From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Tue, 7 Jul 2009 09:40:08 +0800

Hmm I deliberately didn't want to have this as the default because
I want whoever that enables it to think about the implications.
Having it on by default means that people will just set this up
without realising that they're leaving the packet unprotected by
checksums for a fraction of the path.

As I explained, it's almost impossible to use this without leaving
the packet unprotected at least in one direction.

Having said that I'm fine with turning this into a sysctl or some
global setting that's easier to enable.

Hmmm, aren't we talking about packets which were protected by either a
hash, strong encryption, or both at some point?