As a side-note, a fifth SL option was presented "out of the blue" in SFO,
namely exclusive SL/global addressing (one or the other only), which,
because it was rather a "broken" idea, I think perhaps added to the room
sentiment that site-locals are broken (rightly or wrongly :)
well, it was something that hadn't been suggested yet, so I don't blame them
for trying. but what became clear after looking at all of the different ways
of limiting usage of site local side-by-side is that every way of restricting
site locals still leaves us with a mess. the only set of restrictions that
avoids leakage and/or requiring apps to be aware of network topology is to use
SLs only on isolated networks, and experience with RFC 1918 strongly indicates
that this doesn't work well in practice.