Abuse scenario 1: play with IPv6 destination

Badguy: packet with ::20.1.1.255 in IPv6 destination
Auto tunnel relay node encapsulates to it
Will be encapsulated into IPv4 packet to 20.1.1.255 -> unwanted broadcast

RFC1933 has no protection
mech-04 has protection against it, but not enough
We have no idea about remote broadcast addresses