Re: [PATCH] Fix corrupt TCP packets when options space overflows with MD5SIG enabled (v2)
From: David Miller <davem@davemloft.net>
Date: 2008-06-18 04:03:23
From: "Adam Langley" <redacted>
Date: Tue, 17 Jun 2008 17:45:52 -0700
How's this: If we receive a SYN packet with MD5 + SACK + TS we assume that it's from an older kernel and reply with MD5 + TS. Not including SACK means that it won't send us corrupt packets and since we couldn't previously do SACK with these packets anyway, we're not losing anything.
We should reject invalid packets, even those created by Linus, regardless of the ramifications of such. If we drop such frames, things will reset and a timeout based retransmission will occur. I don't see any value in trying to recognize these invalid frames. We should instead just fix the part of Linux that emits the bogus packets to begin with.
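Added example, not part of the thread or the patch: the option-space arithmetic behind the MD5 + SACK + TS case discussed above, showing that no SACK block fits once MD5 and timestamps are both present. All names are hypothetical; sizes assume the RFC option lengths (MD5 signature 18 bytes, timestamps 10 bytes, SACK 2 + 8n bytes), each padded with NOPs to a 4-byte boundary.

```c
#include <stdio.h>

/* Added illustration; identifiers are hypothetical, not taken from the kernel. */
#define TCP_MAX_OPTION_SPACE  40 /* 60-byte maximum header minus 20-byte base header */
#define OPT_MD5SIG_ALIGNED    20 /* 18-byte MD5 signature option + 2 NOPs */
#define OPT_TS_ALIGNED        12 /* 10-byte timestamp option + 2 NOPs */
#define OPT_SACK_BASE_ALIGNED  4 /* 2 NOPs + kind + length */
#define OPT_SACK_PER_BLOCK     8 /* 4-byte left edge + 4-byte right edge */

struct opt_request {
    int md5;         /* segment carries an MD5 signature */
    int timestamps;  /* segment carries timestamps */
    int sack_blocks; /* SACK blocks the sender would like to include */
};

/* Bytes the requested options would occupy, ignoring the 40-byte limit. */
static int opts_requested_size(const struct opt_request *r)
{
    int size = 0;
    if (r->md5) size += OPT_MD5SIG_ALIGNED;
    if (r->timestamps) size += OPT_TS_ALIGNED;
    if (r->sack_blocks > 0)
        size += OPT_SACK_BASE_ALIGNED + r->sack_blocks * OPT_SACK_PER_BLOCK;
    return size;
}

/* SACK blocks that fit after the fixed options are placed (0 = omit SACK). */
static int opts_fit_sack_blocks(const struct opt_request *r)
{
    int remaining = TCP_MAX_OPTION_SPACE - OPT_SACK_BASE_ALIGNED;
    if (r->md5) remaining -= OPT_MD5SIG_ALIGNED;
    if (r->timestamps) remaining -= OPT_TS_ALIGNED;
    if (remaining < OPT_SACK_PER_BLOCK) return 0;
    int fit = remaining / OPT_SACK_PER_BLOCK;
    return fit < r->sack_blocks ? fit : r->sack_blocks;
}

int main(void)
{
    /* Constructed cases: every MD5/TS combination asking for 4 SACK blocks. */
    for (int md5 = 0; md5 <= 1; md5++)
        for (int ts = 0; ts <= 1; ts++) {
            struct opt_request r = { md5, ts, 4 };
            printf("md5=%d ts=%d wanted=%d bytes, SACK blocks that fit=%d\n",
                   md5, ts, opts_requested_size(&r), opts_fit_sack_blocks(&r));
        }
    return 0;
}
```
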