End user devices will not benefit from end-to-end connectivity (e.g.,
globally routeable IPv4 addresses as opposed to being in a RFC1918
space behind NAT).
If I have a wildcard DNS record, *.example.edu AAAA 2001:db8::5, then
adding in an explicit record, x.example.edu AAAA 2001:db8::5, will
make no visible difference.
There is no legitimate reason for a user to use BitTorrent (someone
will probably disagree with this).
Our organization is not running out of IPv4 addresses so we don't need
IPv6. (Similarly: Our organization is running out of IPv4 addresses so
that's why we need IPv6.)
I can't use IPv6 because I still need to serve IPv4 clients.
Any IP that starts with 192 is a private IP and any IP that starts
with 169 is self-assigned.
Authentication by client IP address alone is sufficient.
Long passwords requiring letters, numbers, and symbols with a
no-repeat policy and a 90-day maximum password age are very secure.
+1 for "We should drop all ICMP(v6) traffic." (Related: "I can't ping
the box so it must be down.")
+1 for "NAT is security".
Regarding "DNS only uses UDP", I give out a technical test during
interviews and one of the questions is basically "Use iptables to
block incoming DNS traffic" and all applicants so far have only
blocked UDP port 53.
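As an added illustration of the last point (this is not code from the original post): DNS runs over TCP as well as UDP, so a filter or monitor that only looks at UDP/53 is incomplete. The block below builds a query by hand, shows the 2-byte length prefix DNS uses over TCP, checks the TC bit that tells a client to retry over TCP, and splits a TCP stream into messages; all names and byte strings are constructed and nothing is sent on the network.

```python
"""Why "DNS only uses UDP" is wrong, shown on the wire (constructed example).

RFC 1035: a UDP response with the TC (truncated) bit set tells the client to
re-ask over TCP, and over TCP every message is prefixed with a 16-bit length.
"""
import struct

TC_BIT = 0x0200  # flags word bit: response was truncated, retry over TCP
QTYPE_AAAA = 28

def build_query(name: str, qtype: int = QTYPE_AAAA, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (one question, RD=1) as it would go over UDP."""
    labels = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                      for label in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def frame_for_tcp(msg: bytes) -> bytes:
    """Prefix a wire message with its big-endian 16-bit length (DNS over TCP)."""
    return struct.pack("!H", len(msg)) + msg

def needs_tcp_retry(udp_response: bytes) -> bool:
    """True when a UDP response has TC=1: the answer only fits over TCP."""
    (flags,) = struct.unpack("!H", udp_response[2:4])
    return bool(flags & TC_BIT)

def split_tcp_stream(data: bytes) -> list:
    """Split a DNS-over-TCP byte stream into complete messages.

    Several queries may be pipelined on one connection, so an inspector on
    TCP/53 must walk the length prefixes; a trailing partial message is kept
    back until more bytes arrive.
    """
    msgs, off = [], 0
    while off + 2 <= len(data):
        (n,) = struct.unpack("!H", data[off:off + 2])
        if off + 2 + n > len(data):
            break
        msgs.append(data[off + 2:off + 2 + n])
        off += 2 + n
    return msgs

# Constructed UDP response header: QR=1, RD=1, RA=1 and TC=1 (0x8380), no records.
TRUNCATED_UDP_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)

if __name__ == "__main__":
    q = build_query("x.example.edu")
    print(f"UDP query: {len(q)} bytes; TCP-framed: {len(frame_for_tcp(q))} bytes")
    print("TC bit set, client must retry over TCP:", needs_tcp_retry(TRUNCATED_UDP_RESPONSE))
```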