So, in closing, from CERT I got the following:
Essentially, RFC 3756 Section 4.4 lists several possible ND and RD attacks
that may be possible based on your reading of Section 4.2.7. These attacks
are well-known and have been discussed before publicly (hence being in the
RFC). Fake ND and RD responses in IPv6 are similar to ARP poisoning in the
IPv4 world; rogue nodes can do this. In short, this is a real issue, but an
already known one.
Since this isn't news, and the embargo has ended, I'll publish some more
content about what's up, why it isn't the end of the internet, and how to play
havoc with your local network and make devices unable to route IPv6 packets.