Ipv6 adresses from the same home?
-
Hi there,
I need to figure out if these ipv6 adresses are from the same home (see below). I‘m not sure because while researching I did read that the first 3 or the first 4 hex-Numbers are uniquely assigned to a user.
Case 1: log in from a windows device on 30.12.2021 to google account 1 with the ip 2003:c5:3f02:6001:e88d:cf9d:ca23:59ff
Case 2: log in from an android smartphone on 02.01.2022 to google account 1 with the ip 2003:c5:3f02:6001:e88d:cf9d:ca23:59ff (-> same home)
Case 3: log in from a windows device on 30.12.2021 to google account 2 with the ip 2003:c5:3f02:6064:6815:bd58:386d:6337 (-> same home?!)
Many thanks
-
The 3rd case is not likely from the same home, unless they've changed their address. You have to consider how long the prefix is. Judging from the 3 cases, it's possible they all come from the same /56 prefix, with the first 2 on one /64 from the /56 and the 3rd on another.
-
@jknott thank you for your fast reply! Just in case the person changed the ip on the windows device on the 30th of December intentionally. Does this change only affect the windows device or also the android smartphone (log in on 2nd of January)?
-
With IPv6, you don't normally set an address. With SLAAC, an address is often based on the MAC address, though it could also be based on a random number. The prefix may change, depending on the ISP. Mine's solid. If the same device is used with different a different prefix, the rightmost 64 bits would be the same. However, there is a complication. IPv6 can use "privacy addresses", which can change daily, so the prefix would remain the same but not the 64 bit suffix.
What size prefix does your ISP provide? That could help answer your question.
Bottom line, if they have a /56 or /48 prefix, it's entirely possible all those addresses are from the same customer. However, if they have a /60 or /64, they would be 3 different customers. If I put my modem into gateway mode, I would get a single /64. But since my ISP provides a /56, I could configure pfsense to get anything between /56 and /64. You could fit 256 customers, with a /64 into a /56. So, it's hard to say without knowing what size prefix the customers have and there's no way to know from the other end.
Is this a real problem? Or a homework question?
-
@tk91 yes, it is the same house
-
@silence
That's only true if it's a /56 or shorter prefix. If it's a /60 or /64, it's different houses. This is why I said you can't tell without knowing the prefix size.
-
@silence
Here are a couple of extreme examples. Suppose those are on point to point links, where you could have a /127 prefix. Or it could be a WAN address for a firewall, which might be a /128 prefix, as is the case on my pfsense box.
-
Those could for sure be the same house.. User gets a /56 from their ISP, they use /64 out of that for their lan devices, and use a different /64 for their wifi, etc.
You can get say a /48 for use at your house, depending on your ISP, etc.
Keep in mind many isp love to change what they hand out to a user, so day 1 they could have A/56 and tmrw they have B/56, so all the /64s they use behind their router would now change as well.
-
And anyone with a modem in gateway mode would have a single /64. Without knowing the prefix size, there's no way to answer that question.
-
@jknott Pretty sure he was asking how/way the IPs are so different, but he knows they are the same house.. That is what stated and from what device was logged in from..
But yeah, while for sure its possible they are the same house.. Without some details you can not be sure..
-
Thank you all for your answers and discussion. Unfortunately it’s a “real problem”. There is a person who I trusted before but this person is now in suspicion for a bad deed. While changing my passwords (way too late I did that) I saw a log in to my personal account that was definitely not made by myself. It’s possible that that person had an auto login but I also had the hunch this person spied my personal mailbox (which is of great concern because I was in touch with official entities). Well I think the chance is quite low I forgot to logout somewhere and that that device has the same /56 prefix as that person. So I can just hope that was an auto login or that person did not found anything. Thank you all.
