Risks of Using Non-Private IP Addresses Internally

Tags: ipv4, routing

My company has received a large industrial machine with many networked devices on it. Unfortunately the engineer in charge has used a public IP address range on the machine. I'm in Europe. The chosen address range belongs to a USA company. Let's say it's 143.166.0.0 (which actually belongs to Dell).

Let's assume I don't connect the machine to our company LAN (for now) but I do connect my laptop to it to program a device – say 143.166.0.1. Let's also say that my laptop wireless network adaptor is connected to the company LAN and hence to the Internet. Now I have two possible routes to two devices that share an address: the local one I want, and the Dell address.

My question is, "How worried should I be?" What should and would happen in this case? My guess is that the local machine would respond first and that I might get away with it, but that eventually I will get bitten. Incidentally, I've seen public IP addresses on other machines too. It seems the engineers either don't understand private addressing or don't expect their machine to be connected to the wider world.

Any ideas / comments (that don't involve violence to the machine engineer)?

Epilogue

We found an interesting problem that has forced us to change the IP addresses to private.

  • One of the devices on the machine is programmed via Internet Explorer using an ActiveX component. This device will try to push data to the ActiveX 'listener' (rather than the usual browser mode of requesting data from a remote server).
  • Our Active Directory configuration downloads security policies to our computers at login. Included in the policy is the list of trusted sites. These include:
    • Approved company addresses.
    • Various external addresses such as our bank.
    • Private addresses 192.168.0.0/16, 172.16.0.0/20 and 10.0.0.0/24.
    • Everything else is blocked.
  • Due to the security policy, the ActiveX component never received any data as the incoming traffic is blocked by the security policy!

This has forced me to have the vendor change the addresses to 172.16.0.0. I'll sleep easier.

Thanks for all the interest.

Best Answer

Short answer: Duplicating allocated public addresses is a bad idea.

Slightly longer answer: Leaving aside the routing issues for the moment, it's not safe to assume that you will never need to reach this machine from some place other than a directly attached cable, or that public or private address allocations are static and will never change.

The remote-access issues are obvious: The global Internet thinks 143.166/16 is in one place, and you want it to be in another. Routers won't go to your machine.

And ownership could change. Even if this address weren't assigned to Dell, it could be allocated to them in the future. Dell does have this address today, but someone else might tomorrow, with a different route. Who knows? Your organization might even buy that address block, with even more routing adventures.

Bottom line: Don't assume duplicate IPs can safely be walled off forever.

As for the routing, your wired interface would prefer the local address over Dell's. Your wired interface would send an ARP request for that address and get it directly from the industrial machine, no gateway required. Thereafter, packets destined to that address would use the destination MAC address of the industrial machine.

That will work fine as you only use a cable for access, and as long as you never need to reach this machine from someplace else, and as long as the global routing table remains static.

That's a lot of ifs. You're better off avoiding the issue by using either a unique public address or something out of the private address pool.
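To make the answer's routing argument concrete, here is an added example (not part of the original answer) that models the laptop's routing table from the question as a constructed list of routes, applies the longest-prefix match a host performs, and checks whether an address plan actually sits inside an RFC 1918 block. The interface names, the company gateway 10.0.0.1 and the company LAN prefix are assumptions.

```python
import ipaddress

# Constructed routing table for the laptop in the question (assumed names):
# eth0 is cabled to the industrial machine, wlan0 carries the company LAN
# and the default route to the Internet.
LAPTOP_ROUTES = [
    ("0.0.0.0/0",      "wlan0", "10.0.0.1"),  # default route via company gateway
    ("10.0.0.0/24",    "wlan0", None),        # company LAN, directly connected
    ("143.166.0.0/16", "eth0",  None),        # machine's (public) range, directly connected
]

def select_route(destination, routes=LAPTOP_ROUTES):
    """Longest-prefix match, as the host's kernel does it.
    Returns (prefix, interface, next_hop); next_hop None means the packet is
    delivered on-link, i.e. the host ARPs for the destination itself."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, iface, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    if best is None:
        return None
    return (str(best[0]), best[1], best[2])

# The three RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private_plan(prefix):
    """True only if the whole prefix lies inside a single RFC 1918 block,
    so an addressing plan for the machine can be sanity-checked up front."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(block) for block in RFC1918)

if __name__ == "__main__":
    # With the cable plugged in the /16 wins over the default route.
    print(select_route("143.166.0.1"))
    # Unplug the cable (drop the eth0 route) and the same address goes to Dell.
    print(select_route("143.166.0.1", [r for r in LAPTOP_ROUTES if r[1] != "eth0"]))
    print(is_private_plan("143.166.0.0/16"), is_private_plan("172.16.0.0/16"))
```

Running the block shows the same destination switching from the on-link eth0 route to the wlan0 default route the moment the directly connected route disappears, which is the failure mode the answer warns about.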
