how do I stop protocol 41 unreachable packets from being sent?
as noted in the updates to the question, the problem is that after the kernel passes the packet to whatever raw sockets are listening on that protocol, it then hands it off to any kernel modules registered for that same protocol. since I had been using a sit tunnel on my netbook, the tunnel4 module was still loaded even though I had temporarily set up the tb_userspace tunnel for testing; so since it was registered, but no handlers were configured, it rejected the packets with the ICMP 3:3 message. rmmod sit
followed by rmmod tunnel4
solved that problem.
on the original problem server, it wasn't so easy since it's an openvz VPS with a monolithic kernel as seen by the client "boxes". but armed with the information from http://linux.die.net/man/7/raw and http://www.haifux.org/lectures/217/netLec5.pdf I was able to work with the provider to solve the problem. in this case, they re-installed the sit module so I didn't have to use the tb_userspace tunnel software at all. but I suspect the problem was that tunnel4 was installed there as well.
It looks like tektonic does not have the address 2001:470:1f0e:12a7::2 assigned to its venet0 interface. It is receiving the packets and rejecting them even though they are well-formed.
Your next step should be to verify that tektonic can establish TCP connections to IPv6-only hosts such as ipv6.google.com, and that the packets indeed travel to the configured Hurricane Electric relay host via IPv4 encapsulation. If TCP gets through but ICMP does not, then it is definitely an endpoint filtering problem (i.e. firewall rules).