Guidance

Flattening obligations for PSN Protected network service providers

Updated 16 January 2018

Foreword

Government wants the Public Services Network (PSN) to operate as a single, flat network. This will let PSN network customers:

  • consume any service from either the PSN Protected (PSN-P) or PSN Assured (PSN-A) networks
  • have network traffic freely route between themselves and other customers

PSN-P providers will implement this flattening at the network level, and must do this to ensure their PSN compliance certificate remains valid.

These obligations only apply to PSN-P connectivity service providers, some of which also operate PSN-A networks. PSN-A only connectivity service providers don’t need to do any flattening.

Rationale

The PSN has been operated as 2 distinct shared networks that carried data separated into what was once called IL2 and IL3 traffic, which denoted the security classifications.

Following changes to the Government Security Classifications in 2014, both networks began to carry OFFICIAL traffic. This meant there was no longer a user need to have 2 separate networks, and the PSN could become a single network where traffic travels seamlessly.

In July 2015, changes to the government network policy mandated that the PSN become a single network.

We are now implementing PSN flattening to conform to the government network policy and to:

  • remove the suggestion that PSN-P and PSN-A are different trust domains
  • remove unnecessary legacy infrastructure
  • remove unnecessary and costly customer changes
  • reduce overall costs

There are 5 PSN-P providers. Government requires these providers to implement a simple and scalable solution to ensure all PSN network customers can reach each other by default. The solution must work for customers connected to any PSN network, not just from a network supplied by one of the PSN-P providers.

Approach

The diagram below shows how PSN-P and PSN-A will be flattened. All PSN-P providers must flatten via their PSN-A network to avoid asymmetric routing and ensure traffic is carried most efficiently. This approach means that all PSN-P providers must flatten before any single network customer has full access to all other network customers.

[Figure: An overview of the PSN flattening process, showing how PSN-P and PSN-A will be flattened, using PSN-A only.]

In addition to the existing routes across PSN-P (P1:P2, P2:P1) and across PSN-A (A1:A2, A2:A1), flattening will open up the routes between a provider’s PSN-P network and its own PSN-A network (A1:P1, P1:A1) and between its PSN-P network and all other providers’ PSN-A networks (A2:P1, P1:A2).

Obligations

Flattening obligations are identified by the prefix FLT.

Obligation FLT.1: mandatory for PSN-P providers

PSN-P providers must ensure traffic between PSN-P network customers stays on PSN-P. PSN-P providers must ensure traffic between PSN-A network customers stays on PSN-A.

A PSN network customer is:

  • an organisation that consumes PSN services, and must therefore sign a PSN Code of Connection (CoCo)
  • one that provides PSN application or hosting services and must therefore sign a PSN Code of Connection (CoCo) and PSN Code of Practice (CoP)

Obligation FLT.2: mandatory for PSN-P providers

A PSN network customer must not have to request any specific configuration or change to the flattened network to reach another customer. PSN-P providers must support this by ensuring all network customers:

  • on any PSN-A network reach all network customers on their own PSN-P networks
  • on their own PSN-P networks reach all network customers on any PSN-A network

Obligation FLT.3: mandatory for PSN-P providers

PSN-P providers may make PSN-P addresses unreachable to PSN-A network customers only on the instruction of the PSN team. The PSN team will maintain an exceptions list containing those unreachable PSN-P addresses.

If a PSN-P network customer wants its PSN-P addresses to be unreachable to PSN-A network customers, the PSN-P network customer must make a request for this to the PSN team via the PSN team contact centre. If the request is approved, the PSN team will notify all PSN-P providers.

If 2 PSN-P network customers are on the same subnet, one of which wants to be on the exceptions list, then the PSN team will decide what action needs to be taken, and by whom, to achieve the exception.

Obligation FLT.4: mandatory for PSN-P providers

PSN-P providers must ensure that if the Inter Provider Encryption Domain (IPED) fails, then PSN-P to PSN-P communication must fail. They must not route traffic via PSN-A.

Obligation FLT.5: mandatory for PSN-P providers

PSN-P providers must ensure their PSN flattening solution does not require any non-PSN-P providers to make any configuration changes to support flattening.
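
An added example, not part of this guidance or of any provider's tooling: a Python sketch of how a provider might audit reachability test results against obligations FLT.1 to FLT.4. The probe record layout, the network labels (P1, A2 and so on, following the route notation above), the addresses and the exceptions list are all constructed for illustration, and it assumes the IPED carries only traffic between different providers' PSN-P networks.

```python
from dataclasses import dataclass

@dataclass
class Probe:                     # one reachability test result (hypothetical format)
    src: str                     # source network, e.g. "P1" = provider 1 PSN-P
    dst: str                     # destination network, e.g. "A2" = provider 2 PSN-A
    dst_addr: str                # destination address that was probed
    reachable: bool
    transit: tuple = ()          # networks crossed in order, including src and dst

def audit(probes, exceptions, iped_up):
    """Return (obligation, src, dst, dst_addr) for every probe that breaks FLT.1-FLT.4."""
    findings = []
    for p in probes:
        s, d = p.src[0], p.dst[0]            # "P" or "A" tier of each end
        where = (p.src, p.dst, p.dst_addr)
        if s == d:
            # FLT.1: P-to-P stays on PSN-P, A-to-A stays on PSN-A.
            if p.reachable and any(n[0] != s for n in p.transit):
                findings.append(("FLT.1",) + where)
            # FLT.4: with the IPED down, inter-provider P-to-P must fail
            # (assumption: same-provider P traffic does not use the IPED).
            if s == "P" and p.src != p.dst and not iped_up and p.reachable:
                findings.append(("FLT.4",) + where)
        elif not p.reachable:
            if s == "A" and p.dst_addr not in exceptions:
                # FLT.3: a PSN-P address may be hidden from PSN-A only if listed.
                findings.append(("FLT.3",) + where)
            elif s == "P":
                # FLT.2: PSN-P customers reach PSN-A customers by default.
                findings.append(("FLT.2",) + where)
    return findings

# Constructed sample data using documentation address ranges.
EXCEPTIONS = {"198.51.100.5"}
SAMPLE = [
    Probe("P1", "P2", "192.0.2.10", True, ("P1", "P2")),
    Probe("P1", "P2", "192.0.2.11", True, ("P1", "A1", "A2", "P2")),
    Probe("A2", "P1", "198.51.100.5", False),   # on the exceptions list
    Probe("A2", "P1", "198.51.100.6", False),   # not on the exceptions list
    Probe("P1", "A2", "203.0.113.7", False),
    Probe("A1", "A2", "203.0.113.8", True, ("A1", "A2")),
]

if __name__ == "__main__":
    for iped_up in (True, False):
        print("IPED up" if iped_up else "IPED down")
        for finding in audit(SAMPLE, EXCEPTIONS, iped_up):
            print("  ", finding)
```

FLT.5 is not covered because it concerns changes required of other providers rather than observable reachability.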