Subject: Re: making our tcp/ip a strong-end system
To: None <grefen@hprc.tandem.com>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-net
Date: 11/15/1998 17:16:25
In some email I received from Stefan Grefen, sie wrote:
[...]
> There is nothing bad about the option in general, but it just
> adds one more sysctl you have to check when something doesn't work
> as expected, and when it is turned on, you get a warm and fuzzy feeling
> of being secure, but the backdoors are still open.
> Turning on strong doesn't buy anything if src-routing is still
> enabled; the way the patch was implemented, routing needs to be turned off
> too.
> That's already four sysctl settings needed to go somewhere. If I use ipf I know
> it's complicated; if there is a sysctl variable called strong-end-system,
> you need to know the implementation to know which other variables
> to tweak too.

I don't think the name has helped here.  On Solaris, the name for this
variable is:

ip_strict_dst_multihoming

which is much more accurate.  The function isn't TCP specific and if
we could copy Solaris's name, I'd like to see a

net.inet.ip.strict_dst_multihoming

I guess, strictly speaking, it has nothing to do with security derived from
packet filtering.  It is primarily aimed at enforcing local communications
to be directed towards the correct IP addresses when you have a server which
is connected to multiple (sub)networks.

Darren

p.s. please check and edit the CC list (although I'm maybe the only one not
     on tech-net).
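As an added illustration, not part of this message and not NetBSD or Solaris code, here is a small C model of the input-path decision the thread is about. It treats the three knobs under discussion (strict destination multihoming, forwarding, source-route acceptance) as fields of a struct, uses a constructed two-interface host (ext0 = 192.168.1.1, int0 = 10.0.0.1), and shows both points made above: the strict check alone rejects a packet for int0's address arriving on ext0, but a packet addressed to ext0 that carries a loose source route via int0 still reaches int0 while source routing is enabled. How the source-route option interacts with the strict check is this model's assumption, stated in the comments, not a description of the actual patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model, not kernel code: each interface carries one IPv4 address (host byte order). */
struct iface { const char *name; uint32_t addr; };

/* The knobs discussed in the thread, modelled as a struct instead of sysctls. */
struct ipcfg {
    int strict_dst_multihoming; /* deliver only if dst is the ingress interface's address */
    int forwarding;             /* forward packets that are not addressed to us */
    int accept_sourceroute;     /* honour the (loose) source route option */
};

struct pkt {
    int ifindex;        /* interface the packet arrived on */
    uint32_t dst;       /* destination address in the header */
    uint32_t next_hop;  /* next hop from a loose source route option, 0 if none */
};

enum verdict { DELIVER, FORWARD, DROP };

static int addr_index(const struct iface *ifs, size_t n, uint32_t a)
{
    for (size_t i = 0; i < n; i++)
        if (ifs[i].addr == a)
            return (int)i;
    return -1;
}

/* Decide the fate of an incoming packet; `delivered` (may be NULL) receives the
 * local address the packet ends up at when the verdict is DELIVER. */
enum verdict ip_input(const struct iface *ifs, size_t n, const struct ipcfg *cfg,
                      const struct pkt *p, uint32_t *delivered)
{
    int local = addr_index(ifs, n, p->dst);

    if (local < 0)
        return cfg->forwarding ? FORWARD : DROP;

    /* Strong-end check: the destination must belong to the ingress interface. */
    if (cfg->strict_dst_multihoming && local != p->ifindex)
        return DROP;

    if (p->next_hop != 0) {
        if (!cfg->accept_sourceroute)
            return DROP;
        /* Source route processing: we are the current hop, so the next hop replaces
         * the destination. Assumption of this model: the strict check is not
         * re-applied, since the outer destination already satisfied it; a next hop
         * that is one of our own addresses is delivered locally, anything else is
         * subject to the forwarding knob. */
        if (addr_index(ifs, n, p->next_hop) >= 0) {
            if (delivered) *delivered = p->next_hop;
            return DELIVER;
        }
        return cfg->forwarding ? FORWARD : DROP;
    }

    if (delivered) *delivered = p->dst;
    return DELIVER;
}

/* Constructed two-interface host: ext0 faces the outside, int0 the inside. */
#define EXT_ADDR 0xC0A80101u   /* 192.168.1.1 */
#define INT_ADDR 0x0A000001u   /* 10.0.0.1 */
#define IF_EXT 0
static const struct iface host_ifs[] = { { "ext0", EXT_ADDR }, { "int0", INT_ADDR } };
static uint32_t g_last_delivered;

/* A packet from outside arriving on ext0, optionally with a one-hop source route. */
enum verdict from_outside(int strict, int forwarding, int srcroute,
                          uint32_t dst, uint32_t next_hop)
{
    struct ipcfg cfg = { strict, forwarding, srcroute };
    struct pkt p = { IF_EXT, dst, next_hop };
    g_last_delivered = 0;
    return ip_input(host_ifs, 2, &cfg, &p, &g_last_delivered);
}

uint32_t last_delivered(void) { return g_last_delivered; }

int main(void)
{
    static const char *names[] = { "DELIVER", "FORWARD", "DROP" };
    printf("weak host, dst=int0 via ext0:        %s\n", names[from_outside(0, 0, 0, INT_ADDR, 0)]);
    printf("strict, dst=int0 via ext0:           %s\n", names[from_outside(1, 0, 0, INT_ADDR, 0)]);
    printf("strict + srcroute, ext0 -> int0:     %s\n", names[from_outside(1, 0, 1, EXT_ADDR, INT_ADDR)]);
    printf("strict, srcroute off, ext0 -> int0:  %s\n", names[from_outside(1, 0, 0, EXT_ADDR, INT_ADDR)]);
    return 0;
}
```

The third case is the one Stefan describes: the strict check passes because the header destination is ext0's own address, and the option then steers the packet to int0 anyway. Only the fourth case, with source routing off as well, closes that path, which is why the setting is not meaningful on its own.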