IT Network Documentation - IPv4/v6 Public Facing addresses

Ben Fairless made this Freedom of Information request to Services Australia as part of a batch sent to 29 authorities

This request has been closed to new correspondence from the public body. Contact us if you think it ought be re-opened.

The request was refused by Services Australia.

Dear Department of Human Services,

I am writing to you to request information pertaining to your Information Technology infrastructure.

Namely, I am after records detailing the IPv4 (and if relevant, IPv6) addresses used to access the public internet from within your network.

To clarify, these are the public facing addresses of your private network. I am only requesting addresses that are used to access the general public internet.

In addition, if it is such that a particular IP address serves a particular area within your department (for example, one IP address is used for Media Relations, while another is used for Ministerial Communications), I also request access to this information.

To assist you in locating this information, I suggest it would be found in network documentation, or at the very least in configuration files of your router and firewall equipment.

Please do not hesitate to reply if you require clarification to fulfil this request.

I look forward to your response.

Yours faithfully,

Ben Fairless

Guy IT left an annotation

Dear both Department of Human Services, and Mr Ben Fairless,

I am writing to advise both of you on this issue. I do not believe this is a valid request to be made of the department.

As an IT professional, I cannot think of any situation where this information might be useful to any individual or organisation that does not intend to use it in a malicious manner. Anyone can access the 'Public IP information' for the organisation using 'whois lookup', in fact I performed this lookup myself and will provide the results here for you:

$ whois humanservices.gov.au
Domain Name: humanservices.gov.au
Last Modified: 24-Feb-2014 04:48:57 UTC
Registrar ID: Finance
Registrar Name: Department of Finance
Status: serverTransferProhibited

Registrant: Department of Human Services
Registrant ID: OTHER GOVAU-HIMI1001
Eligibility Type: Other

Registrant Contact ID: GOVAU-HIMI1001
Registrant Contact Name: Data Network Team
Registrant Contact Email: Visit whois.ausregistry.com.au for Web based WhoIs

Tech Contact ID: GOVAU-SHDA1002
Tech Contact Name: Gateway Operations
Tech Contact Email: Visit whois.ausregistry.com.au for Web based WhoIs

Name Server: dns1.humanservices.gov.au
Name Server IP: 203.13.3.6
Name Server IP: 2407:6a00:0:0:0:0:0:531
Name Server: dns2.humanservices.gov.au
Name Server IP: 203.13.3.7
Name Server IP: 2407:6a00:0:0:0:0:0:532

It is not the concern of the public to know how the organisation chooses to sub-allocate their IP addresses, or whether they only have one publicly facing IP address and use NAT (Network Address Translation) to connect their machines to the internet.
After a short brainstorming session, these are the possible activities I could think of that one could perform using a more detailed knowledge of an organisation's internal network address allocations.

> Targeted Denial of Service attacks - The malicious individual/organisation makes numerous unsolicited requests on servers/machines located at specific IP addresses in order to overwhelm them (potentially also causing issues downstream within the targeted organisation)
> If the user has access to Backbone network infrastructure (works for an ISP / Telco or has otherwise maliciously obtained access) they could snoop packets marked with specific IP addresses, analogous to wire tapping.

There are probably other possibilities, but again, I can't think of any non-malicious reasons anyone external to an organisation would need to know this information.

Thanks,

Ben Fairless left an annotation

Guy,

There are several reasons why this information could be useful.

For example, website owners (such as Right to Know) could be interested in reporting on traffic from Government Agencies. I would personally be interested to know how often various Government agencies access Right to Know.

I've also heard of a Twitter account which sends out a tweet every time the Russian Government updates something on Wikipedia. This would rely on IP addresses to work (I think!).

I still think the request is valid under the FOI Act. s23(2) of the Act makes it clear that the Department cannot take into account any reason that I give for requesting access, or the Department's belief as to my reasons for requesting access[1].

I don't disagree that the information can be used for malicious purposes, but I don't think *all* uses are malicious.

Ben

[1] http://www.austlii.edu.au/au/legis/act/c...

FOI.LEGAL.TEAM,

1 Attachment

Dear Mr Fairless,

Please find attached correspondence relating to your request for documents under the Freedom of Information Act 1982.

Regards

Julian Russell

Government Lawyer

FOI and Information Release Branch | Legal Services Division

Department of Human Services

This email and any attachments may contain information subject to legal professional privilege or information that is otherwise sensitive or confidential. If you are not the intended recipient of this email, you are prohibited from using or disseminating this communication. If you have received this communication in error please notify the sender immediately and permanently delete this email.

Guy IT left an annotation

Hi again,

While I understand and agree with the reasons you give (the public should be able to know the general actions of government organisations) this is perfectly possible with what information you have available to you.

Using currently available public registries you are able to perform reverse look-ups on any IP address and find the registrant/owner. I myself have done this several times for reporting on traffic to websites I control. If you had access logs for the Right to Know website, you would be able to show which government agencies viewed it (when and how much).

In the case of the Twitter example, the service would scrape the page of recent changes to Wikipedia (http://en.wikipedia.org/wiki/Special:Rec...) and perform reverse lookups on the IP addresses, checking for Russian government owned ones.

If you would personally be interested in more granularity (i.e. which specific sub-departments or even users were making accesses) then that is your preference, but I feel that releasing that information would not be useful, only more informative for malicious parties.
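
The traffic-reporting approach described in the annotation above, as an added example that is not part of the original thread: a site operator's script that attributes its own access-log entries to network registrants. The prefix table stands in for registry lookup results and, like the log lines, is constructed; every prefix and registrant name is a hypothetical documentation value.

```python
import ipaddress
import re
from collections import Counter

# Constructed prefix-to-registrant table standing in for registry (whois)
# lookup results; documentation prefixes, hypothetical registrant names.
REGISTRANTS = {
    "192.0.2.0/24": "Example Agency A",
    "198.51.100.0/24": "Example Agency B",
    "2001:db8:a::/48": "Example Agency A",
}

# Constructed access-log lines (Common Log Format).
SAMPLE_LOG = """\
192.0.2.17 - - [01/Mar/2014:10:00:01 +1100] "GET /request/1 HTTP/1.1" 200 512
198.51.100.9 - - [01/Mar/2014:10:02:44 +1100] "GET / HTTP/1.1" 200 2048
2001:db8:a::25 - - [01/Mar/2014:10:05:10 +1100] "GET /body/list HTTP/1.1" 200 900
203.0.113.80 - - [01/Mar/2014:10:06:00 +1100] "GET / HTTP/1.1" 200 2048
not-an-ip - - [01/Mar/2014:10:07:00 +1100] "GET / HTTP/1.1" 400 0
"""

CLIENT_RE = re.compile(r"^(\S+) \S+ \S+ \[")

def build_table(registrants):
    """Parse prefixes once; longest prefix first so the most specific wins."""
    nets = [(ipaddress.ip_network(p), name) for p, name in registrants.items()]
    return sorted(nets, key=lambda item: item[0].prefixlen, reverse=True)

def registrant_for(addr, table):
    """Return the registrant whose prefix contains addr, else None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # malformed client field in the log
    # Membership is False across IP versions, so v4 and v6 can share a table.
    return next((name for net, name in table if ip in net), None)

def hits_by_registrant(log_text, registrants=REGISTRANTS):
    """Count requests per registrant; unmatched clients count as 'other'."""
    table = build_table(registrants)
    counts = Counter()
    for line in log_text.splitlines():
        m = CLIENT_RE.match(line)
        if m:
            counts[registrant_for(m.group(1), table) or "other"] += 1
    return dict(counts)
```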

Dear Julian,

Thanks for your acknowledgement. I forgot to add that I would prefer this request be treated as a request for administrative access. Is this at all possible?

If for some reason the request cannot be dealt with in this way, please continue to treat it as a formal application under the Freedom of Information Act (from the date it was initially received).

Yours sincerely,

Ben Fairless

FOI.LEGAL.TEAM,

1 Attachment

Dear Mr Fairless,

Please find attached correspondence relating to your request for information under the Freedom of Information Act 1982.

Regards

Julian Russell

Government Lawyer

FOI and Information Release Branch | Legal Services Division

Department of Human Services