The idea of advertising opportunistic crypto presence in TCP/SYN inspired me to another one: authenticated connection handshake for TCP protocol. Scenario: Application listening on port P of server S, only for authenticated users. Unknown user sends TCP/SYN to S:P, gets back TCP/RST, with challenge in MD5 field of TCP options. The user doesn't support this scheme, so considers the port closed. Unknown-now known user sends TCP/SYN, gets back TCP/RST with the challenge, sends another TCP/SYN, this time with calculated response using a shared secret, again in TCP MD5 option field, gets back TCP/SYNACK. The random challenge should be sent back in all TCP/RST packets, otherwise port scanning will still be possible. Is it a good idea? Could it work? Why not?