by merging it with the version packet. Or more accurately, by merging it with the first packet sent after garbage termination, which may be a decoy packet or the version packet.
The new protocol simplifies implementations:
- A protocol state machine won’t need separate states for garbage authentication and version phases.
- The special case of “ignoring the ignore bit” is removed.
- The freedom to choose the contents of the garbage authentication packet is removed. This simplifies testing.
The reason for having a separate garbage authentication packet was to materialize the separation of the key exchange phase and version negotiation phase even in the bytestream on the wire. However, this is not necessary, and arguably, these phases are still properly separated: Since the AEAD will ensure that AAD (=garbage) is checked before looking at the contents (=version), the peers won’t interpret version data before having authenticated the garbage.