[dfc]

I'm not defending the disclosure procedures but I think the author is under the impression that Apple is not going to care/respond and therefore not worth waiting X days before announcing publicly:

"The new version of the attack is powerful enough that I decided to formally notify Apple. I don't expect them to care much--Microsoft certainly didn't think this was important to them, and Windows is much more vulnerable."

Its also worth noting that while this vuln has a high availability impact it is also requires very specific network access, ie you can't run this from your cable modem and kill a random box on the internet.

[sounds]

To send router advertisement packets to a remote network (obviously spoofing the return address) shouldn't be very hard, but I don't know if firewalls or routers in between will refuse to forward the packet.

Anyone want to perform a test with me?

[lloeki]

Since this is a neighbour discovery mechanism, RAs/RSs are mandated to be link-local (either LL multicast when non solicited or LL unicast in reply to sollicitation), therefore the scope will kill routing. A router passing around such crafted RA/RS or a node not dropping such crafted RAs would be non-compliant and would just break the neighbour discovery mechanism anyway even without any form of attack as it does not make any sense.

Therefore the attack is bounded to the neighbour router(s).

From the RFC [0]

    Source Address
                     MUST be the link-local address assigned to the
                     interface from which this message is sent.

[0]: http://tools.ietf.org/html/rfc4861#page-19