Guidance

PSN IP address management

Published 27 October 2015

The PSN public IP address space

The IP addresses in use on PSN consist of multiple, non-contiguous blocks. Some of these are used for customer and service end-points; others are used by Government Conveyance Network Service Providers (GCNSP), Direct Network Service Providers (DNSP) and other PSN network providers for their own infrastructure. The blocks are owned and allocated by different organisations. PSN does not currently support IPv6 addressing.

The PSN public IP address space consists of those address blocks that are set aside for end-points on the PSN shared services VPN and on any other MPLS VPN that is shared by more than one organisation on the PSN. Note that both PSN Protected and PSN Assured sit within the PSN shared services VPN. A typical address block contains enough space for a large number of end-points. A portion of each block will have been allocated and deployed on PSN; the remainder is available for the owner to allocate to new customer and service end-points as the owner chooses.

Organisations that have public IPv4 addresses available ought to use these for their PSN end-points. Similarly, network service providers ought to continue using their current public IP ranges when provisioning services on the PSN. Where organisations, whether public or private sector, have no addresses available, a limited supply can be requested from PSN using the IP address form and guidance.

The PSN team needs to publish the list of summary blocks that make up the PSN public IP address space, so that suppliers can simplify their routing tables and minimise the cost of change as new end-points connect.

Obligation IP.5: mandatory for all connectivity service providers, and all end-point customers and service providers

PSN service providers and customers must not:

  • propagate PSN IP addresses outside of public sector networks
  • present them as a viable route reachable from non-public sector networks (such as the internet)

Obligation IP.8: mandatory for all connectivity service providers, and all end-point customers and service providers

Any organisation that allocates IP addresses for customer and service end-points on the PSN shared services VPN or any other shared MPLS VPN on PSN must:

  • keep the PSN team notified of all the summary blocks that they have set aside for PSN
  • specify the details of the block, and whether the block is for PSN Assured or PSN Protected use
  • allow the PSN team to publish the block information

Obligation IP.4: mandatory for all connectivity service providers, and all end-point customers and service providers

Any organisation that allocates IP addresses on the PSN must use separate IP ranges for network encryption services and endpoints.

Obligation IP.9: mandatory for all network service providers

Service providers must maintain routing between all points in the PSN public IP address space, so that when a new end-point connects there is minimal work required or cost incurred for changes to network routing.

The infrastructure layer

The underlying PSN infrastructure comprises numerous peer Network-to-Network Interface (NNI) connections configured between the applicable GCNSP, DNSP and other PSN networks.

Within this architecture, the addressable core transport services (GCN, DNSP and other PSN network elements) are separated from the higher-level PSN IP and application ‘service slices’, allowing clients and services to be provisioned without regard to the underlying delivery mechanism. All IP address allocation within the infrastructure layer is administered solely by the applicable service provider.

Obligation IP.1: mandatory for all network service providers

Service providers must use public IP addressing from their own address space when provisioning the shared infrastructure used for GCN, DNSP and other PSN networks, and for NNI connections with neighbouring service providers’ and consumers’ WAN devices on shared networks. Service providers must use public addressing for connections between:

  • GCN to GCN
  • GCN to DNSP
  • DNSP to other PSN networks
  • GCN, DNSP and other PSN networks to external networks, including the Internet
  • DNSP and other PSN networks to consumer Customer Edge Wide Area Network (CE WAN) port

Private addresses

Obligation IP.10: mandatory for all network service providers

RFC1918 private addresses must not appear on the PSN shared services VPN or any other shared MPLS VPN on PSN, unless approved by the PSN team.

Private addresses are permitted in certain use cases within a DNSP, where the DNSP has taken steps to ensure that the private addresses cannot proliferate or interfere with the good functioning of the PSN. Examples are:

  • within a customer’s Virtual Private Network (VPN) within a DNSP
  • internal device management overlays within a DNSP
  • Dynamic Multipoint Virtual Private Network (DMVPN) transit domains where all end hosts use registered addressing

A DNSP wishing to use RFC1918 private addresses within their network to support PSN services should consult with their GCN service provider to ensure that there will be no adverse impact on PSN function.
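The obligations above (IP.4, IP.5 and IP.10) are stated as prohibitions, and a provider will normally want to check its configuration against them before a change goes live. The script below is an added example, not part of this guidance and not a PSN tool: it uses Python's standard ipaddress module to audit three things, namely whether any prefix advertised towards a non-public-sector peer overlaps a PSN summary block (IP.5), whether any RFC1918 prefix appears in a shared VPN routing table (IP.10), and whether any end-point range shares address space with the ranges reserved for network encryption services (IP.4). The summary blocks, the encryption-service range and the sample route lists are constructed placeholders drawn from the RFC 5737 documentation ranges, not real PSN allocations, and the function names are the author's own.

```python
"""Audit helpers for the PSN addressing obligations IP.4, IP.5 and IP.10.

Added example: the block lists and route samples are constructed placeholders
(RFC 5737 documentation ranges), not real PSN allocations.
"""
import ipaddress

# Constructed: summary blocks an organisation has set aside for PSN end-points
# and notified to the PSN team (cf. Obligation IP.8).
PSN_SUMMARY_BLOCKS = [
    ipaddress.ip_network("192.0.2.0/24"),       # placeholder: PSN Protected end-points
    ipaddress.ip_network("198.51.100.0/24"),    # placeholder: PSN Assured end-points
]

# Constructed: range reserved for network encryption services (cf. Obligation IP.4).
ENCRYPTION_SERVICE_RANGES = [ipaddress.ip_network("203.0.113.0/26")]

# RFC1918 private address space (cf. Obligation IP.10).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def _parse(prefixes):
    """Parse prefix strings leniently (host bits set are tolerated) and keep IPv4 only,
    since the guidance states PSN does not support IPv6 addressing."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [n for n in nets if n.version == 4]


def _overlaps_any(prefix, blocks):
    # True if the prefix sits inside, equals, or covers any block in the list.
    return any(prefix.overlaps(b) for b in blocks)


def leaked_psn_prefixes(advertised, psn_blocks=PSN_SUMMARY_BLOCKS):
    """Obligation IP.5: prefixes advertised towards a non-public-sector peer
    (for example an internet transit) that overlap a PSN summary block.
    A covering aggregate such as 192.0.0.0/16 is flagged as well as a
    more-specific, because either makes PSN space appear reachable."""
    return [str(p) for p in _parse(advertised) if _overlaps_any(p, psn_blocks)]


def private_prefixes_on_shared_vpn(vpn_routes):
    """Obligation IP.10: RFC1918 space present in a shared MPLS VPN routing table."""
    return [str(p) for p in _parse(vpn_routes) if _overlaps_any(p, RFC1918)]


def encryption_endpoint_collisions(endpoint_ranges, encryption_ranges=ENCRYPTION_SERVICE_RANGES):
    """Obligation IP.4: end-point ranges that share address space with the ranges
    reserved for network encryption services."""
    return [str(e) for e in _parse(endpoint_ranges) if _overlaps_any(e, encryption_ranges)]


def audit(external_advertisements, shared_vpn_routes, endpoint_ranges):
    """Run all three checks and return the findings keyed by obligation."""
    return {
        "IP.5": leaked_psn_prefixes(external_advertisements),
        "IP.10": private_prefixes_on_shared_vpn(shared_vpn_routes),
        "IP.4": encryption_endpoint_collisions(endpoint_ranges),
    }


if __name__ == "__main__":
    # Constructed sample inputs: what an operator might export from a BGP
    # peer's outbound policy, a VRF routing table, and an IPAM export.
    findings = audit(
        external_advertisements=["192.0.2.128/25", "203.0.113.0/24", "8.8.8.0/24"],
        shared_vpn_routes=["10.10.0.0/16", "198.51.100.0/24"],
        endpoint_ranges=["203.0.113.0/24", "192.0.2.0/24"],
    )
    for obligation, bad in findings.items():
        status = "OK" if not bad else "VIOLATION " + ", ".join(bad)
        print(f"{obligation}: {status}")
```

The checks use overlap rather than strict containment so that an aggregate advertised outside the public sector that merely covers a PSN block is caught too; a prefix-list that permits only the provider's own public space towards external peers is the usual way to enforce IP.5 on the router itself, and this script is the pre-change sanity check, not a substitute for that filter.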