+## IPv4 addressing.
+##
+## There are two small blocks of publicly routable IPv4 addresses, and a
+## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
+## The former are as follows.
+##
+## 81.2.113.195, 81.187.238.128/28
+## House border network (dmz). We have all of these; the loose
+## address is for the router.
+##
+## 212.13.18.64/28
+## Jump colocated network (jump). .65--68 are used by Jump
+## network infrastructure; we get the rest.
+##
+## The latter is the block 172.29.196.0/22. Currently the low half is
+## unallocated (and may be returned to the G-RIN); the remaining addresses
+## are allocated as follows.
+##
+## 172.29.198.0/24 Untrusted networks.
+## .0/25 house wireless net
+## .128/28 iodine (IP-over-DNS) network
+## .144/28 hippotat (IP-over-HTTP) network
+## .160/27 untrusted virtual network
+##
+## 172.29.199.0/24 Trusted networks.
+## .0/25 house wired network
+## .128/27 mobile VPN hosts
+## .160/28 reserved, except .160/30 allocated for ITS
+## .176/28 internal colocated network
+## .192/27 house safe network
+## .224/27 anycast services
+
+## IPv6 addressing.
+##
+## There are five blocks of publicly routable IPv6 addresses, though some of
+## them aren't very interesting. The ranges are as follows.
+##
+## 2001:8b0:c92::/48
+## Main house range (aaisp). See below for allocation policy.
+## There is no explicit DMZ allocation (and no need for one).
+##
+## 2001:ba8:0:1d9::/64
+## Jump border network (jump): :1 is the router (supplied by
+## Jump); other addresses are ours.
+##
+## 2001:ba8:1d9::/48
+## Main colocated range. See below for allocation policy.
+##
+## Addresses in the /64 networks are simply allocated in ascending order.
+## The /48s are split into /64s by appending a 16-bit network number. The
+## top nibble of the network number classifies the network, as follows.
+##
+## axxx Virtual, untrusted
+## 8xxx Untrusted
+## 6xxx Virtual, safe
+## 4xxx Safe
+## 0xxx Unsafe, trusted
+##
+## These have been chosen so that network properties can be deduced by
+## inspecting bits of the network number:
+##
+## Bit 15 If set, the network is untrusted; otherwise it is trusted.
+## Bit 14 If set, the network is safe; otherwise it is unsafe.
+##
+## Finally, the low-order nibbles identify the site.
+##
+## 0 No specific site: mobile VPN endpoints or anycast addresses.
+## 1 House.
+## 2 Jump colocation.
+## fff Local border network.
+##
+## Usually site-0 networks are allocated from the Jump range to improve
+## expected performance from/to external sites which don't engage in our
+## dynamic routing protocols.
+