There is plenty of space available in the form of (normally unused) payload of TCP SYN, SYN/ACK, and ACK packets. Could they be used to announce the intention/capabilities for an encrypted connection, eventually serve for authenticating the connection? This way there would be virtually no overheads in the connection in the case one of the sides doesn't offer opportunistic crypto; the packet payload data would get ignored in that case. For UDP connections, handshake using ICMP packets in a ping-like scenario could be possible; send ICMP_ECHO_REQUEST to the server with the payload containing a handshake request. If the ICMP_ECHO_REPLY returned contains the handshake acknowledge, proceed, otherwise assume the server doesn't speak our dialect of OE. Opinions, comments? Why this wouldn't work?