Your router at home can connect to the internet via three different types of connections:
While nowadays IPv4 and Dual Stack connections just work fine, DS Lite might make you scratch your head in regards to incoming connections.
The reason is that IPv6 is not backwards compatible with IPv4.
Let's imagine a server (like a mailserver) is assigned an IPv6 address only. This means that no client with an IPv4 address only would be able to connect. Now imagine you run a server like FTP or VPN in your LAN. If your internet router is connected with DS Lite, it can be accessed from the outside via IPv6 only.
Today in 2018 this excludes all of the mobile devices in Germany (e.g. connected via Vodafone or T-Mobile ISP). Btw: A solution for this problem would be "port mapping" which I won't address here.
Btw: If your home router currently connects via IPv4 only, try to enable support for IPv6 via your router settings. If you're lucky you can "switch" from IPv4-only to Dual Stack or IPv6 via tunnel.
Now you might wonder, if your DS Lite account is limited to IPv6 incoming connections only, how is it possible you can still connect to external IPv4 addresses?
This is possible because your ISP uses an IPv6 tunnel carrying IPv4 traffic inside its own network. From a high level point of view this is how it works:
As you can see your ISP doesn't need to buy a public IPv4 address for each and every customer, like you.
If your device supports IPv6 addresses it will connect "directly" to the target IPv6 server. Actually the target server will see your PC's IPv6 address as the origin address, no more hiding behind your router's public IP.
In the last chart above you've seen that each device uses a public IPv6 address. So what about private addresses? Actually there is nothing like a public or private address in the world of IPv6. Something similar is available, but it goes by a different name. Let's start from the beginning:
From a high level view an IPv6 address is made of two parts:
Let's take a look at three different types of IPv6 addresses:
Link-local (prefix FE80::)
If you run ipconfig / ifconfig on your device you'll see an IPv6 address that starts with FE80::
This is a constant address which is used for communication inside your LAN, across switches but not across routers.
The prefix FE80:: is always the same and is followed by the suffix (aka interface identifier). The latter is generated automatically (usually based on the MAC address).
Unique Local Addresses - ULA (FDxx:)
Equivalent to private addresses in an IPv4 network, these start with FDxx: and cannot be routed to the internet. Someone may think this provides the highest security as everything is hidden behind your router. Actually a routable IPv6 address placed in a subnet and protected by a (router's) firewall will provide the same level of security (see below).
Global Unicast Addresses - GUA (2000::/3)
Equivalent to public IPv4 addresses but no longer limited to a router. Instead every device in your local network can be assigned a global address that is routable.
Three ways are available for a device to obtain its IPv6 address:
In a nutshell SLAAC is always used for link-local addresses and in home environments usually by default for unique local addresses.
Using the Neighbor Discovery Protocol (NDP) the client device can send a Router Solicitation message (a special ICMPv6 packet type) to locate the local router(s). The router itself will answer with a Router Advertisement message. This message is also sent periodically even without a request. It contains several link and internet parameters, e.g. the MTU and the IP address prefix (assigned by the ISP). This prefix combined with the 'interface identifier' part of the link-local address generates the global address. As long as you stay with the same ISP this address will never change.
Someone can now assume that a specific device will always communicate from the same source IP address (in case the ISP hasn't changed). This is only true as long as "Privacy Extensions" haven't been enabled. All modern operating systems have Privacy Extensions enabled by default and as such you'll end up with an IPv6 address whose 'interface identifier' is not based on the MAC address (but on a random hash). Windows 10 for example will show both the real and the fake address if you run ipconfig. The 'temporary address' is used for outgoing connections until the next reboot. You definitely want to disable this for services (like FTP) or at least use a DNS name.
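The mechanics described in the last few paragraphs (prefix + interface identifier, MAC-derived versus random identifiers) can be worked through in a few lines of Python. The following is an added example written for this article, not code from the original post: it classifies an address into the three types above, builds the SLAAC address from a /64 prefix and a MAC address the way the text describes, and, as a defender's check, recovers the MAC from any address whose identifier was derived from it (a privacy-extension address yields nothing). The MAC and the 2001:db8::/64 prefix are constructed sample values, and all function names are this example's own.

```python
import ipaddress
import re

# Address ranges from the article: link-local, unique local (ULA), global unicast.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")    # FDxx: addresses live here
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def classify(addr):
    """Return the address type the article distinguishes, or 'other'."""
    ip = ipaddress.IPv6Address(addr)
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in UNIQUE_LOCAL:
        return "unique-local"
    if ip in GLOBAL_UNICAST:
        return "global-unicast"
    return "other"


def mac_to_eui64(mac):
    """Build the modified EUI-64 interface identifier from a 48-bit MAC:
    insert ff:fe between the two MAC halves and flip the universal/local bit."""
    octets = bytes.fromhex(re.sub(r"[:\-]", "", mac))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix, mac):
    """Combine a /64 prefix (fe80::/64 for link-local, or the prefix the
    router advertised from the ISP) with the EUI-64 identifier of the MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def embedded_mac(addr):
    """If the interface identifier is EUI-64 derived, return the MAC it
    exposes; return None for random (privacy-extension) identifiers."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02          # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses):
    """Defender's check over a list of configured addresses (e.g. copied from
    ipconfig / ifconfig): which routable ones reveal the hardware MAC?"""
    return {a: embedded_mac(a) for a in addresses
            if classify(a) == "global-unicast" and embedded_mac(a)}


if __name__ == "__main__":
    MAC = "00:1a:2b:3c:4d:5e"                    # constructed sample MAC
    PREFIX = "2001:db8:1234:5678::/64"           # constructed ISP prefix
    link_local = slaac_address("fe80::/64", MAC)
    global_addr = slaac_address(PREFIX, MAC)
    temporary = "2001:db8:1234:5678:3d1f:9a77:c2e:b1d4"  # constructed random IID
    for a in (link_local, global_addr, temporary):
        print(f"{a:40} {classify(a):15} mac={embedded_mac(a)}")
    print("addresses leaking a MAC:", audit([link_local, global_addr, temporary]))
```

Run as a script it prints the link-local and global address derived from the sample MAC, both flagged as leaking it, while the constructed temporary address (no ff:fe marker in the identifier) passes the audit. A stable EUI-64 address on a server is exactly what the article recommends for inbound services; the audit is what you would run on workstations where the same stability turns into a tracking identifier.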