IPv6 allocation plan, security, and 6-to-4 conversion

[Eric Louie <elouie () techintegrity com>]

I'm putting together my first IPv6 allocation plan.  The general layout:
/48 for customers universally and uniformly
/38 for larger regions on an even (/37) boundary
/39 for smaller regions on an even (/38) boundary
A few /48's for "internal use" to allow us to monitor and maintain systems.

For security sake, do I need (am I better off) to "reserve" a "management
block" (/39, /40, /41 or something of that nature) that does NOT get
advertised into BGP to my upstreams, and use that for my device management
and monitoring address space?  In other words, make a small "private"
address space for management?  What are folks doing around that?

If I have to do 6-to-4 conversion, is there any way to do that with
multiple diverse ISP connections, or am I "restricted" to using one
entry/exit point?  (If that's true, do I need to allocate a separate block
of addresses that would be designated "6 to 4" so they'd always be routed
out that one entry/exit point?)