ssbc / secret-stack

connect peers to each other using secret-handshakes

How do you handle protocol versioning?

wanderer opened this issue · comments

Let's say for some reason you need to update the handshake. Would this create a network partition? Or do you have some way to handle it gracefully?

@wanderer yes I have a plan for this, but it isn't implemented yet.

The traditional design for an upgradable protocol is to have a version and ciphersuite agreement in the handshake. However, this "algorithm agility" often leads to security problems: firstly, it massively complicates the protocol (making auditing difficult), and it often enables downgrade attacks.

The world has changed a lot since SSL was first designed. Back then, new browser versions were distributed via hardcopy (a CD from your ISP). But nowadays we have evergreen browsers that automatically update.

Also, having a handshake in the protocol means we can never break the handshake. We are stuck with a handshake design that we must never change.

Assuming that we are building a p2p protocol, there are two things that differ from the situation TLS is in. 1) p2p apps must be engineered for reliability in the face of failure: if you cannot connect to some peers it's okay as long as you can still see others. 2) There is usually a lookup (DHT, gossip, etc.) to go from a peer id (a pubkey) to address information (ip:port, etc.).

So, my idea is to put the protocol version/ciphersuite in the lookup instead of the handshake.
To roll out an upgrade from weak to strong protocols, a peer simply opens another port using the strong protocol and advertises this via the lookup system, but still accepts weak connections on the previous port. Then once some threshold has been reached (say, that 90% of its network supports the strong protocol), peers start to disable the weak protocol.

This means that the protocol is always simple and easy to audit, and we can perform an upgrade, but we don't expose ourselves to a crippling legacy.
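As an added illustration of the scheme described above (example code, not part of secret-stack or this thread): protocol identifiers live in the peer lookup record, each listener speaks exactly one fixed handshake on its port, a dialer picks the strongest protocol both sides advertise, and the weak listener is only dropped once the advertised support for the strong protocol crosses a threshold. The protocol names `shs-v1`/`shs-v2`, the lookup table contents, and the function names are all constructed for the example.

```javascript
// Added example (not secret-stack's own code): protocol versions live in the
// peer lookup record, not in the handshake. Each handshake variant is fixed and
// un-negotiable; an upgrade is rolled out by advertising an extra address.

// Hypothetical protocol identifiers, ordered from weakest to strongest.
const PROTOCOLS = ['shs-v1', 'shs-v2'];
const strength = (p) => PROTOCOLS.indexOf(p);

// Constructed lookup table: peer id -> advertised addresses, one per protocol.
// In a real deployment this would be populated from a DHT or gossip.
const lookup = new Map([
  ['@alice', [{ protocol: 'shs-v1', host: '10.0.0.1', port: 8008 },
              { protocol: 'shs-v2', host: '10.0.0.1', port: 8009 }]],
  ['@bob',   [{ protocol: 'shs-v1', host: '10.0.0.2', port: 8008 }]],
  ['@carol', [{ protocol: 'shs-v1', host: '10.0.0.3', port: 8008 },
              { protocol: 'shs-v2', host: '10.0.0.3', port: 8009 }]],
]);

// Dialer side: choose the strongest protocol that both we and the remote peer
// advertise. There is no in-band negotiation, so if nothing overlaps we simply
// do not connect (acceptable in a p2p app that tolerates unreachable peers).
function chooseAddress(localProtocols, peerId, table = lookup) {
  const addrs = table.get(peerId) || [];
  const usable = addrs
    .filter((a) => localProtocols.includes(a.protocol) && strength(a.protocol) >= 0)
    .sort((a, b) => strength(b.protocol) - strength(a.protocol));
  return usable.length ? usable[0] : null;
}

// Fraction of known peers whose lookup record advertises the given protocol.
function supportFraction(protocol, table = lookup) {
  const peers = [...table.values()];
  if (peers.length === 0) return 0;
  const supporting = peers.filter((addrs) =>
    addrs.some((a) => a.protocol === protocol)).length;
  return supporting / peers.length;
}

// Rollout policy: keep listening on the weaker protocol(s) until the threshold
// (90% in the thread's example) of the network advertises the strongest one.
function listeningProtocols(localProtocols, table = lookup, threshold = 0.9) {
  const strongest = [...localProtocols].sort((a, b) => strength(b) - strength(a))[0];
  const weaker = localProtocols.filter((p) => p !== strongest);
  const keepWeak = supportFraction(strongest, table) < threshold;
  return keepWeak ? [strongest, ...weaker] : [strongest];
}

// Listener side: a port speaks exactly one protocol. A client presenting a
// different one is refused outright rather than downgraded, which is what
// removes the downgrade surface that in-handshake negotiation would create.
function acceptConnection(listenerProtocol, clientProtocol) {
  return listenerProtocol === clientProtocol;
}

// Usage: with the constructed table, 2 of 3 peers advertise shs-v2, so a peer
// supporting both keeps its shs-v1 listener open until the 90% threshold is met.
console.log(chooseAddress(PROTOCOLS, '@alice'));        // the shs-v2 address, port 8009
console.log(supportFraction('shs-v2').toFixed(2));       // "0.67"
console.log(listeningProtocols(PROTOCOLS));              // [ 'shs-v2', 'shs-v1' ]
console.log(listeningProtocols(PROTOCOLS, lookup, 0.5)); // [ 'shs-v2' ]
```

The important design property is that `acceptConnection` has nothing to negotiate: the version decision was made from the lookup record before any bytes were exchanged, so the handshake itself stays a single, auditable design per port.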

Thank you for the explanation @dominictarr ! Putting the meta information in the peer discovery protocol makes the most sense to me too. The only other option I can think of is if the handshake fails to decrypt then try decrypting an older version. But that is pretty messy.