Your understanding of IPv6 is poor if you think by not using a 64-bit
prefix you will be protected against rogue RA.
The prefix length you define on your router will have no impact on a
rogue RA sent out. IPv6 hosts can have addresses from multiple
prefixes on the same link. Choosing to make use of a 120-bit prefix
(for example) will do nothing to protect against a rogue RA announcing
its own 64-bit prefix with the A flag set.
You can use a 64-bit prefix and not use SLAAC as well. SLAAC is used
only when the A flag is set. It just so happens that the majority of
router implementations have it set by default.
You still need to filter RA from unauthorized hosts. Currently, many
switches can accomplish this using a PACL on access ports. In the
near future, we will begin to see the RA Guard feature become standard
on enterprise switches.
Mind you, you should be filtering out rogue RA regardless if whether
or not you have deployed IPv6. Windows ICS sending RA is a widespread
problem (honestly wish Microsoft would remove ICS from the default
There are some things that will break by not using a 64-bit prefix.
SLAAC can't function without it. Privacy Extensions for SLAAC can't
If you make use of a longer prefix, then you need to use either manual
configuration or DHCPv6 for address assignment.
All standards-compliant implementations of IPv6 will work with
prefixes longer than 64-bit. In production, we make use of 126-bit
prefixes for link networks, and common use of 120 (and similar)
prefixes for host networks and they work perfectly.
That said, the only reason we don't make use of 64-bit prefixes for
host networks is in an effort (which may be futile) to mitigate
neighbor table exhaustion attacks. We still reserve a full 64-bit
prefix, allowing us to expand the prefix in the future without
disrupting service. The long term plan is to migrate to 64-bit
prefixes when routing equipment is better able to handle neighbor
table exhaustion attacks.
As for the comments on the use of multicast; multicast is a good
thing. On most devices is is no different than broadcast, but it adds
the information needed for more advanced hardware (e.g. managed
switches with MLD snooping) to only replicate the traffic to
interested parties. The elimination of broadcast traffic in IPv6 is a
good thing, and doesn't introduce any problem.
The (related) other comment made was using ARP with IPv6 instead of
ND. This also shows a poor understanding of how IPv6 works. ARP is
for IPv4, ND is for IPv6. There is no ARP for IPv6. ND has the
advantage that it actually happens over IPv6, rather than a lower
level or parallel protocol. This makes filtering such traffic and
designing hardware that is aware of it significantly easier. It will
be nice to reach a point where non-IPv6 traffic can be filtered and
dropped completely. Other than making use of the link-local scope and
using a multicast group instead of broadcast, ND is pretty much the
same thing as ARP.