13

This is probably going to sound like an ignorant question, so forgive me if I'm missing something obvious here.

To my understanding, the point of dynamic IP addresses with IPv4 was due to the fact that there weren't enough addresses to go around for everyone. Cycling the addresses allowed people to use an available address to avoid two people having the same IP address.

Now with IPv6, this is something that still seems to be going on. If I use an online IPv6 test, it will report different addresses on occasion. Given the sheer number of addresses IPv6 can support, why aren't the addresses static? Is there a security reason for this? Some practical reason I'm not aware of? Or is it simply just for ISPs to continue selling static IPs at higher prices?

hiigaran
  • 311

2 Answers

10

Devices on the Internet are assigned a unique IPv6 address, which causes concerns for privacy and tracking.

To mitigate the problem, the IPv6 address assigned to a device by the local router is dynamically changed from time to time according to configured parameters.

The IPv6 stateless address autoconfiguration generates addresses using a combination of locally available information and information advertised by routers. Addresses are formed by combining network prefixes assigned by the ISP with an interface identifier generated locally, usually incorporating elements from the device's MAC address and a random part.

IPv6 addresses have 128 bits, where the most-significant 64 bits are the routing prefix from the ISP and the local area assigns the other 64 bits.

This is why your devices will have different IPv6 addresses whenever you restart the device or exceed some router parameters.

For assigning IPv6 addresses, there are two flavors: Stateful DHCPv6 and Stateless DHCPv6. You may read more about it in this answer of mine, and in Wikipedia IPv6 Addressing.

harrymc
  • 498,455
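The answer above describes how a SLAAC address is built: a 64-bit prefix advertised by the router plus a 64-bit interface identifier derived from the MAC. The following is an added illustration, not code from the answer or from any operating system's stack; it implements the modified EUI-64 construction from RFC 4291 Appendix A and the prefix/interface-ID split, and the prefix and MAC values are constructed sample inputs.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a
    48-bit MAC: insert 0xFFFE between the OUI and the device part, then
    invert the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # flip the U/L bit: globally unique MAC -> 1 in the IID
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """Combine the /64 on-link prefix from a Router Advertisement with the
    EUI-64 interface identifier, as classic (pre-privacy) SLAAC does."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs exactly a 64-bit prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def split_address(addr: str) -> tuple[str, str]:
    """Return (routing prefix, interface identifier) as hex strings: the top
    64 bits come from the ISP/router, the low 64 bits from the device."""
    value = int(ipaddress.IPv6Address(addr))
    prefix_bits = value >> 64
    iid_bits = value & ((1 << 64) - 1)
    return f"{prefix_bits:016x}", f"{iid_bits:016x}"


if __name__ == "__main__":
    # Constructed sample values: a documentation prefix and a made-up MAC.
    addr = slaac_address("2001:db8:1234:5678::/64", "00:11:22:33:44:55")
    print(addr)                # 2001:db8:1234:5678:211:22ff:fe33:4455
    print(split_address(addr)) # ('20010db812345678', '021122fffe334455')
```

The `ff:fe` in the middle of the interface identifier and the flipped second bit are what make an EUI-64 address recognisable as MAC-derived, which is the tracking concern the answer mentions.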
8

Now with IPv6, this is something that still seems to be going on. If I use an online IPv6 test, it will report different addresses on occasion. Given the sheer number of addresses IPv6 can support, why aren't the addresses static? Is there a security reason for this? Some practical reason I'm not aware of? Or is it simply just for ISPs to continue selling static IPs at higher prices?

IPv6 addresses are generally assigned in two or three parts: the 48–64 bit prefix (i.e. address range) given to a customer by the ISP; the 0–16 bit subnet ID chosen by the customer (or their router); and the 64-bit suffix (interface ID) usually chosen by the device itself. All parts can perfectly well be static.


For home customers the prefix is usually assigned via DHCPv6 Prefix Delegation, and just like an IPv4 DHCP-assigned address it can remain static as long as the router keeps re-requesting the same lease – essentially forever.

If you get a dynamic prefix, that's sometimes a router problem (it's not using the same DUID) but more commonly the ISP deliberately gives you a different prefix every time. (As with IPv4, this can be either for 'privacy' reasons, or because of technical issues, or because they want to charge you more on a "business" plan.)

Dynamically allocated prefixes are not due to address shortage. An ISP always starts with at least a /32 address range (or even a /29 very easily), and going by the current recommendation of "/56 per customer", this already provides space for 16 million customers (or 134 million if the ISP has a /29). The latter number is practically 1/32nd of the entire IPv4 Internet, and larger ISPs can still get more.


The suffix is a different story since it's usually chosen by the device itself (the router only broadcasts the 64-bit prefix to use). In the beginning, all suffixes were based directly on the MAC address, and this was a bit of a privacy issue – e.g. with a mobile phone you would get the same suffix everywhere, so a website could easily track your movements.

To avoid this, RFC 4941 "Privacy Extensions" were introduced, which had devices additionally generate a completely random temporary suffix and change it every 10 hours. This is probably what you're seeing in websites. (The static MAC-based address still remains perfectly usable though, just not revealed to websites by default.)

More recently, to combine the best of both worlds, RFC 7217 "stable privacy" addresses were introduced. These replace MAC-based suffixes with hash-based ones; the suffix looks completely random but remains stable as long as the prefix remains stable. (However, if you move to a different network or if the ISP issues you a different prefix, the suffix becomes different as well.)

However, even if these new addresses are in use (such as in recent Windows versions), they don't supersede the periodically-rotated "Privacy Extensions" addresses – you still get both the stable one and the temporary one.


So in short:

  • If the first half of the address keeps changing, call your ISP or search various IPv6-related forums.

  • If the second half of the address keeps changing, disable 'Privacy Extensions' in your operating system.

grawity
  • 501,077
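The answer above contrasts three kinds of suffix: the MAC-based EUI-64 one, the randomly rotated RFC 4941 temporary one, and the hash-based RFC 7217 stable one. As an added example (not code from the answer, nor any operating system's implementation), the block below sketches all three and adds the check an auditor would want: spotting addresses whose suffix still embeds a hardware address. The RFC 7217 part uses HMAC-SHA256 as the function F and keeps the low 64 bits of the result; that choice, the secret key, the interface name and the prefixes are all constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import ipaddress
import secrets

UL_BIT = 1 << 57  # universal/local bit: 0x02 of the first IID octet


def stable_privacy_iid(prefix: str, iface: str, secret_key: bytes,
                       network_id: bytes = b"", dad_counter: int = 0) -> int:
    """RFC 7217-style identifier: F(Prefix, Net_Iface, Network_ID,
    DAD_Counter, secret_key). Same inputs -> same suffix; a new prefix
    (or a new network) -> a different, unlinkable suffix.
    Assumption for this example: F = HMAC-SHA256, low 64 bits kept."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    msg = (int(net.network_address).to_bytes(16, "big")
           + iface.encode() + network_id + bytes([dad_counter]))
    digest = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[-8:], "big")


def temporary_iid(rng=secrets.randbits) -> int:
    """RFC 4941/8981 temporary identifier: 64 random bits with the U/L bit
    cleared so it can never be mistaken for a globally unique EUI-64.
    `rng` is injectable only so the result can be checked deterministically."""
    return rng(64) & ~UL_BIT


def with_iid(prefix: str, iid: int) -> str:
    """Attach a 64-bit interface identifier to a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def leaked_mac(addr: str):
    """Return the MAC embedded in an EUI-64 interface identifier, or None.
    Defender use: scan address logs for hosts that still expose a hardware
    identifier and therefore lack privacy/stable addressing. The 0xFFFE
    marker is a heuristic; a random suffix matches it with probability 2^-16."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]  # drop FFFE, restore U/L bit
    return ":".join(f"{x:02x}" for x in mac)


if __name__ == "__main__":
    key = b"constructed-per-host-secret"        # assumption: random in practice
    home = "2001:db8:1234:5678::/64"             # constructed ISP prefix
    cafe = "2001:db8:abcd:1::/64"                # constructed other network
    print(with_iid(home, stable_privacy_iid(home, "eth0", key)))  # stable at home
    print(with_iid(cafe, stable_privacy_iid(cafe, "eth0", key)))  # different elsewhere
    print(with_iid(home, temporary_iid()))                         # changes every run
    print(leaked_mac("2001:db8:1234:5678:211:22ff:fe33:4455"))     # 00:11:22:33:44:55
    print(leaked_mac("2001:db8::1"))                               # None
```

Running `leaked_mac` over the addresses seen in a firewall or web-server log is a cheap way to find the hosts that would benefit from enabling stable or temporary addresses, which is the mitigation side of the tracking concern both answers raise.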