I don't have IPv6 yet, but I am interested in seeing what this is all about so that I will be ready.
So if I understand correctly, the ISP will only assign you the first part of your IP, allowing you to use all IPs within that IP range. The router will then DHCP assign these IPs to all the devices inside your LAN. No complex TCP/IP routeing will be needed by the router because packets will come from the internet destined at the device's IP.
Yes. It's more complicated than IPv4 because there are some rules. A local area network should have a /64 prefix assigned so that the IPv6 address assignment mechanisms (for example, SLAAC based on the MAC address) work. If you want to create more networks you should request more /64 segments. Some corporate ISPs assign, for example, /48 prefixes which you can split into /64's in order to use them for several nets.
Indeed, there is no need for NAT. Every device in your network can have its own IP address. Even every service in your network can have its own IPv6 address.
Then the firewall has to specifically be set up so that it doesn't just let any packet from the internet into the LAN onto those internal IPs, but allow all traffic between these IPs inside the LAN. Otherwise you could end up in a situation similar to plugging your PC directly into a modem without routeing and exposing all of your ports to the entire internet.
Did I get it right?
Yes and no. Filtering incoming connections is going to be very important, of course. Also, the failure mode is different from the IPv4 NAT router. In IPv4 with NAT, a misconfigured router is more likely to prevent any incoming connection. So your crappy webcam, baby monitor, etc., will be "safe" from the Internet.
With IPv6, a misconfigured router with no filtering might leave everything open.
On the other hand, the IPv6 address space is so huge there are no address scans. I have been monitoring my line for two years (a whole /48) and I haven't seen any scans yet.
However, remember that when you visit a website (which could be a malicious website, for example, linked from a spam email message) you are making your IPv6 address known and you might receive a port scan.
I like to make a warfare analogy to compare IPv4 and IPv6. If IPv4 is like land warfare, in which your position is likely known and you rely on trenches, armor, etc., IPv6 is more like war at sea. You can hide in such a vast place and you can be really difficult to find. However, you can reveal your position by transmitting a radio signal.
As it happens in naval warfare, with IPv6 you can do the equivalent of scattering your ships, though. Imagine that your computer has some file sharing application to use at home and, at the same time, you are browsing the web. You can use randomly generated throw-away IPv6 addresses for web browsing, while your file sharing service listens on a different address. If properly generated (i.e., not guessable) and your service doesn't listen on the temporary addresses, it won't be feasible to find your file sharing service doing an address scan, so for all practical purposes it will be reasonably secure without a firewall.
The throw away addresses for outgoing connections are already standard behavior, but in my article linked some posts ago I propose to tweak that mechanism so that those temporary addresses are not available for sockets listening on INADDR6_ANY.
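
An added example, not part of the original posts: a small Python audit that checks whether the address a service listens on has a guessable interface identifier (low-numbered, or SLAAC derived from the MAC address), and puts numbers on the /64 and /48 sizes discussed above. The function names, the 2001:db8::/32 documentation addresses, the "low-numbered" threshold and the probe rate are assumptions made for illustration.

```python
import ipaddress

# Assumption: identifiers at or below this value count as "low-numbered".
LOW_IID_LIMIT = 0xFFFF

def iid_of(addr):
    """Return the low 64 bits (interface identifier) of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)

def classify_iid(addr):
    """Label how guessable the interface identifier of addr looks."""
    iid = iid_of(addr)
    if iid <= LOW_IID_LIMIT:
        return "low-numbered"        # e.g. ::1, ::53, assigned by hand
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui64-mac-derived"   # SLAAC modified EUI-64: ff:fe in the middle
    # No known pattern matched; this does not prove the value is random.
    return "no-obvious-pattern"

def mac_from_eui64(addr):
    """Recover the MAC address embedded in a modified EUI-64 identifier."""
    b = iid_of(addr).to_bytes(8, "big")
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]   # undo the U/L bit flip, drop ff:fe
    return ":".join(f"{x:02x}" for x in mac)

def years_to_sweep(prefix, probes_per_second):
    """Years needed to probe every address in prefix at the given rate."""
    total = ipaddress.IPv6Network(prefix).num_addresses
    return total / probes_per_second / (365 * 24 * 3600)

def count_lans(site_prefix):
    """Number of /64 LAN prefixes inside a larger delegated prefix."""
    return 2 ** (64 - ipaddress.IPv6Network(site_prefix).prefixlen)

# Constructed sample addresses inside one documentation /64.
SAMPLE_LISTENERS = [
    "2001:db8:0:1::1",
    "2001:db8:0:1:211:22ff:fe33:4455",
    "2001:db8:0:1:9c4e:71a2:3b5d:e08f",
]

if __name__ == "__main__":
    for a in SAMPLE_LISTENERS:
        print(f"{a:40} {classify_iid(a)}")
    print("MAC leaked by EUI-64:", mac_from_eui64(SAMPLE_LISTENERS[1]))
    print("/64 LANs in a /48:", count_lans("2001:db8:1234::/48"))
    # Assumed probe rate: one million probes per second.
    print("Years to sweep a /64:", round(years_to_sweep("2001:db8:0:1::/64", 1_000_000)))
```

Addresses flagged "low-numbered" or "eui64-mac-derived" shrink the search space far below 2^64, so the hiding-at-sea argument only applies to the third kind.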