End user devices will not benefit from end-to-end connectivity (e.g., globally routeable IPv4 addresses as opposed to being in an RFC1918 space behind NAT).

If I have a wildcard DNS record, *.example.edu AAAA 2001:db8::5, then adding in an explicit record, x.example.edu AAAA 2001:db8::5, will make no visible difference.

There is no legitimate reason for a user to use BitTorrent (someone will probably disagree with this).

Our organization is not running out of IPv4 addresses so we don't need IPv6. (Similarly: Our organization is running out of IPv4 addresses so that's why we need IPv6.)

I can't use IPv6 because I still need to serve IPv4 clients.

Any IP that starts with 192 is a private IP and any IP that starts with 169 is self-assigned.

Authentication by client IP address alone is sufficient.

Long passwords requiring letters, numbers, and symbols with a no-repeat policy and a 90-day maximum password age are very secure.

+1 for "We should drop all ICMP(v6) traffic." (Related: "I can't ping the box so it must be down.")

+1 for "NAT is security".

Regarding "DNS only uses UDP", I give out a technical test during interviews and one of the questions is basically "Use iptables to block incoming DNS traffic" and all applicants so far have only blocked UDP port 53.
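The following is an added example, not part of the original post, showing at the wire level why "DNS only uses UDP" is a misconception: per RFC 1035, a UDP answer with the TC (truncated) bit set tells the client to retry the same question over TCP port 53, where each message is prefixed with a two-byte length. The DNS messages here are constructed locally (nothing is sent on the network), the function names are this example's own, and the iptables lines at the end use only standard `-A`/`-p`/`--dport`/`-j` syntax.

```python
"""
Why "DNS only uses UDP" is wrong (RFC 1035): a UDP answer with TC=1 makes
the client retry over TCP/53, where messages carry a 16-bit length prefix.
Blocking only udp/53 therefore leaves DNS reachable over TCP.
All messages below are constructed in memory; no packets are sent.
"""
import struct

FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated: client must retry over TCP
FLAG_RD = 0x0100   # recursion desired

QTYPE_A = 1
QTYPE_AAAA = 28
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, ending with 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid, name, qtype=QTYPE_AAAA):
    """Build a standard recursive query carrying one question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(query, truncated):
    """Constructed server reply: echoes the question, optionally with TC=1.

    A real server would append answer RRs; when they do not fit in the UDP
    payload it sets TC=1 instead, and the client is expected to use TCP."""
    txid, flags = struct.unpack("!HH", query[:4])
    flags |= FLAG_QR
    if truncated:
        flags |= FLAG_TC
    return struct.pack("!HH", txid, flags) + query[4:]


def parse_header(msg):
    """Return the fields of the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def next_transport(query, udp_response):
    """What a resolver does after its UDP attempt: "done" or retry over "tcp"."""
    hdr = parse_header(udp_response)
    if hdr["id"] != parse_header(query)["id"] or not hdr["qr"]:
        raise ValueError("response does not match query")
    return "tcp" if hdr["tc"] else "done"


def frame_for_tcp(msg):
    """Over TCP each DNS message is prefixed with its 16-bit length (RFC 1035 4.2.2)."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def read_tcp_frame(stream):
    """Split one complete length-prefixed message off a TCP byte stream.

    Returns (message, remaining_bytes), or (None, stream) if incomplete."""
    if len(stream) < 2:
        return None, stream
    (n,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + n:
        return None, stream
    return stream[2:2 + n], stream[2 + n:]


def iptables_rules_blocking_dns(chain="INPUT"):
    """Both transports must be covered; a udp/53 rule alone leaves TCP open."""
    return ["iptables -A %s -p udp --dport 53 -j DROP" % chain,
            "iptables -A %s -p tcp --dport 53 -j DROP" % chain]


if __name__ == "__main__":
    q = build_query(0x1234, "x.example.edu")
    print("after truncated UDP answer:", next_transport(q, build_response(q, True)))
    msg, rest = read_tcp_frame(frame_for_tcp(q) + b"next")
    print("tcp frame round-trips:", msg == q, "leftover:", rest)
    print("\n".join(iptables_rules_blocking_dns()))
```

The same TCP path is what zone transfers (AXFR) and large responses already use, which is why a firewall rule that only covers udp/53 does not actually "block DNS".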