AI Summary
IPv6 presents a broad attack surface due to vulnerabilities in Neighbor Discovery, Router Advertisement, and ICMPv6 protocols, while its vast address space renders traditional IP-reputation-based defenses ineffective. This work proposes an edge-centric zero-trust data plane architecture that unifies defense against both internal and external spoofing and flooding attacks within a programmable data plane. The key innovation lies in front-loading identity trust verification through stateless per-packet validation, which enhances the accuracy of subsequent rate-based anomaly detection, and in establishing a unified defense framework covering four major attack classes. Implemented in P4, the system leverages critical techniques including prefix hop-limit bands, DAD-based address-to-port binding, and Count-Min Sketch sliding-window counting. Evaluations on BMv2 and Netronome NFP-4000 SmartNIC demonstrate the architecture's scalability and practicality across 15 single- and multi-vector attack scenarios.
Abstract
IPv6 dependability is increasingly inseparable from IPv6 security: Neighbor Discovery (ND), Router Advertisements (RA), and ICMPv6 are essential for correct operation yet expose a broad attack surface for spoofing and flooding. Meanwhile, IPv6's massive address space breaks per-IP reputation and makes many defenses either non-scalable or narrowly scoped (e.g., only internal threats, only RA abuse, or only volumetric floods). We propose a zero-trust edge architecture implemented in a single programmable data-plane pipeline that unifies four modules: external spoofing, internal spoofing, external flooding, and internal flooding. A key design choice is to enforce identity plausibility before rate plausibility: stateless per-packet validation filters spoofed traffic early so that time-window statistics for flooding operate on credible identities. We outline a concrete P4 design (prefix Hop-Limit bands, DAD-anchored address-port bindings, and Count-Min Sketch windowed counting) and evaluate it across a systematic 15-scenario suite spanning single-, dual-, and multi-vector compositions. We report results from a BMv2 prototype and validate the same pipeline on a Netronome NFP-4000 SmartNIC, and we discuss limitations and open directions.
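A Python model of the two-stage pipeline the abstract describes (identity plausibility enforced before rate plausibility), added here as an illustration and not the paper's P4 code. The prefix Hop-Limit bands, flood threshold, window size and packet trace are constructed assumptions; the DAD-anchored binding module is not modelled.

```python
import hashlib
import ipaddress
from collections import deque
# Constructed: expected Hop-Limit band per external source prefix (not the paper's values)
HOP_LIMIT_BANDS = {ipaddress.ip_network("2001:db8:1::/48"): (50, 64),
                   ipaddress.ip_network("2001:db8:2::/48"): (230, 255)}

def identity_plausible(src, hop_limit):
    """Stage 1 (stateless, per packet): Hop-Limit must fall in its prefix's band."""
    addr = ipaddress.ip_address(src)
    for prefix, (lo, hi) in HOP_LIMIT_BANDS.items():
        if addr in prefix:
            return lo <= hop_limit <= hi
    return False  # no band for this prefix: treat the identity as implausible

class CountMinSketch:
    """depth rows of width counters; estimate = min over rows, never an undercount."""
    def __init__(self, width=1024, depth=3):
        self.width, self.depth = width, depth
        self.rows = [[0] * width for _ in range(depth)]
    def _col(self, key, r):  # row-salted hash selects the counter in row r
        h = hashlib.blake2b(key.encode(), digest_size=8, salt=bytes([r])).digest()
        return int.from_bytes(h, "big") % self.width
    def add(self, key):
        for r in range(self.depth):
            self.rows[r][self._col(key, r)] += 1
    def estimate(self, key):
        return min(self.rows[r][self._col(key, r)] for r in range(self.depth))

def run_pipeline(packets, threshold=10, window_slots=2):
    """Verdict per (time_slot, src, hop_limit): 'spoof', 'flood' or 'forward'.
    Time slots are non-negative integers in non-decreasing order."""
    window = deque([CountMinSketch()], maxlen=window_slots)  # one sketch per slot
    current_slot, verdicts = 0, []
    for slot, src, hop_limit in packets:
        while current_slot < slot:  # slide the window: oldest sketch falls off
            window.append(CountMinSketch())
            current_slot += 1
        if not identity_plausible(src, hop_limit):
            verdicts.append("spoof")  # filtered before it can pollute the counters
            continue
        window[-1].add(src)  # Stage 2: rate statistics over credible identities only
        rate = sum(sk.estimate(src) for sk in window)
        verdicts.append("flood" if rate > threshold else "forward")
    return verdicts

# Constructed trace: (time_slot, source, Hop-Limit)
SAMPLE_TRACE = ([(0, "2001:db8:1::10", 60)] * 3 + [(0, "2001:db8:1::10", 200),
                (0, "2001:db8:9::1", 60)] + [(1, "2001:db8:2::5", 240)] * 12
                + [(3, "2001:db8:2::5", 240)])
```

Running `run_pipeline(SAMPLE_TRACE)` marks the out-of-band and unknown-prefix packets as spoofed without ever counting them, flags the 11th and 12th packets of the slot-1 burst as a flood, and forwards the lone slot-3 packet once the burst's slot has slid out of the window.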