DoS subsystem should compare IPv6 /64
Our internal DoS defense subsystem should also treat prefixes instead of addresses, because right now with a client with a /64 public IPv6 prefix assigned to it I could hammer via IPv6 guards without triggering the DoS defense.
We could make this change by:
- only putting the first /64 of each IPv6 address in the filter list, and
- only checking the first /64 of each new IPv6 connection