
Ban by /64 by default instead of /128

Hanicef requested to merge Hanicef/SRB2:ban-64-bitmask into next

I realized just now that, with the introduction of IPv6, we really should ban on a /64 instead of a /128 for IPv6 addresses. This matters because of IPv6 privacy extensions, where a link-local address is randomized every time during router solicitation to prevent an IP address from being used for tracking. This is the default on most systems nowadays, and that effectively means that if a /128 is banned, circumventing it is as easy as just disconnecting and reconnecting to the network to get a new link-local address. However, only the last 64 bits are randomized, since the first 64 bits are what the global IPv6 address contains, and thus follow standard address leasing rules just like IPv4.
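The prefix comparison this merge request describes, as an added example that is not SRB2's own ban code: `ipv6_prefix_match` and `ipv6_ban_hit` are hypothetical helpers, and the addresses in `main` are constructed to show a client whose interface identifier was re-randomised after a /128 ban.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Compare only the first `prefixlen` bits of two 16-byte IPv6 addresses.
 * prefixlen 128 reproduces the old exact-match ban; 64 bans the whole
 * network prefix, so a re-randomised interface identifier stays banned. */
bool ipv6_prefix_match(const uint8_t a[16], const uint8_t b[16], int prefixlen)
{
    int fullbytes, restbits;
    uint8_t mask;
    if (prefixlen < 0 || prefixlen > 128)
        return false;
    fullbytes = prefixlen / 8;
    restbits = prefixlen % 8;
    if (memcmp(a, b, fullbytes) != 0)
        return false;
    if (restbits == 0)
        return true;
    /* Partial byte: keep only the high `restbits` bits of the next byte. */
    mask = (uint8_t)(0xFFu << (8 - restbits));
    return (a[fullbytes] & mask) == (b[fullbytes] & mask);
}

/* Hypothetical helper: does `client` fall inside the ban `banned`/`prefixlen`?
 * Both addresses are textual; malformed input never matches. */
bool ipv6_ban_hit(const char *banned, int prefixlen, const char *client)
{
    uint8_t ban_addr[16], cli_addr[16];
    if (inet_pton(AF_INET6, banned, ban_addr) != 1 ||
        inet_pton(AF_INET6, client, cli_addr) != 1)
        return false;
    return ipv6_prefix_match(ban_addr, cli_addr, prefixlen);
}

int main(void)
{
    /* Constructed addresses: same /64 prefix, different interface identifier,
     * as after a privacy-extension re-randomisation; `other` is a neighbouring /64. */
    const char *banned = "2001:db8:1:2:1234:5678:9abc:def0";
    const char *rejoin = "2001:db8:1:2:fedc:ba98:7654:3210";
    const char *other  = "2001:db8:1:3:1234:5678:9abc:def0";
    printf("/128 ban, rejoin: %d\n", ipv6_ban_hit(banned, 128, rejoin)); /* 0 */
    printf("/64 ban, rejoin:  %d\n", ipv6_ban_hit(banned, 64, rejoin));  /* 1 */
    printf("/64 ban, other:   %d\n", ipv6_ban_hit(banned, 64, other));   /* 0 */
    return 0;
}
```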
