

NRL IPv6 Software Distribution, "Alpha-2-quality" release:

  This is an "alpha-2-quality" release.  It is not 100% complete yet,
though large sections of IPv6 are now implemented.  It has NOT been
extensively tested and it does definitely need extensive testing.  Our
local SPARC and i486/i586 kernels based on this software (which have
INET6, IPSEC, INET6_DEBUG, IPSEC_DEBUG, and KEY defined) are
relatively stable but it is probable that the software contains 
undiscovered bugs that will crash the kernel.  There are a number
of known bugs.  These bugs include at least the following:

(0) Because of time constraints, diffs (save for the sys.intel/ files,
    which have to be) are not available for this release.

(1) We have not used any formal software assurance techniques in
   developing our implementation.  We believe that our ESP/AH
   implementation mostly works as intended, but we do NOT claim
   that it provides adequate security for any user.  Users who
   plan to rely on the security of our implementation need to
   make their own efforts to verify that our code does what they
   want it to do.

(2) There is a specific known bug when ESP is used with IPv4 and
   fragmentation occurs.  The outbound processing seems fine.
   The inbound processing seems to go OK until the packet is handed
   up to an upper-layer protocol (UDP or TCP).  At that level,
   the UDP or TCP checksum fails because there are 8-24 bytes of
   corrupted data beginning about (first fragment size) bytes 
   into the packet.  This won't crash the system, but can be
   discerned by data not reaching applications and examination
   of the relevant per-protocol statistics from the kernel.
   We are not sure if the problem is still there.

(3) Performance is slower over IPv6 than over IPv4.  This is expected
   for this release.  We will enhance performance in future releases.
   Known reasons that we are slower right now include:
	ipv6_preparse(),
	lack of any optimisation efforts on the IPv6 side,
	years of optimisation by others on the IPv4 side,
	and security checks both inbound and outbound.

(4) If an IPv4 socket is listening on a port with a wildcard address, an
    IPv6 socket cannot listen on the same port.  This may be more of a
    feature than a bug, given that IPv6 sockets can communicate using IPv4
    and the ::FFFF:<v4-address> address format.

(5) Expiration of AH and ESP keys has yet to be implemented.  Once a key has
    been added to the kernel, it remains in the kernel and is usable until it
    is explicitly deleted by a user-level program like key(8).  There is an 
    exception, however, for keys allocated to sockets requesting unique-
    keying.  Since these keys cannot be used by any other sockets, they are 
    deleted from the kernel key table when the requesting socket is closed  
    and freed.  There is better support for this now, but it is still not
    complete.

(6) Ideally, IPsec should be separate from IPv6.  We started toward this, but
    could not finish it.  If you want a v4-only kernel with our source,
    comment out INET6, IPSEC, INET6_DEBUG, KEY, and IPSEC_DEBUG in your config
    files.

(7) Prefixes snarfed from router advertisements are permanent.

(8) The testing on this release was not as thorough as the testing on
    previous releases.
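
Added example, not part of the NRL distribution: item (4) notes that IPv6
sockets can carry IPv4 traffic using the ::FFFF:<v4-address> format, so a peer
address reported on an IPv6 socket may really be an IPv4 host.  The helper
below (normalize_peer is a hypothetical name; the sample addresses are
constructed) uses the standard inet_pton(3) and IN6_IS_ADDR_V4MAPPED calls to
fold mapped addresses back to plain IPv4, so that address-based checks see one
canonical form.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper: canonicalise a textual peer address.
 * Returns AF_INET for IPv4 and for IPv4-mapped IPv6 (::FFFF:a.b.c.d),
 * AF_INET6 for any other IPv6 address, and -1 if the text does not
 * parse or out is too small.  out receives the canonical text form. */
int normalize_peer(const char *text, char *out, socklen_t outlen)
{
    struct in_addr v4;
    struct in6_addr v6;

    if (inet_pton(AF_INET, text, &v4) == 1)
        return inet_ntop(AF_INET, &v4, out, outlen) ? AF_INET : -1;

    if (inet_pton(AF_INET6, text, &v6) != 1)
        return -1;

    if (IN6_IS_ADDR_V4MAPPED(&v6)) {
        /* The last 4 of the 16 address bytes hold the IPv4 address. */
        memcpy(&v4, &v6.s6_addr[12], sizeof v4);
        return inet_ntop(AF_INET, &v4, out, outlen) ? AF_INET : -1;
    }
    /* Includes the old IPv4-compatible form (::a.b.c.d), which is
     * not a mapped address and must not be treated as IPv4. */
    return inet_ntop(AF_INET6, &v6, out, outlen) ? AF_INET6 : -1;
}

int main(void)
{
    /* Constructed sample addresses from documentation ranges. */
    const char *samples[] = { "192.0.2.7", "::ffff:192.0.2.7",
        "::FFFF:C000:0207", "2001:db8::1", "::192.0.2.7", "bogus" };
    char buf[INET6_ADDRSTRLEN];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int fam = normalize_peer(samples[i], buf, sizeof buf);
        printf("%-18s -> %s\n", samples[i], fam == -1 ? "(invalid)" : buf);
    }
    return 0;
}
```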
