Download the HSCN Internet Protocol (IP) addressing policy
The Health and Social Care Network (HSCN) programme delivers new and significantly different network services for health and social care as part of its remit to provide successor services to the current N3 network. The HSCN creates the effect of a single network across health and social care providers and their partners. All health and social care organisations (in England) are within scope of the HSCN solution, which supports greater integration of care delivery.
This HSCN Internet Protocol (IP) addressing policy defines the legitimate addressing schemes and the working principles for their use, to support the smooth transition to the HSCN, ensure continued access to Transition Network (TN) services (such as national applications), and to provide a solid infrastructure for IP networking in health and social care. The policy statements set out in this document are necessary to underpin the transition to the HSCN in support of the business needs of health and social care.
The policy statements:
- underpin the transition to the HSCN, which will help health and social care services deliver better, safer and more efficient care
- ensure that the structures and frameworks are in place for a seamless transition to digital service provision via the internet and cloud
The HSCN IP addressing policy applies to all direct connections to the HSCN from organisations of all types, such as NHS, social care, and third party organisations such as application providers.
For further guidance on IP addressing for end-site migration from the TN to the HSCN, please read the "HSCN IP Addressing Guidance for Transition". Additional guidance on key protocols and methods, such as Network Address Translation (NAT), Domain Name Service (DNS) and Dynamic Host Configuration Protocol (DHCP), and their use on HSCN can be found in the "HSCN IP Addressing Good Practice Guidelines".
2. The HSCN IP addressing policy
NHS Digital recognises that existing connectivity and services use a number of different addressing schemes and that a mandatory move towards a public address scheme in the short term is unachievable for many organisations due to cost, impact on existing services, timescales, and other factors.
The sections below describe the supported and non-compliant IP address schemes for HSCN.
Supported IP address schemes
New and migrated connections to the HSCN may use public IP addresses assigned to:
- the connecting organisation by RIPE NCC (the organisation responsible for the distribution and management of IP addresses)
- NHS Digital by RIPE NCC and allocated to the HSCN consumer
- NHS Digital by RIPE NCC and allocated to the consumer by NHS Digital or predecessor organisation prior to connection or migration to the HSCN
- the CN-SP by RIPE NCC and allocated to the consumer for connection or migration to the HSCN
HSCN registered RIPE allocations will typically comprise either a /29 or a /30 subnet per connection. See Requests for Additional HSCN RIPE Addresses for more information.
Predecessor organisations include Health and Social Care Information Centre, NHS Connecting for Health, NHS Information Authority, or Central/Local Communications Management Group.
HSCN customers who can’t immediately move to a public address scheme may, upon their migration to HSCN, maintain subnets from the RFC1918 Private IP Address Space. These subnets were adopted for the NHS and allocated by the predecessor network provider for connectivity and to advertise hosted services on the TN. They were/are allocated from:
- Centrally allocated subnets from the 10.0.0.0/8 "NHS private address space"
- Centrally allocated subnets from the 172.17.0.0 - 172.31.255.255 "NHS private address space"
Non-compliant IP addresses
IP address types and ranges deemed non-compliant with this Policy will not be routed across the HSCN. These are:
- addresses and subnets from the RFC1918 private address space 192.168.0.0/16
- addresses and ranges from the RFC1918 private address space previously adopted as ‘NHS private address space’ (10.0.0.0/8 and 172.17.0.0 to 172.31.255.255) that have been deployed independently (meaning - not allocated by the predecessor network service provider)
- "illegal" public addresses - addresses that are neither assigned to a consumer by an official organisation, nor assigned to NHS Digital or a CN-SP and allocated to the consumer
An official organisation is a Regional Internet Registry (RIR) such as RIPE NCC, or a Local Internet Registry (LIR) such as NHS Digital. NHS Digital is not responsible for any instances of litigation against organisations that knowingly or otherwise route "illegal" IP addresses to the internet.
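The supported and non-compliant ranges above can be checked mechanically during a pre-migration address audit. The following is an added example, not part of the NHS Digital policy: the function name `classify`, the `centrally_allocated` flag (which the caller must supply from allocation records) and the "review" result for RFC1918 space the policy does not list, such as 172.16.0.0/16, are assumptions made for illustration.

```python
import ipaddress

# Ranges quoted in the policy. The 172.17.0.0 - 172.31.255.255 span is not a
# single CIDR block (it excludes 172.16.0.0/16), so it is expanded into blocks.
NHS_PRIVATE = [ipaddress.IPv4Network("10.0.0.0/8")] + list(
    ipaddress.summarize_address_range(
        ipaddress.IPv4Address("172.17.0.0"),
        ipaddress.IPv4Address("172.31.255.255"),
    )
)
NEVER_ROUTED = ipaddress.IPv4Network("192.168.0.0/16")
RFC1918 = [
    NEVER_ROUTED,
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
]


def classify(subnet: str, centrally_allocated: bool = False) -> str:
    """Classify an IPv4 subnet against the policy's address schemes.

    centrally_allocated is an assumption supplied by the caller (for example
    from IPAM records); it cannot be derived from the address itself.
    """
    net = ipaddress.IPv4Network(subnet, strict=True)
    if net.subnet_of(NEVER_ROUTED):
        return "non-compliant: 192.168.0.0/16"
    if any(net.subnet_of(block) for block in NHS_PRIVATE):
        if centrally_allocated:
            return "supported: NHS private address space"
        return "non-compliant: independently deployed"
    if any(net.overlaps(block) for block in RFC1918):
        # e.g. 172.16.0.0/16, or a supernet straddling a range boundary
        return "review: RFC1918 outside the listed NHS ranges"
    # Public space: compliance depends on registry assignment, not the address
    return "public: check registry assignment"


def audit(subnets):
    """Map each (subnet, centrally_allocated) pair to its classification."""
    return {s: classify(s, allocated) for s, allocated in subnets}


# Constructed sample inventory (198.51.100.0/24 is a documentation range)
SAMPLE = [("10.20.30.0/24", True), ("172.16.5.0/24", False),
          ("192.168.10.0/24", False), ("198.51.100.0/29", False)]
```

Public addresses fall through to a manual check because whether a range is assigned by RIPE NCC or allocated by NHS Digital or a CN-SP is a registry fact, not a property of the address.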
HSCN IP addressing and Internet First
Internet First means that externally accessible health and social care digital services must be securely accessible over the public internet by default rather than the Transition Network or Health and Social Care Network. One of the requirements to achieve this is for health and social care organisations to have sufficiently scaled and functional Internet connectivity to support the needs of the organisation in consuming and where applicable providing internet hosted services.
HSCN consumers should review the policy and guidance for Internet First when choosing an option from the list of IP address schemes defined in this Policy.
The IP address schemes supported by HSCN allow consumers to maintain legacy private address schemes where required, and also support and encourage the use of public addressing for connectivity and the provision of systems and services. Some of the IP address schemes supported by HSCN may need to be reconfigured or replaced to support transition of a consumer site from the HSCN to the internet.
3. Network Address Translation
The HSCN supports Network Address Translation (NAT) at the point of connection. This facilitates the allocation and use of RIPE assigned addresses at all connection points to the HSCN and allows organisations to maintain existing internal addressing. Refer to the HSCN IP Addressing Good Practice Guidelines document for guidance on the use of NAT and other protocols and methods within HSCN.
4. Use of NHS Digital RIPE addresses on the internet
RIPE addresses assigned to NHS Digital (or a predecessor organisation) and already allocated to HSCN consumers may be used to advertise services on the internet. This is subject to NHS Digital approval and the business rules and caveats set out below.
- Subnets must be a minimum of a /24. All contiguous IP addresses within the /24 range (or larger if approved) must be reserved for Internet use only to prevent IP address fragmentation.
- Subnets must be RIPE assigned to NHS Digital (or a predecessor organisation) and allocated to consumers prior to 2019.
- NHS Digital RIPE assigned subnets allocated only to health and social care organisations and National applications may be used for this purpose.
- Subnets approved for this purpose must not be routed on the HSCN or TN. Consumers accept the risk of loss of access to systems or services affected due to misconfiguration.
- NHS Digital assigned RIPE subnets allocated as part of connecting or migrating to HSCN cannot currently be used for this purpose.
- NHS Digital RIPE assigned subnets allocated to commercial third-party organisations may not be used for this purpose.
- Organisations must ensure that information on the RIPE database relating to the relevant subnet is up to date. Details of any changes required should be sent to the NHS Digital IPAM Team at email@example.com.
- Subnets approved for this purpose remain RIPE assigned to NHS Digital; NHS Digital therefore reserves the right to remove relevant RIPE objects in the event of misuse or breach of this Policy.
5. Return of unused allocations of NHS Digital RIPE addresses
A substantial amount of RIPE address space assigned to NHS Digital is still allocated to a number of public and private sector organisations. Any NHS Digital assigned RIPE address space that is not in use, no longer required, or in use on private networks, should be identified and returned to NHS Digital.
Organisations may return NHS Digital owned RIPE addresses by emailing the IPAM team at firstname.lastname@example.org. NHS Digital will actively pursue the return of allocated registered RIPE address space. This activity will be managed by the NHS Digital HSCN IPAM function.
6. NHS Digital IP address allocations for HSCN hosted cloud services
Commercial third-party suppliers who wish to set up HSCN hosted cloud services and require an allocation of NHS Digital RIPE assigned addresses should contact the NHS Digital IPAM team at email@example.com to discuss requirements.
The NHS Digital IPAM team will provide an allocation of RIPE addresses of the size required, typically up to a /28. Cloud providers should provide detailed requirements including the subnet size needed.
7. Operational processes
Authorisation and allocation process
NHS Digital manages and administers the HSCN IP Addressing Policy and the IP Address Management (IPAM) function. The IPAM function manages the allocation and return of subnets from the HSCN IP address space.
Requests for additional HSCN RIPE addresses
Health and social care organisations that connect to the HSCN and adopt an HSCN allocated RIPE address and NAT at the point of connection may apply for an additional allocation of HSCN RIPE addresses. This may be, for example, to advertise hosted services that cannot currently be configured to work with NAT. Requests for additional HSCN RIPE addresses are managed via the IP authorisation and allocation request process.
It is important to note that the pool of HSCN RIPE addresses is a limited resource; requests will therefore be carefully scrutinised and allocations rigorously controlled. Requests for additional RIPE addresses from health and social care organisations will be prioritised. We recommend that commercial third-party supplier organisations that need to advertise services across the HSCN use locally owned RIPE assigned addresses or obtain additional subnets from RIPE NCC.
NHS Digital does not preclude the use of RIPE ranges already owned by the connecting organisation, or organisations obtaining additional subnet assignments from RIPE.
Approval to use NHS Digital RIPE addresses on the internet
The use of NHS Digital assigned RIPE addresses on the Internet must be approved by the NHS Digital IPAM Team. Consumers wishing to do this must send a request to the IPAM Team at firstname.lastname@example.org.
8. Further information and enquiries
For further information and enquiries please email the HSCN IPAM team at email@example.com.
9. Glossary of terms
| Term / initialism | What it stands for |
|---|---|
| DHCP | Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automatically assign an IP address to a computer from a defined range of numbers (a scope) configured for a given network. |
| DNS | Domain Name System - the internet's system for converting alphabetic names into numeric IP addresses. For example, when a Web address (URL) is typed into a browser, DNS servers return the IP address of the Web server associated with that name. |
| HSCN | Health and Social Care Network |
| IPAM | IP (Internet Protocol) address management |
| N3 | NHS national network |
| NAT | Network Address Translation (NAT) is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device. |
| RFC | A Request for Comments (RFC) is a formal document from the Internet Engineering Task Force (IETF) that is the result of committee drafting and subsequent review by interested parties. |
| RIPE NCC | The Réseaux IP Européens Network Coordination Centre (RIPE NCC) is the Regional Internet Registry (RIR) for Europe, the Middle East and parts of Central Asia. |
| TN | Transition Network - a backbone network service providing core network functionality; points of presence (PoPs); external Gateways; access PoPs supporting legacy N3 access services, head end services; broadband; video conferencing (VC); virtual private network (VPN); IP address management (IPAM); Domain Name System (DNS); Network Time Protocol (NTP); Enhanced Internet Gateway (EIG); Enhanced Monitoring Service (EMS); Advanced Behavioural Analysis Suite (ABAS); security management services; connectivity to the HSCN peering exchange network; and transitional assistance to migrate TN end users from the legacy environment to the new HSCN environment. |