how not to implement tcp md5sig


FreeBSD, 2006ish
only attach md5 signatures on outgoing packets
do not bother checking on the receive side...

Cisco
apparently, they check md5 signatures _before_ the regular tcp stuff (sequence number!)
the cheapest checks last...

Apparently only Juniper and OpenBSD got this right from the beginning. astounding.