The "legal reasons" alluded to are mostly problems with other signers on the contract for our upstream bandwidth provider. *coughDuckscough* At our bandwidth scale, tunneling is not feasible.
Indeed, tunneling IPv6 at our scale would be quite silly.
We don't run Puppet at the moment, we run CFEngine. Everybody's receiving Puppet training and there's a slow-yet-steady migration to Puppet, but these things take time. There are quite a few people depending on us to not fuck up, so we don't change our stacks without deliberation and testing.
We've been using CFengine since nearly the day we started so we have a collection of CFengine recipes that go back 5-6 years. Its going to take a while to get everything in a state considering there's only one full-timer (me) and 4-6 undergraduate students. Granted we're working on just getting a bootstrap set of modules done first (which is almost completed). Additionally we're writing our modules so that they are reusable (which takes more time) for other people and plan to post them on puppetforge eventually.
Trying to work on that plus keep up on regular maintenance, new projects, misc fires, conferences, etc all adds up. We do a pretty good job of keeping up on tasks but we do fall behind sometimes. We take pride that we run a pretty tight ship and want to continue that moving forward.