IT Network Documentation - IPv4/v6 Public Facing addresses
Dear Department of Human Services,
I am writing to you to request information pertaining to your Information Technology infrastructure.
Namely, I am after records detailing the IPv4 (and if relevant, IPv6) addresses used to access the public internet from within your network.
To clarify, these are the public facing addresses of your private network. I am only requesting addresses that are used to access the general public internet.
In addition, if it is such that a particular IP address serves a particular area within your department (for example, one IP address is used for Media Relations, while another is used for Ministerial Communications), I also request access to this information.
To assist you in locating this information, I suggest it would be found in network documentation, or at the very least in configuration files of your router and firewall equipment.
Please do not hesitate to reply if you require clarification to fulfil this request.
I look forward to your response.
Yours faithfully,
Ben Fairless
Ben Fairless left an annotation
Guy,
There are several reasons why this information could be useful.
For example, website owners (such as Right to Know) could be interested in reporting on traffic from Government Agencies. I would personally be interested to know how often various Government agencies access Right to Know.
I've also heard of a Twitter account which sends out a tweet every time the Russian Government updates something on Wikipedia. This would rely on IP addresses to work (I think!).
I still think the request is valid under the FOI Act. s23(2) of the Act makes it clear that the Department cannot take into account any reason that I give for requesting access, or the Department's belief as to my reasons for requesting access[1].
I don't disagree that the information can be used for malicious purposes, but I don't think *all* uses are malicious.
Ben
[1] http://www.austlii.edu.au/au/legis/act/c...
Dear Mr Fairless,
Please find attached correspondence relating to your request for documents under the Freedom of Information Act 1982.
Regards
Julian Russell
Government Lawyer
FOI and Information Release Branch | Legal Services Division
Department of Human Services
This email and any attachments may contain information subject to legal
professional privilege or information that is otherwise sensitive or
confidential. If you are not the intended recipient of this email, you are
prohibited from using or disseminating this communication. If you have
received this communication in error please notify the sender immediately
and permanently delete this email.
**********************************************************************
IMPORTANT: This e-mail is for the use of the intended recipient only and
may contain information that is confidential, commercially valuable and/or
subject to legal or parliamentary privilege. If you are not the intended
recipient you are notified that any review, re-transmission, disclosure,
dissemination or other use of, or taking of any action in reliance upon,
this information is prohibited and may result in severe penalties. If you
have received this e-mail in error please notify the sender immediately
and delete all electronic and hard copies of this transmission together
with any attachments. Please consider the environment before printing this
e-mail
**********************************************************************
Guy IT left an annotation
Hi again,
While I understand and agree with the reasons you give (the public should be able to know the general actions of government organisations) this is perfectly possible with what information you have available to you.
Using currently available public registries you are able to perform reverse look-ups on any IP address and find the registrant/owner. I myself have done this several times for reporting on traffic to websites I control. If you had access logs for the Right to Know website, you would be able to show which government agencies viewed it (when and how much).
In the case of the Twitter example, the service would scrape the page of recent changes to Wikipedia (http://en.wikipedia.org/wiki/Special:Rec...) and perform reverse lookups on the IP addresses, checking for Russian government owned ones.
If you would personally be interested in more granularity (i.e. which specific sub-departments or even users were making accesses) then that is your preference, but I feel that releasing that information would not be useful, only more informative for malicious parties.
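Added example, not part of the annotation above or of any site's own code: a sketch of the access-log attribution it describes, where each client address is matched to the most specific registered prefix. The registry table, the department names and the log lines are all constructed, and the table stands in for answers that would normally come from a public registry lookup.

```python
import ipaddress
import re
from collections import Counter

# Constructed stand-in for registry (whois) answers: prefix -> registrant.
# Documentation ranges only (RFC 5737 / RFC 3849), not real agency addresses.
REGISTRY = {
    "192.0.2.0/24": "Example Department A",
    "192.0.2.128/25": "Example Department A, Media Unit",
    "198.51.100.0/24": "Example Department B",
    "2001:db8:a::/48": "Example Department A",
}
# Most specific prefix first, so a sub-allocation wins over its parent block.
PREFIXES = sorted(((ipaddress.ip_network(p), org) for p, org in REGISTRY.items()),
                  key=lambda item: item[0].prefixlen, reverse=True)

# Constructed access-log lines in Common Log Format.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2014:10:00:01 +1100] "GET /request/1 HTTP/1.1" 200 5120
192.0.2.200 - - [01/Mar/2014:10:02:17 +1100] "GET /request/1 HTTP/1.1" 200 5120
198.51.100.7 - - [01/Mar/2014:11:30:44 +1100] "GET / HTTP/1.1" 200 2048
2001:db8:a::15 - - [01/Mar/2014:12:05:09 +1100] "GET /help HTTP/1.1" 200 1024
203.0.113.9 - - [01/Mar/2014:12:06:00 +1100] "GET / HTTP/1.1" 200 2048
not-an-ip - - [01/Mar/2014:12:07:00 +1100] "GET / HTTP/1.1" 400 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ \S+')

def registrant_for(addr_text):
    """Return the registrant of the most specific matching prefix, or None."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return None  # client field is not an IP address
    for net, org in PREFIXES:
        if addr.version == net.version and addr in net:
            return org
    return None

def hits_by_registrant(log_text):
    """Count requests per registrant; unmatched clients are grouped together."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[registrant_for(m.group(1)) or "unattributed"] += 1
    return counts

if __name__ == "__main__":
    print(hits_by_registrant(SAMPLE_LOG).most_common())
```

Attribution is only as fine-grained as the registered prefixes: a sub-unit shows up separately only if the registry data lists its block.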
Dear Julian,
Thanks for your acknowledgement. I forgot to add that I would prefer this request be treated as a request for administrative access. Is this at all possible?
If for some reason the request cannot be dealt with in this way, please continue to treat it as a formal application under the Freedom of Information Act (from the date it was initially received).
Yours sincerely,
Ben Fairless
Dear Mr Fairless,
Please find attached correspondence relating to your request for information under the Freedom of Information Act 1982.
Regards
Julian Russell
Government Lawyer
FOI and Information Release Branch | Legal Services Division
Department of Human Services
Guy IT left an annotation
Dear both Department of Human Services, and Mr Ben Fairless,
I am writing to advise both of you on this issue. I do not believe this is a valid request to be made of the department.
As an IT professional, I cannot think of any situation where this information might be useful to any individual or organisation that does not intend to use it in a malicious manner. Anyone can access the 'Public IP information' for the organisation using 'whois lookup', in fact I performed this lookup myself and will provide the results here for you:
$ whois humanservices.gov.au
Domain Name: humanservices.gov.au
Last Modified: 24-Feb-2014 04:48:57 UTC
Registrar ID: Finance
Registrar Name: Department of Finance
Status: serverTransferProhibited
Registrant: Department of Human Services
Registrant ID: OTHER GOVAU-HIMI1001
Eligibility Type: Other
Registrant Contact ID: GOVAU-HIMI1001
Registrant Contact Name: Data Network Team
Registrant Contact Email: Visit whois.ausregistry.com.au for Web based WhoIs
Tech Contact ID: GOVAU-SHDA1002
Tech Contact Name: Gateway Operations
Tech Contact Email: Visit whois.ausregistry.com.au for Web based WhoIs
Name Server: dns1.humanservices.gov.au
Name Server IP: 203.13.3.6
Name Server IP: 2407:6a00:0:0:0:0:0:531
Name Server: dns2.humanservices.gov.au
Name Server IP: 203.13.3.7
Name Server IP: 2407:6a00:0:0:0:0:0:532
It is not the concern of the public to know how the organisation chooses to sub-allocate their IP addresses, or whether they only have one publicly facing IP address and use NAT (Network Address Translation) to connect their machines to the internet.
After a short brainstorming session, these are the possible activities I could think of that one could perform using a more detailed knowledge of an organisation's internal network address allocations.
> Targeted Denial of Service attacks - The malicious individual/organisation makes numerous unsolicited requests on servers/machines located at specific IP addresses in order to overwhelm them (potentially also causing issues downstream within the targeted organisation)
> If the user has access to Backbone network infrastructure (works for an ISP / Telco or has otherwise maliciously obtained access) they could snoop packets marked with specific IP addresses, analogous to wire tapping.
There are probably other possibilities, but again, I can't think of any non-malicious reasons anyone external to an organisation would need to know this information.
Thanks,