[sounds]

To send router advertisement packets to a remote network (obviously spoofing the return address) shouldn't be very hard, but I don't know if firewalls or routers in between will refuse to forward the packet.

Anyone want to perform a test with me?

[lloeki]

Since this is a neighbour discovery mechanism, RAs/RSs are mandated to be link-local (either LL multicast when non solicited or LL unicast in reply to sollicitation), therefore the scope will kill routing. A router passing around such crafted RA/RS or a node not dropping such crafted RAs would be non-compliant and would just break the neighbour discovery mechanism anyway even without any form of attack as it does not make any sense.

Therefore the attack is bounded to the neighbour router(s).

From the RFC [0]

    Source Address
                     MUST be the link-local address assigned to the
                     interface from which this message is sent.

[0]: http://tools.ietf.org/html/rfc4861#page-19