MvdV>> 1) "WAN address" is IPv4 NAT speak. In IPv6 one has link local
MvdV>> addresses and globally unique routable addresses.
MvdV>> 2001:470:70:bf5::1 is a globally routable address.
MR> For me, a WAN address is any address on an interface facing WAN.
OK...
MR> Therefore his tunnel endpoint is a WAN address. 2001:470:71:bf5::1
MR> seems to be his node's LAN address.
By your definition that address qualifies. The problem is that /every/ globally routable IPv6 address qualifies. 2001:470:71:bf5::1 qualifies as well.
With IPv4 it is clear where the LAN ends and the WAN starts. At the NAT. Or more precisely: with IPv4 after the coming of NAT. Because before the coming of NAT the usual IPv4 situation was similar to what we now have with IPv6. Every node had a globally routable address. One could argue that the LAN is defined by the subnet, but where does the WAN begin? I would argue that every node with a routable global address is part of the WAN, and hence its address is a WAN address by your definition.
MvdV>> 2) 2001:470:70:bf5::1 is the he.net tunnel endpoint. His binkp
MvdV>> server does not answer on that address.
MR> Yep.
MvdV>> 3) 2001:470:70:bf5::2 is the tunnel end point on his end. His
MvdV>> binkp server answers on that address because it so happens that
MvdV>> the tunnel end point and the binkp server run on the same host.
MvdV>> But this is coincidence. He could move the tunnel end point to
MvdV>> another device on his LAN and then it would no longer work.
MR> He would just have to update the AAAA record.
Yes, no big deal, but it could be avoided by not using that address in the first place and using 2001:470:71:bf5::1 instead.
MvdV>> 2001:470:71:bf5::1 is the address of the interface that
MvdV>> connects the system that runs his binkp server to the
MvdV>> 2001:470:71:bf5::/64 subnet. IMNSHO that should be the address
MvdV>> to connect to his binkp server. That keeps working if he moves
MvdV>> the tunnel end point to his router or another host on the same
MvdV>> subnet.
MR> In this case I would assign a service IP address, which could be moved
MR> around easily, and not use the ::1 LAN address, which might be the
MR> gateway for the LAN.
Instead of "LAN" I would prefer the term "subnet". But you have a point. Although there is no hard rule that says ::1 is to be a special case reserved for a gateway, it would be preferable to use something else for a server on that subnet.