Subject: Re: Enabling TCP RFC 1948
To: None <tls@rek.tjls.com>
From: Rui Paulo <rpaulo@fnop.net>
List: tech-net
Date: 10/15/2006 17:55:17
On Oct 15, 2006, at 5:44 PM, Thor Lancelot Simon wrote:

> On Sat, Oct 14, 2006 at 10:12:56PM +0100, Rui Paulo wrote:
>>
>> I would like to hear the opinions about enabling TCP RFC 1948
>> extensions (the code is already in tree for some years now).
>>
>> Any comments?
>
> This isn't turned on by default because it is very expensive.  It has
> been discussed several times in the past.

There is no option to enable it yet. And Jason hasn't been responsive ;-)

revision 1.108
date: 2001/03/20 20:07:51;  author: thorpej;  state: Exp;  lines: +126 -31
Two changes, designed to make us even more resilient against TCP
ISS attacks (which we already fend off quite well).

1. First-cut implementation of RFC1948, Steve Bellovin's cryptographic
    hash method of generating TCP ISS values.  Note, this code is experimental
    and disabled by default (experimental enough that I don't export the
    variable via sysctl yet, either).  There are a couple of issues I'd
    like to discuss with Steve, so this code should only be used by people
    who really know what they're doing.

I spoke with Steve Bellovin last week about this, but I'll let him explain what happened by his own words.

--
Rui Paulo
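The quoted commit log describes RFC 1948 only as "Steve Bellovin's cryptographic hash method of generating TCP ISS values". The following is an added illustration of that scheme in user-space Python; it is not the NetBSD kernel code the thread discusses, and its secret, addresses and timestamps are constructed sample values. RFC 1948 keeps the RFC 793 4-microsecond clock M but adds a per-connection offset F(localhost, localport, remotehost, remoteport, secret), so that the ISN of one connection tells an observer nothing about the ISN another peer will be handed at the same instant. The RFC names MD5 for F, which is what is used here:

```python
"""RFC 1948 initial sequence number generation, illustrated (added example)."""
import hashlib
import ipaddress
import struct

# RFC 793: the ISN clock advances once every 4 microseconds, modulo 2**32.
TICK_US = 4
MASK32 = 0xFFFFFFFF


def isn_clock(now_us):
    """M: the RFC 793 4-microsecond counter as a 32-bit value."""
    return (now_us // TICK_US) & MASK32


def connection_offset(laddr, lport, raddr, rport, secret):
    """F(localhost, localport, remotehost, remoteport, secret) from RFC 1948.

    The hash is keyed by a secret the host picks at boot and never reveals;
    the RFC uses MD5, and only the low 32 bits of the digest are needed.
    Addresses are hashed in packed (wire) form, as a kernel would have them.
    """
    h = hashlib.md5()
    h.update(ipaddress.ip_address(laddr).packed)
    h.update(struct.pack("!H", lport))
    h.update(ipaddress.ip_address(raddr).packed)
    h.update(struct.pack("!H", rport))
    h.update(secret)
    return int.from_bytes(h.digest()[:4], "big")


def rfc1948_isn(laddr, lport, raddr, rport, secret, now_us):
    """ISN = M + F(...) mod 2**32.

    Within one connection tuple the ISN still advances exactly like the
    RFC 793 clock (so reincarnated connections stay well ordered); across
    tuples the offsets are unrelated without knowledge of the secret.
    """
    return (isn_clock(now_us) + connection_offset(laddr, lport, raddr, rport, secret)) & MASK32


def legacy_isn(now_us):
    """RFC 793 behaviour: the bare clock, identical for every peer at one instant."""
    return isn_clock(now_us)


def same_tuple_advance(laddr, lport, raddr, rport, secret, t0_us, t1_us):
    """How far the ISN moved for one tuple between two instants (mod 2**32)."""
    a = rfc1948_isn(laddr, lport, raddr, rport, secret, t0_us)
    b = rfc1948_isn(laddr, lport, raddr, rport, secret, t1_us)
    return (b - a) & MASK32


if __name__ == "__main__":
    # Constructed sample values: a 16-byte boot-time secret and a fixed clock reading.
    secret = bytes.fromhex("00112233445566778899aabbccddeeff")
    now_us = 1_700_000_000_000_000

    server = ("192.0.2.10", 80)
    peer_a = ("198.51.100.7", 40000)
    peer_b = ("198.51.100.7", 40001)

    # With the bare clock, two peers connecting at the same instant get the same ISN,
    # so observing one connection reveals the other's.
    print("RFC 793  ISN for A and B:", legacy_isn(now_us), legacy_isn(now_us))

    # With RFC 1948 the two ISNs differ by an offset that depends on the secret.
    isn_a = rfc1948_isn(*server, *peer_a, secret, now_us)
    isn_b = rfc1948_isn(*server, *peer_b, secret, now_us)
    print("RFC 1948 ISN for A and B:", isn_a, isn_b)

    # For a single tuple the sequence space still advances at the RFC 793 rate.
    print("advance over 4000 us:", same_tuple_advance(*server, *peer_a, secret, now_us, now_us + 4000))
```

The cost the thread refers to is visible in `connection_offset`: one hash over the four-tuple and the secret for every new connection, which is what the 2001 commit log means when it calls the feature experimental and leaves it off by default. The example keeps the secret fixed for the whole run; a deployment also has to decide how the secret is chosen and whether it is ever rotated, which the RFC discusses and this illustration does not.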