I'm curious to know: what (attack) do you hope to protect against?
I would think that most attacks come in two fashions: the first being that you run a service of some kind and that there's some JSP/PHP/whatever exploit for a public facing service, and someone does a 'magic' PUT/GET that has the application server execute some code, which downloads a larger malware attack package. After which point the black hats start scanning from the inside.
The second being that someone clicks on a link in a phishing e-mail or executes some attachment, after which malware code starts scanning from the inside and phones home.
(A third being an insider attack, who presumably knows about internal topology.)
What attack are you thinking to protect against by hiding subnet and VLAN topology?
And what are those vector(s)?
Besides compromising a machine that is already inside per the above (which can then do scanning / lateral moves), or perhaps physically getting inside the premises (in which case a scanner can be physically installed to examine the network), what attack are you protecting against?
Can you give me a link about an attack that knowing the topology of the network ahead of time would allow, but that not knowing would prevent?
The only thing you'd "leak" is the prefix, which is no different than an IPv4 WAN address that you'd get with a v4 NAT.
They're obviously doing recommendations based on IP address. (And this is purely over IPv4.)
Assuming you block unsolicited packets (that is, packets not related to existing connections/streams) at your border (the connection to your ISP), then outsiders won't be able to use tools like traceroute to learn anything. All that an outsider has is an IPv6 IP, and since you're not doing BGP with anything, all they'll know to do is to send the traffic to your ISP.
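The claim above (drop unsolicited packets at the border and an outsider's traceroute learns nothing about the inside) can be checked with a small model. The following is an added example, not code from the thread or from any of its participants: it models a stateful border filter that only admits inbound packets belonging to a flow an inside host started, and an outsider running a UDP traceroute against an inside host. All addresses use the RFC 3849 documentation prefix and the internal hop list is a constructed, hypothetical topology.

```python
"""Model of a stateful IPv6 border filter versus an outside traceroute.

Constructed example: the topology, addresses and probe ports below are
hypothetical and chosen only to illustrate the point in the post above.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp", ...
    sport: int
    dport: int
    hop_limit: int = 64


# Hypothetical internal routers behind the border, in path order, plus one
# internal host. The hop limit is counted from the first internal router.
INTERNAL_HOPS = ["2001:db8:1:0::1", "2001:db8:1:10::1", "2001:db8:1:20::1"]
INTERNAL_HOST = "2001:db8:1:20::50"
OUTSIDER = "2001:db8:ffff::1"          # constructed external address


class BorderFilter:
    """Stateful border filter: outbound flows create state, inbound packets
    pass only when they belong to an already-known flow."""

    def __init__(self, stateful=True):
        self.stateful = stateful
        self.flows = set()           # 5-tuples of flows started from inside

    def outbound(self, pkt):
        # A packet leaving our network: remember the flow and let it through.
        self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
        return True

    def inbound(self, pkt):
        if not self.stateful:
            return True              # no filtering: everything comes in
        # Only a reply to a flow we started is admitted: the reversed
        # 5-tuple must already be in the state table.
        return (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport) in self.flows


def ttl_expiry_hop(pkt):
    """Return the internal router at which this packet's hop limit expires,
    i.e. the address that would appear as the source of an ICMPv6 Time
    Exceeded message, or None if the packet reaches its destination first."""
    idx = pkt.hop_limit - 1
    return INTERNAL_HOPS[idx] if idx < len(INTERNAL_HOPS) else None


def outside_traceroute(border, target, max_hops=8):
    """Model an outsider's traceroute: UDP probes with an increasing hop limit.
    Returns the internal addresses the probes would reveal."""
    revealed = []
    for hops in range(1, max_hops + 1):
        probe = Packet(OUTSIDER, target, "udp", 33434, 33434 + hops, hop_limit=hops)
        if not border.inbound(probe):
            continue                 # dropped at the border: nothing inside answers
        hop = ttl_expiry_hop(probe)
        if hop is None:
            break                    # probe reached the target host
        revealed.append(hop)
    return revealed


if __name__ == "__main__":
    print("filtered:  ", outside_traceroute(BorderFilter(), INTERNAL_HOST))
    print("unfiltered:", outside_traceroute(BorderFilter(stateful=False), INTERNAL_HOST))
```

With the stateful filter in place the outsider's probes never reach a router that would answer, so the traceroute comes back empty; with filtering off, every internal hop on the path is revealed one by one. Replies to connections that inside hosts opened still pass, since the reversed 5-tuple matches the recorded flow.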