How about a flag that can be passed via ifconfig to disable the implicit up? Then netstart could use it to ensure that an interface is only brought up after it has finished configuration (which *is* a problem for pppoe and carp at least) and it suits people's finger memory for ifconfig?
Of course keeping auto-up in any form only solves the actual user-facing problem and doesn't make it easier to cope with the kernel side for locking.