Telnet Data Encryption Option(2)

　　The keyid is only advisory, and my be omitted.

　　IAC SB ENCRYPT REQUEST-END IAC SE

　　The sender of this command requests that the remote side stop　encryption of the telnet data stream. Only the side of the　connection that is DO ENCRYPT may send the REQUEST-END command.

　　IAC SB ENCRYPT ENC_KEYID keyid IAC SE

　　The sender of this requests that the remote side verify that　"keyid" maps to a valid key; or verifies that the "keyid" received　in a DEC_KEYID command is valid. If keyid is omitted, it implies　that there are no more known keyids, and that the attempt to find　a common keyid has failed. Only the side of the connection that　is WILL ENCRYPT may send the ENC_KEYID command.

　　IAC SB ENCRYPT DEC_KEYID keyid IAC SE

　　The sender of this requests that the remote side verify that　"keyid" maps to a valid key on the remote side; or verifies that　the "keyid" received in a ENC_KEYID command is valid. If keyid is　omitted, it implies that there are no more known keyids, and that　the attempt to find a common keyid has failed. Only the side of　the connection that is DO ENCRYPT may send the DEC_KEYID command.

　　3. Default Specification

　　The default specification for this option is

　　WONT ENCRYPT

　　DONT ENCRYPT

　　meaning there will not be any encryption of the Telnet data stream.

　　4. Motivation

　　The Telnet protocol has no form of protection from some intervening　gateway looking at IP packets as they travel through the network.

　　This is especially dangerous when passwords are sent as clear text　over the network. This option provides a method for encrypting the　data stream.

　　5. Implementation Rules

　　Once the Encryption option is in effect, all data in the negotiated　direction, including TELNET options, is encrypted. Encryption begins　with the octet of data immediately following the "IAC SB ENCRYPT　START encryption-type IAC SE" command. Encryption ends after the　"IAC SB ENCRYPT END IAC SE" command.

　　WILL and DO are used only at the beginning of the connection to　obtain and grant permission for future negotiations. The ENCRYPT　option must be negotiated in both directions.

　　Once the two hosts have exchanged a WILL and a DO, the sender of the　DO ENCRYPT must send a ENCRYPT SUPPORT command to let the remote side　know the types of encryption it is willing to accept. In the　request, a list of supported encryption schemes is sent. Only the　sender of the DO may send a list of supported encryption types (IAC　SB ENCRYPT SUPPORT encryption-type-list IAC SE). Only the sender of　the WILL may actually transmit encrypted data. This is initiated via　the "IAC SB ENCRYPT START IAC SE" command, and terminated via the　"IAC SB ENCRYPT END IAC SE" command. If a START is received, and　then a second START is received before receiving an END, the second　START is ignored.

　　If the sender of the DO would like the remote side to begin sending　encrypted data, it can send the "IAC SB ENCRYPT REQUEST-START IAC SE"　command. If the sender of the DO would like the remote side to stop　sending encrypted data, it can send the "IAC SB ENCRYPT REQUEST-STOP　IAC SE" command.

　　If the receiver of the SUPPORT command does not support any of the　encryption types listed in the SUPPORT command, it should send an　"IAC SB ENCRYPT IS NULL IAC SE" to indicate that there are no　encryption types in common. It may also send an IAC WONT ENCRYPT　command to turn off the ENCRYPT option.

　　The order of the encryption types in a SUPPORT command must be　ordered to indicate a preference for different encryption types, the　first type being the most preferred, and the last type the least　preferred.

　　If the ENCRYPT option has been enabled, and encrypted data is being　received, the receipt of an "IAC WONT ENCRYPT" implies the receipt of　an "IAC SB ENCRYPT END IAC SE", e.g., the Telnet data stream is no　longer encrypted.

　　The following example demonstrates the use of the option:

　　Host1 Host2

　　[ Host1 requests Host2 negotiate the encryption of data that　Host2 sends to Host1. Host2 agrees to negotiate the encryption　of data that it sends to Host1. ]

　　DO ENCRYPT

　　WILL ENCRYPT

　　[ Host1 requests that Host2 enable encryption as soon as the　initialization is completed, and informs Host2 that is supports