ULA could be the next problem. Not only loose uRPF may be the problem in this case, but also infrastructure ACLs which deny ULA addresses from outside. RFC4193 4.3 says that packets from ULA addresses should be filtered at the border. If somebody sends ICMP "Packet too big" with an address from the ULA range as the source address it is expected that it will be dropped somewhere (at the border of the own network, at the border of the destination network or somewhere in a backbone between those two networks).
Now that's a different can of worms. If someone numbers their transit network with ULAs and sends ICMP errors from ULA space, they deserve what you can think up for them.
Enterprise IPv6 networks using PA space will (to avoid renumbering after an ISP change) and you'll see ICMP errors coming from them when the inbound IPv6 packets transit VPN tunnels. Ivan