HSCN Internet Protocol (IP) addressing policy

The Health and Social Care Network (HSCN) programme delivers new and significantly different network services for health and social care. The HSCN creates the effect of a single network across health and social care providers and their partners. All health and social care organisations (in England) are within scope of the HSCN solution, which supports greater integration of care delivery.

This HSCN Internet Protocol (IP) addressing policy defines the legitimate addressing schemes and the working principles for their use within the HSCN, to ensure continued access to national applications and to provide a solid infrastructure for IP networking in health and social care. The policy statements set out in this document are necessary to support the business needs of health and social care and, in parallel, to ensure that the structure and frameworks are in place for a seamless transition to the Cloud/Internet environment.

The HSCN IP addressing policy applies to all direct connections to the HSCN from organisations of all types, such as NHS, social care, and third party organisations such as application providers.

Further guidance on the use of key protocols and methods, such as Network address Translation (NAT), Domain Name Service (DNS) and Dynamic Host Configuration Protocol (DHCP), and their use on HSCN, can be found in the HSCN IP Addressing Good Practice Guidelines.

Address schemes

NHS Digital recognises that existing connectivity and services use a number of different addressing schemes and that a mandatory move towards a public address scheme in the short term is unachievable for many organisations due to cost, impact on existing services, timescales, and other factors.

The sections below describe the supported and non-compliant IP address schemes for HSCN.

Supported IP address schemes

Public IP addresses assigned to:

• the connecting organisation by RIPE NCC may be used for new and migrated connections to the HSCN
• NHS Digital by RIPE NCC and allocated to the HSCN consumer for new connections to HSCN
• NHS Digital by RIPE NCC and allocated to the consumer by NHS Digital or predecessor organisation prior to connection to the HSCN
• the CN-SP by RIPE NCC and allocated to the consumer for connection to the HSCN

Subnets from the RFC1918 Private IP Address Space adopted for the NHS and allocated by the predecessor network provider for connectivity and to advertise hosted services on the predecessor network may be maintained until the HSCN consumer is in a position to move to a public address scheme. These subnets were/are allocated from:

• centrally allocated subnets from the 10.0.0.0/8 'NHS private address space'
• centrally allocated subnets from the 172.17.0.0 - 172.31.255.255 'NHS private address space'

Non-compliant IP addresses

IP address types and ranges deemed non-compliant with this Policy will not be routed across the HSCN. These are:

• addresses and subnets from the RFC1918 private address space 192.168.0.0/16
• addresses and ranges from the RFC1918 private address space previously adopted as ‘NHS private address space’ (10.0.0.0/8 and 172.17.0.0 to 172.31.255.255) that have been deployed independently (meaning - not allocated by the predecessor network service provider)
• 'illegal' public addresses - addresses not assigned to a consumer by an official organisation or, assigned to NHS Digital or a CN-SP and allocated to the consumer

NHS Digital is not responsible for any instances of litigation against organisations that knowingly or otherwise route ‘illegal’ IP addresses to the Internet.

HSCN IP addressing and Internet First

Internet First means that externally accessible health and social care digital services must be securely accessible over the public internet by default rather than the Health and Social Care Network. One of the requirements to achieve this is for health and social care organisations to have sufficiently scaled and functional Internet connectivity to support the needs of the organisation in consuming and where applicable providing internet hosted services.

HSCN consumers should review the policy and guidance for Internet First when choosing an option from the list of IP address schemes defined in this Policy.

The IP address schemes supported by HSCN allow consumers to maintain legacy private address schemes where required, and also support and encourage the use of public addressing for connectivity and the provision of systems and services. Some of the IP address schemes supported by HSCN may need to be reconfigured or replaced to support transition of a consumer site from the HSCN to the internet.

Network Address Translation

The HSCN supports Network Address Translation (NAT) at the point of connection. This facilitates the allocation and use of RIPE assigned addresses at all connection points to the HSCN and to allow organisations to maintain existing internal addressing. Refer to the HSCN IP Addressing Good Practice Guidelines document for guidance on the use of NAT and other protocols and methods within HSCN.

