
Command meanings and usage

This section gives a brief description of the intended use of the option code and sub-option codes.

      IAC WILL ENCRYPT
The sender of this command is willing to send encrypted data.

      IAC WONT ENCRYPT

The sender of this command refuses to send encrypted data.

      IAC DO ENCRYPT
The sender of this command is willing to receive encrypted data.

      IAC DONT ENCRYPT
The sender of this command refuses to accept encrypted data.

      IAC SB ENCRYPT START encryption-type IAC SE
The sender of this command is stating that at this point in the data stream, all following data will be encrypted using the encryption-type method of data encryption. An encryption-type of ANY must not be used. The current types of encryption will be listed in the current version of the Assigned Numbers document [19]. Only the sender of the WILL ENCRYPT may send this command and actually transmit encrypted data. If a START is received, and then a second START is received before receiving an END, the second START is assumed to terminate the first START command, and then begin a (possibly) new method of encryption.

It must be stressed that restarting encryption with the same key is a dangerous security hole. An active attacker could detect the restart sequence and replay old information. Encryption should be restarted only after the session keys have been changed with the authentication option.

      IAC SB ENCRYPT END IAC SE
The sender of this command is stating that at this point in the data stream, all following data will no longer be encrypted. If the ENCRYPT option has been enabled, and encrypted data is being received, the receipt of an "IAC WONT ENCRYPT" has the same effect as the receipt of this command sequence.

      IAC SB ENCRYPT SUPPORT encryption-type-list IAC SE
The sender of this command is stating what types of encryption it will support. The encryption-type-list is an ordered list of encryption-types: the first entry is the most preferred encryption type and the last entry is the least preferred encryption type. Only the sender of the DO may send this command. If the receiver of the SUPPORT command does not support any of the encryption types listed in the SUPPORT command, it should send an IAC WONT ENCRYPT command to turn off the ENCRYPT option.

      IAC SB ENCRYPT REQUEST-START encryption-type IAC SE

The sender of this command requests that the remote side begin encryption of the telnet data stream. The encryption-type value is a request for a specific type of encryption. If no specific type is needed, a value of ANY should be used.

      IAC SB ENCRYPT REQUEST-END IAC SE

The sender of this command requests that the remote side stop encryption of the telnet data stream.
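
The receive-side rules above (START only from the sender of WILL, no ANY in START, a second START replacing the first, WONT acting as END, and no restart under an unchanged key) can be checked with a small state tracker. This is an added example, not code from the original document. It works on already-decoded command events rather than wire bytes, treats any START after the first within one key epoch as a restart, and assumes a hypothetical `rekeyed()` hook that the authentication option code would call; `TYPE_A` and `TYPE_B` are placeholder type names.

```python
from dataclasses import dataclass, field
from typing import Optional

ANY = "ANY"  # wildcard type: valid in REQUEST-START, forbidden in START

# Constructed event trace; TYPE_A and TYPE_B are placeholder type names.
SAMPLE = [("WILL", None), ("START", "TYPE_A"), ("START", "TYPE_B"),
          ("REKEY", None), ("START", "TYPE_A"), ("WONT", None)]


@dataclass
class EncryptReceiver:
    """State for one direction: the data stream the peer sends to us."""
    peer_will: bool = False             # peer has sent IAC WILL ENCRYPT
    active_type: Optional[str] = None   # type named by the START in force
    key_epoch: int = 0                  # bumped on each session-key change
    last_start_epoch: Optional[int] = None
    alerts: list = field(default_factory=list)

    def rekeyed(self):
        # Hypothetical hook: the authentication option changed the keys.
        self.key_epoch += 1

    def handle(self, cmd, enc_type=None):
        if cmd == "WILL":
            self.peer_will = True
        elif cmd == "WONT":
            # Same effect as END while encrypted data is being received.
            self.peer_will = False
            self.active_type = None
        elif cmd == "END":
            self.active_type = None
        elif cmd == "START":
            if not self.peer_will:
                self.alerts.append("START without WILL ENCRYPT")
            elif enc_type == ANY:
                self.alerts.append("START with type ANY")
            else:
                if self.last_start_epoch == self.key_epoch:
                    self.alerts.append("restart under unchanged session key")
                self.last_start_epoch = self.key_epoch
                self.active_type = enc_type  # second START replaces the first


def run(events):
    """Feed (cmd, enc_type) events, with ("REKEY", None) marking a key change."""
    rx = EncryptReceiver()
    for cmd, enc_type in events:
        rx.rekeyed() if cmd == "REKEY" else rx.handle(cmd, enc_type)
    return rx
```

Running `run(SAMPLE)` raises one alert, for the second START sent before any key change; the START that follows the REKEY event is accepted silently.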



Asgaut Eng
Wed Apr 10 14:07:30 MET DST 1996