This page describes the three types of IPv4 and IPv6 address ranges used on the University Data Network (UDN) for connecting the University, Colleges and other affiliated organisations, including:
- Global (public) addresses - ranges routed directly between the UDN and the public internet.
- UDN-local (private) addresses - are routed around the UDN, but SNATed to global addresses, when exiting onto Janet and the public internet.
- Institution-local (private) addresses - ranges reserved for private use within an institution.
If you have specific queries about this list, or how it should be interpreted, please contact UIS Networks with your requirement. In particular, see the note below regarding IP address-based access control (e.g. for e-journals or other protected resources).
Global (public) IP addresses
The following is a list of global IP prefixes (address ranges) used by the University and affiliated institutions on the UDN when they make connections out onto the public internet. Hosts with addresses in these prefixes can make direct inbound and outbound connections without being subject to translation (although note that the UDN Network Address Translation [NAT] Service uses these for the "outside" of the NAT).
Globally-routable addresses are useful for running services which much be reachable inbound across the public internet; private addresses (below) are recommended for client devices, which only need to make outbound connections. Global addresses may also be suitable for hosts which, although are only clients, have high bandwidth demands.
| Protocol | Prefix | Managing authority | Status |
|---|---|---|---|
| IPv4 | 128.232.0.0/16 | Department of Computer Science and Technology (128.232.0.0/17) | Inside |
| UIS Networks (128.232.128.0/17) | |||
| 129.169.0.0/16 | Department of Engineering | ||
| 131.111.0.0/16 | UIS Networks | ||
| 192.18.195.0/24 | MRC - Cognition and Brain Sciences Unit (MRC CBU)* | ||
| 193.60.80.0/20 | UIS Networks | ||
| 193.63.252.0/23 | MRC - Cognition and Brain Sciences Unit (MRC CBU)* | ||
| 192.84.5.0/24 | UIS Networks | Outside | |
| 192.153.213.0/24 | UIS Networks | ||
| IPv6 | 2001:630:210::/44** | UIS Networks | Inside |
| 2a05:b400::/32** |
* These ranges are used exclusively by Medical Research Council units but, as stated above, the MRC also uses some addresses in other ranges above.
** The University is migrating its IPv6 prefix from the 2001:630:210::/44 block to 2a05:b400::/32.
Address blocks in the global ranges are allocated by the managing authority shown above. Hosts must be registered in the University IP database (or the appropriate institution) with hostnames ending in inst.cam.ac.uk.
The two IPv4 "outside" blocks are ones which are earmarked for use by connections which should be regarded as "outside" the University (such as web search spidering systems).
UDN-local (private) addresses
Within the UDN, some IPv4 addresses are used to alleviate the shortage in availability of globally-routable addresses, typically those allocated for private internets (RFC1918) and shared address space (RFC6598). These addresses are known as UDN-local (formerly UDN-wide private) addresses and have the following properties:
- Within the UDN, these addresses are routed between institutions, without needing translation, and function equivalently to public addresses.
- When connections are made to hosts outside the UDN, the source address is translated to an address in the UDN global ranges by the Network Address Translation (NAT) service. To the internal host, they appear to have normal outbound connectivity to the internet, without the need for any special configuration, such as proxy servers.
- Direct inbound connections to hosts on these addresses is not possible because they do not have globally-routable addresses of their own. Firewalls, routers or reverse proxy servers can be configured to provide a DNAT (Destination NAT) or proxy to permit this, if required.
These properties make UDN-local addresses ideal for client-only devices, such as end-user devices) or servers which only need to be accessed from inside the UDN, including those on the University Wireless Service (e.g. eduroam).
The prefixes currently in use are:
| Prefix | Comments / use |
|---|---|
| 10.128.0.0/9 | Institutional allocations |
| 100.64.0.0/10 | Internal use by the UIS |
| 172.16.0.0/13 | Institutional allocations |
| 172.24.0.0/14 | |
| 172.28.0.0/15 | |
| 172.30.0.0/16 | Internal use by the UIS |
Note the 172.x.x.x ranges amount to all of the RFC1918 block 172.16.0.0/12 except 172.31.0.0/16, or alternatively, all addresses from 172.16.0.0 to 172.30.255.255 inclusive.
Address blocks in the UDN-local ranges are allocated by UIS Networks; hosts must be registered in the IP Register database with hostnames ending in inst.private.cam.ac.uk.
Institutions using RFC1918 addresses purely for internal use should choose addresses from the institution-local ranges, rather than ones in the above list, to avoid clashes, resulting in difficulty reaching other hosts on the UDN.
For IPv6, the UDN does not currently make use of private (ULA - Unique Local Addresses; RFC4193) as it is felt that there is sufficient capacity in the public ranges for use by internal services. This policy may be changed in future, if the situation changes.
Institution-local (private) addresses
Some RFC1918 addresses are reserved for use internally by institutions - these are known as institution-local (formerly institution private) addresses. These ranges will never be used by the UDN and are safe to use for purely internal purposes. As they are not routed by the UDN, they must be SNATd before they leave the institutional network and exit onto it, if traffic from them is to be routed outside; to avoid double-NAT this must be to a global IP address.
| Prefix |
|---|
| 10.0.0.0/9 |
| 172.31.0.0/16 |
| 192.168.0.0/16 |
Note that the 10.0.0.0/9 range only includes the lower half of the RFC1918 10.0.0.0/8 block: 10.128.0.0/9 is assigned as UDN-local addresses.
Institutions are free to allocate and use addresses in this range without needing to notify UIS Networks. It is recommended that hosts in the institution-local range are allocated hostnames in a local, private DNS with a domain ending private.inst.cam.ac.uk (note the transposition of 'private' and 'inst', compared with UDN-local addresses).
It is strongly recommended that institutions do NOT use institution-local addresses for networks which require connectivity to the wider UDN or internet as this can present problems accessing some services within the UDN where NAT is not supported. It also prevents the address being registered in the University DNS and reduces the visibility of CSIRT and the UIS in general to track individual hosts accessing the network (which can make a problematic host difficult to identify and result in a wider than necessary block being put in place). UDN-local addresses are normally available in plentiful supply.
Customers of the Managed Firewall Service can be adopted with support for institution-local ranges but a transition to UDN-local addresses will typically be expected over a period of time, for these reasons.
Note when using IP address-based access control
It is important to note that hosts using UDN addresses do not necessarily belong to, and/or are used by a member of, the University nor one of its Constituent Colleges. For example, note that the following users are all connected to the network and may use any of the addresses in the above blocks may be used by:
- Academic visitors - e.g. eduroam visitors, visiting staff on college or departmental connections.
- Non-academic visitors.
- Temporary contractors.
- Institutions who are associated with the University and have been provided with a connection to the University network, and on through Janet, but are not legally part of the University (such as MRC units, Theological institutions, affiliated organisations)
In addition to this, the addresses used on the network may change, be added to or relinquished. Also, users are making increasing use of connections which will be outside the UDN (such as via domestic or mobile technologies).
It is strongly recommended that IP addresses are NOT used as a method of access control to internal or external services. Unentitled visitors or associate users may be permitted and entitled users on different addresses may be denied access incorrectly.
Last updated: 9th May 2024