Use of NHS Digital RIPE addresses on the internet

RIPE addresses assigned to NHS Digital (or a predecessor organisation) and already allocated to HSCN consumers may be used to advertise services on the internet. This is subject to NHS Digital approval and the business rules and caveats set out below.

1. Subnets must be a minimum of a /24. All contiguous IP addresses within the /24 range (or larger if approved) must be reserved for Internet use only to prevent IP address fragmentation.
2. Subnets must be RIPE assigned to NHS Digital (or a predecessor organisation) and allocated to consumers prior to 2019.
3. NHS Digital RIPE assigned subnets allocated only to health and social care organisations and National applications may be used for this purpose.
4. Subnets approved for this purpose must not be routed on the HSCN. Consumers accept the risk of loss of access to systems or services affected due to misconfiguration.
5. NHS Digital assigned RIPE subnets allocated as part of connecting to HSCN cannot currently be used for this purpose.
6. NHS Digital RIPE assigned subnets allocated to commercial third-party organisations may not be used for this purpose.
7. Organisations must ensure that information on the RIPE database relating to the relevant subnet is up to date. Details of any changes required should be sent to the NHS Digital IPAM Team at [email protected]. 
8. Subnets approved for this purpose remain RIPE assigned to NHS Digital therefore NHS Digital reserves the right to remove relevant RIPE objects in the event of misuse or breach of this Policy.

Return of unused allocations of NHS Digital RIPE addresses

A substantial amount of RIPE address space assigned to NHS Digital is still allocated to a number of public and private sector organisations. It is essential that any NHS Digital assigned RIPE address space that is not in use, no longer required, or in use on private networks, should be identified and returned to NHS Digital. Organisations may return NHS Digital owned RIPE addresses by emailing the IPAM team at [email protected].

NHS Digital will actively pursue the return of allocated registered RIPE address space. This activity will be managed by the NHS Digital HSCN IPAM function.

NHS Digital IP address allocations for HSCN hosted cloud services

Commercial third-party suppliers who wish to set up HSCN hosted cloud services and require an allocation of NHS Digital RIPE assigned addresses should contact the NHS Digital IPAM team at [email protected] to discuss requirements.

The NHS Digital IPAM team will provide an allocation of RIPE addresses of the size required, typically up to a /28. Cloud providers should provide detailed requirements including the subnet size needed.

Authorisation and allocation process

NHS Digital manages and administers the HSCN IP Addressing Policy and the IP Address Management (IPAM) function. The IPAM function manages the allocation and return of subnets from the HSCN IP address space.

View the HSCN IP Address Authorisation and Allocation process

Requests for additional HSCN RIPE addresses

Health and social care organisations that connect to the HSCN and adopt an HSCN allocated RIPE address and NAT at the point of connection, may apply for an additional allocation of HSCN RIPE addresses. This may be, for example, to advertise hosted services that cannot currently be configured to work with NAT. Requests for additional HSCN RIPE addresses are managed via the IP authorisation and allocation request process.

It is important to note that the pool of HSCN RIPE addresses is a limited resource, therefore requests will be carefully scrutinised and allocations rigorously controlled. NHS Digital does not preclude the use of RIPE ranges already owned by the connecting organisation, or organisations obtaining additional subnet assignments from RIPE.

Given that the HSCN RIPE address pool is a finite resource, requests for additional RIPE addresses from health and social care organisations will be prioritised. Therefore, commercial third-party supplier organisations that need to advertise services across the HSCN are advised to use locally owned RIPE assigned addresses or obtain additional subnets from RIPE NCC.

Approval to use NHS Digital RIPE addresses on the internet

The use of NHS Digital assigned RIPE addresses on the Internet must be approved by the NHS Digital IPAM Team. Consumers wishing to do this must send a request to the IPAM Team at [email protected].

Further information and enquiries

For further information and enquiries please email the HSCN IPAM team at [email protected].