The NHS Transition Network addressing policy mandates the use of the private IP address range from 10.0.0.0 to 10.255.255.255 [1] within the core of the Transition Network (TN) and for legacy continuing orders. This will be referred to as NHS private address space and/or 10.0.0.0/8 in this policy.
[1] The following ranges from the NHS private IP address space (10.0.0.0/8) are reserved by the authority: 10.14.0.0/15, 10.20.0.0/14, 10.46.0.0/15, 10.104.0.0/13, and 10.120.0.0/13.
Portions of the NHS private address space are made available for organisations that connect to the TN to deploy within the local area network (LAN) environment. The availability of this address space is governed by the method by which an organisation connects to the network, its requirements, and intended usage of the address space. The address space is allocated by the service provider. To request or return NHS private address allocations please contact the BT helpdesk on 0800 085 0503 (select option 3).
Compliant and non-compliant IP addresses
The following points describe which IP address ranges or schemes are compliant with this policy, and those that are not.
Compliant IP addresses
Only the following address ranges will be legitimately routed across the TN:
- Addresses and address ranges from the NHS private address space (10.0.0.0/8) allocated as described in this policy.
- The portion of private class B address space (172.17.0.0 to 172.31.255.255) previously allocated by the service provider for general practice connections and routed on N3 will continue to be routed across the TN.
Non-compliant IP addresses
Addresses and address ranges from the private address space 192.168.0.0/16 will not be routed across the TN.
Portions of NHS private address space (10.0.0.0/8) that have been deployed independently but were not allocated by the service provider as described in this policy are deemed non-compliant and will not be routed across the TN.
Portions of the private address space that were previously allocated by the service provider for general practice connections (172.16.0.0/12) that have been deployed independently are deemed non-compliant and will not be routed across the TN.
Registered IP addresses (such as through RIPE) that belong to another organisation or that do not belong to the organisation that has deployed the addresses, whether they have been deployed illegally or accidentally, will not be routed across the TN.
NHS Digital is not responsible for any instances of litigation against NHS organisations that knowingly or otherwise route illegal IP addresses to the internet.
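The compliance rules above can be applied to a site's LAN address plan before a connection is reviewed. The following is an added example, not part of the policy or of any NHS Digital tooling; the function names and the `allocated` input (the prefixes the service provider has allocated to the site, taken from the organisation's own records) are assumptions.

```python
import ipaddress as ip

NHS_PRIVATE = ip.IPv4Network("10.0.0.0/8")
# Ranges the policy footnote lists as reserved by the authority.
RESERVED = [ip.IPv4Network(n) for n in (
    "10.14.0.0/15", "10.20.0.0/14", "10.46.0.0/15",
    "10.104.0.0/13", "10.120.0.0/13")]
# General practice range 172.17.0.0 to 172.31.255.255, expressed as CIDR blocks.
GP_LEGACY = list(ip.summarize_address_range(
    ip.IPv4Address("172.17.0.0"), ip.IPv4Address("172.31.255.255")))
NOT_ROUTED = ip.IPv4Network("192.168.0.0/16")


def classify(prefix, allocated):
    """Return (verdict, reason) for one deployed IPv4 prefix.

    allocated: prefixes allocated to this site by the service provider
    (assumed input; the address alone cannot prove an allocation).
    """
    net = ip.IPv4Network(prefix)  # raises ValueError if host bits are set
    alloc = [ip.IPv4Network(a) for a in allocated]
    routed = [NHS_PRIVATE] + GP_LEGACY
    if net.overlaps(NOT_ROUTED):
        return ("non-compliant", "192.168.0.0/16 is not routed across the TN")
    if any(net.subnet_of(r) for r in routed):
        if any(net.subnet_of(a) for a in alloc):
            return ("compliant", "inside a service provider allocation")
        if any(net.overlaps(r) for r in RESERVED):
            return ("non-compliant",
                    "not allocated; overlaps a range reserved by the authority")
        return ("non-compliant",
                "deployed independently; not allocated by the service provider")
    if any(net.overlaps(r) for r in routed):
        return ("non-compliant", "straddles the edge of a routed private range")
    # Anything else is carried only if it is approved registered (RIPE) space.
    return ("review", "outside the routed private ranges; needs approval")


def audit(prefixes, allocated):
    """Classify every deployed prefix in an address plan."""
    return {p: classify(p, allocated) for p in prefixes}
```

A "review" verdict means the prefix is neither of the routed private ranges, so it would be carried only if it is registered space approved for use on the TN.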
Network Address Translation
Network Address Translation (NAT) is not supported at the point of connection to the TN. This means that the service provider will not support (as standard) the deployment of NAT on the service provider managed customer premises equipment (CPE). NHS Digital promotes the deployment of service provider allocated address ranges from the NHS private address space (10.0.0.0/8) on the LAN that is connected to the TN.
An organisation that requests the deployment of NAT at the point of connection to the TN will have to seek specific approval from NHS Digital and will have to fund the additional non-standard elements of the TN service associated with the deployment of NAT (as specified by the TN service provider).
The TN IP address allocation process
The following paragraphs describe the IP address allocation process for TN connections through a number of different scenarios and the requirements for each to comply with this policy.
New address allocations
Post-31 March 2017 there will be no 'new' connections to the TN. Orders in delivery during this period will be allocated a range of IP addresses from the NHS private address space based upon the method by which the organisation connects to the network, its requirements and intended usage of the address space. This address range will be allocated by the TN service provider.
Additional address allocations
Additional address space will be allocated from the NHS private address space (10.0.0.0/8) by the TN service provider. TN connected organisations can apply for additional addresses through the BT helpdesk on 0800 085 0503 (select option 3).
Address allocation requests and escalations
It's likely that in some instances a request will be rejected due to either:
- the request not conforming to policy - for example, the allocation requested is too large based upon the organisation size, or the proposed schema does not represent an efficient use of address space
- an absence of supporting documentation submitted in support of a large allocation request.
In these instances, the allocation request will be reviewed by NHS Digital and, where appropriate, an interim "small site" allocation will be provided.
For more information please contact the BT helpdesk on 0800 085 0503 (select option 3).
The use of registered Réseaux IP Européens addresses
There are some instances where the routing of registered Réseaux IP Européens (RIPE) addresses across the TN has been supported. NHS Digital recommends that organisations that currently use registered RIPE addresses that were approved for use on N3/TN continue to do so and maintain this RIPE scheme for transition to the Health and Social Care Network (HSCN).
Organisations that have previously obtained registered RIPE addresses from the Authority [2] should return any of this address space that is not in use or no longer required to NHS Digital. To do this, please contact DNSTeam@nhs.net.
[2] NHS Digital or predecessor organisation including the Health and Social Care Information Centre, NHS Connecting for Health, NHS Information Authority, or Local Communications Management Group.
IP address ranges for key NHS infrastructure
For the purposes of internet access, the TN internet gateway will continue to translate internal NHS addresses to registered addresses. By default, as with all internal address ranges, the NHS private address space will not be advertised outside the boundary of the TN.
A number of dedicated gateways are currently connected to the TN. These include Department of Health (DH), the Joint Academic Network (JANET), and the National Blood Service (NBS). These gateways will continue to translate internal NHS addresses to registered addresses. The NHS private address space will not be advertised outside the boundary of the TN.
Connections to the TN for National Application Service Provider Data Centres will use registered RIPE addresses and NHS private address space as required. The use of registered RIPE address space will be at the discretion of NHS Digital and pertinent to key national applications only. This initiative will assist in minimising the occurrence of network overlap with non-compliant end sites.
IP addressing for voice services over the TN
It is standard practice for organisations deploying Voice over Internet Protocol (VoIP) solutions to use separate virtual local area networks (VLANs) for voice and data devices and traffic. The primary reason for this is to increase security, as personal computers are especially vulnerable to attack and can be used to break into the VoIP system to eavesdrop or to deny service to the voice applications. Keeping the voice and data traffic on separate VLANs also simplifies setting up quality of service (QoS) as priority can be given to VoIP packets based on the VLAN identifier (VLAN ID).
In order to support NHS organisations wishing to deploy their own VoIP solutions and those ordering TN hosted voice services (HVS), the TN service provider will allocate VoIP addresses from separate ranges to those used for data services. The VoIP addresses are allocated from specific reserved ranges in the NHS private address space (10.0.0.0/8). NHS organisations wishing to use the TN to carry VoIP traffic must submit their VoIP addressing requirements (for example, based on the number of VoIP telephone handsets that need to be supported) to the TN-SP using the TN IP addressing request form. The form can be obtained from the BT helpdesk on 0800 085 0503 (select option 3).