My dilemma is that I have a machine with 2 NICs and I need to be able
to turn off ipv6 on 1 of the NICs without a reboot.

I can block ipv4 traffic with no problems with this command:

ip route replace prohibit 10.0.28.0/24

If I try this command on ipv6, it just adds another entry for
3ffe:28::/64 with metric=1024:

ip -6 route replace prohibit 3ffe:28::/64 dev eth1

It didn't add a "prohibit" entry and I can still ping6 other ipv6
addresses.

I am an ipv6 newbie. This one is a killer. Windows ipv6 is just as
painful.