If we want end-to-end options to not be blocked by firewalls, the best
solution is to encrypt them. That is, run shim6 inside IPSEC, end to
end.
Say hello to key management...
I think trying to second-guess firewall admins is the wrong thing to
do. If they want to block shim6, why should we try to sneak by them?
If the initial shim6 packet gets back some kind of ICMP unreachable
or after several retransmissions there isn't an answer, we can just
continue to operate in backward compatibility mode without any loss
in connectivity. (Until there is a failure, of course.)