of its efforts to ensure registry accuracy.
Those audits commenced at the end of 2023 with a preliminary investigation into IPv4 delegations made by IRINN (Indian Registry for Internet Names and Numbers) after APNIC received an anonymous report from a community member. That investigation uncovered suspicious delegations that have since been revoked by IRINN.
Using the methodology employed in the IRINN case, an audit of IDNIC (Indonesia Network Information Centre) delegations commenced to see if any similar issues existed. IDNIC was selected given the high volume of IPv4 registrations made in the past five years. APNIC’s audit of IDNIC has, to date, identified approximately 1,200 delegations that share a variety of common elements, which require further investigation.
APJII announced yesterday it has appointed an independent legal firm to investigate the legitimacy of these suspicious delegations, with the intention of ensuring policy compliance, and where necessary, recovering address space obtained outside of policy. IDNIC is a division of APJII, the Association of Indonesian Internet Service Providers.
APNIC has zero tolerance for the misallocation of resources in its registry or those of NIRs operating in the region. Trust and accuracy is critical to the operation of a registry. All number resource delegations and transfers must be made in strict adherence to community-developed policies.
APNIC is committing dedicated resources to assist in the audits of all NIRs (and APNIC’s own registry) and is taking steps to strengthen policy compliance to ensure the ongoing integrity of the registries.
It is important to note that APNIC’s identification of delegations that contain questionable common elements are preliminary findings only. They should not be taken to infer that the delegations are fraudulent or that there has been any improper actions taken by NIR members or registry staff.
IRINN
Following an anonymous report from the community in October 2023, APNIC’s investigation found that 51 delegations made by IRINN in 2022 were questionable in nature. After sharing these findings with the then incoming CEO of IRINN, Dr. Devesh Tyagi, further investigation by IRINN confirmed 44 delegations did not meet policy guidelines and were recovered.
You can read more about the results of that specific investigation, and the actions taken by IRINN, in their announcement.
IDNIC
Between May and October 2024, APNIC reviewed all allocations of Internet number resources made by IDNIC to its members during the period between 1 January 2019 and 19 April 2024, a total of 2,974 allocations.
Of these allocations, 1,216 IPv4 delegations were identified as containing several common datapoints across both registry and third-party datasets, which indicated these allocations may be questionable in nature.
A ‘second opinion’ process — meaning all allocations and transfers by IDNIC need to be checked and approved by APNIC — was put in place in July by APNIC while the audit progressed, to ensure all allocations satisfy community-developed policies.
The findings of the audit have been presented to APJII for further investigation using IDNIC registry and account data (which is not accessible to APNIC) to identify which of the questionable allocations are in breach of policy and which are legitimate. APJII has appointed a law firm, Romulo Silaen & Partners, to complete this work, and you can read more about actions taken by APJII and IDNIC in their announcement.
APNIC actions
APNIC would like to thank IRINN and APJII for their cooperation and actions taken to date, particularly Dr. Devesh Tyagi (CEO of NIXI) and Muhammad Arif (Chairman of APJII).
APNIC will continue progressing the full, planned audits across delegations and transfers made by APNIC and all NIRs. This will include expanding the previous investigations at both IRINN and IDNIC to include a longer time period of 10 years and applying the same rigour to all other NIRs and APNIC’s own registry.
It is estimated that the series of audits will take at least 12 months to complete.
Over the coming months, APNIC also plans to:
- Conduct a detailed review of APNIC’s resource delegation processes, workflows and team structures to identify any areas where policy compliance can be strengthened further.
- Begin planned Member registration accuracy checks as an ongoing process. APNIC staff will proactively assist Members to ensure their registry data is accurate.
- Provide active, ongoing support for NIR policy compliance and providing additional training where necessary.
- Implement additional policy compliance spot checks to all new APNIC resource delegations.
- Evaluate automated fraud identification tools to bolster regular audit processes.
- Review the NIR agreement between APNIC and NIRs to identify any areas requiring greater clarity or improvement.
Reporting to the community
Given the importance of this issue, APNIC will be reporting regularly to the community on the progress of the audits.
Quarterly updates will be published on the APNIC Blog and regular reports will be provided to the APNIC Executive Council. APNIC will also report on the progress of the audits, and any required remediation, during the APNIC Annual General Meeting and APNIC Member Meeting at its conferences.
Any further discoveries of significance will be communicated outside of this cycle to ensure Members and the community remain informed.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.