In message <Pine.NEB.4.02.9811131052080.14559-100000@pc1.whooppee.com>  Paul Goyette wrote:
> Since I raised one of the first objections, let me be one of the first
> to repent!  :)

There is nothing bad about the option in general, but it just
adds one more sysctl you have to check when something doesn't work
as exepected, and when it is turned on, you get a warm an fuzzy feeling
of being secure, but the backdoors are still open.
Turning on strong doesn't buy anything if src-routing is still
enabled, the way the patch was implemented routing needs to be turned of
too.
Thats already four sysctl settings needed to go somewhere. If I use ipf I know
it complicated, if there is a sysctl variable calls stronged-system,
you need to know the implementation to know which other variables
to tweek too.
That reminds me of other famous storages for options with unkown
relations, M$Soft Windoze Registry ... 

I think in this case it may make sense to create a userlevel program
which creates the set of sysctls needed for a given security level.

(I'm not complaining abou kernel-bloating ... I'm loading a
LKM 2/3 of the kernel size ...)


[...]

Stefan
--
Stefan Grefen                                Tandem Computers Europe Inc.
grefen@hprc.tandem.com                       High Performance Research Center
 --- Hacking's just another word for nothing left to kludge. ---