I'll have a go at translating that into English
“The crafted packet, destined to the router, will then be processed by the routing engine (RE). A malicious network-based packet flood, sourced from beyond the local broadcast domain, can cause the RE CPU to spike, or cause the DDoS protection ARP protocol group policer to engage. When this happens, the DDoS policer may start dropping legitimate IPv6 neighbours as legitimate ND times out.”
ARP is only valid on a particular switch on an internal network. It is not something that an external (internet) host should be able to mess with. Turns out you can make our switches melt by messing with inbound traffic that your systems thought they had requested because our switches simply believe what the traffic says rather than checking. As a result our funky protection mechanisms run out of resources that they were never really designed for. We fucked up, soz.