Why on earth would anyone use the 'top secret' option of IPv4?
The point of classification flags is that it tells routers what they are allowed to do with it. You wouldn't see classification flags on the open internet as they are handled by private government networks. What the flags do perform however is allow routers within the government network to determine if a packet should be allowed to bridge to a public or less secure network without having to understand what is within the packet.
Be sure to check out Falcon Momot's answer as well. It has some excellent additional depth.
The option is defined completely and finally in RFC1108, a historical RFC which would have been standards-track had that process existed at the time. Support for it is still advertised by Cisco and it seems by implication that the US DoD is still using it for something.
That said, there is no apparent equivalent in IPv6 at all, and I have never once seen this deployed. It is also not a particularly useful mechanism for protecting data except that it might mark sensitive traffic as unforwardable provided that the device which would otherwise forward it is compliant. It would certainly flag traffic as interesting, though there is likely to be a lot of noise and I'd imagine you wouldn't see any of it unless you were doing a packet trace on a classified network (at which point pretty well everything you see will be interesting).
However, as a packet filtering mark, it certainly would add more security than it would remove. In general, it is vastly more important to protect data than to hide metadata, and security by obscurity is no security at all. There are two uses for it which I can see:
- A link on a classified network carries traffic for multiple groups. Some devices are members of some groups but not others; the relationship is many-to-many and separate devices for each possible classification would be impractical. However, the network is airgapped from the rest of the world, and the mechanism is used as an additional line of defense similar to a VLAN. This is implemented in a device functioning like a layer 3 switch.
- A network is not airgapped from the outside world for some operational reason, and an additional line of defense against disclosure is desired. The border gateway discards all packets with an indicated classification.
In these regards, and in light of the RFC, it seems that it's extremely similar to VLANs without the encapsulation, and provides about as much security value.
I would gather, from the lack of any updates to the RFC in over 10 years, and the continued limited support for the specification in current hardware, that like so many other things in government IT, it is no longer a preferred mechanism, but is in use by certain legacy systems in some limited capacity.