Support

Your question is already answered in our documentation:

Do note that Admin Tools supports IPv4 and IPv6 (if your server supports IPv6) for any form of IP you enter yourself (single IP, human readable block, implied IP range, CIDR block and subnet mask notation). However, IPv6 will not work with the Dynamic IP Domain Name entries.

Moreover, your question makes no sense. IPv4 vs IPv6 and static vs dynamic are two separate attributes. Think about summer tyres vs snow tyres and 15" rims vs 18" rims. You can have any combination of the two attributes: static IPv4, dynamic IPv4, static IPv6 and dynamic IPv6. So let's break it down.

IPv6 support. I have already done the work to support IPv6 several years ago and kept improving it since. There is nothing missing or left to do. Admin Tools supports IPv6 natively, including CIDR notations for IPv6 and IPv4-in-IPv6 encapsulation for legacy clients. Our only limitation is what PHP itself allows us to do.

Static vs dynamic address. If you want to use IP address whitelisting you must have a predictable IP address that you can guarantee that nobody else will have. This means that you need a static IP address. No static IP, no whitelisting.

You may notice that trying to support whitelisting with dynamic addresses we started supporting dynamic DNS entries prefixed by an at-sign, e.g. @example.dyndns.info. However, due to a limitation in PHP itself this method cannot support IPv6. This is something that PHP itself has not implemented. PHP cannot translate a hostname to an IPv6 address. If PHP makes that possible then yes, sure, we can support dynamic IPv6 address and, in fact, we would need to do absolutely nothing more than we are already doing.

Correct. I am working on an alternative way to support IPv6 dynamic DNS.

That said, I would recommend that you use another two protections on top of the administrator secret URL parameter.

First, use the administrator password protection feature in Admin Tools. This is applied at the web server level, before PHP gets the chance to load. This will discard a heck of a lot of junk traffic from script kiddies trying to brute force your administrator login without consuming even the minimal server resources that the administrator secret URL parameter does.

Second, I very strongly recommend using Two Factor Authentication (built into Joomla) OR Two Step Verification (e.g. Akeeba LoginGuard). Even if someone has the administrator password protection information, your administrator secret URL parameter and your username and password they will still be unable to login unless they have a device you own. So unless you are targeted by a hacking group with a heck of a lot of resources or someone holds a gun to your head they will be extremely unlikely to be able to log in to your site's administrator area.

IMHO, Two Step Verification is the best method for securing your administrator login. IPs can be spoofed. Usernames, passwords and secret words can be guessed or stolen. Compromising Two Step Verification requires attacking a physical device which is an entirely different ball game than hacking a PHP site.