I still defend the idea of the diffserv "squash" option cake once had. It was essentially RFC compliant, simple to use, and because iptables was too late on inbound, needed, no matter the layer violation.