-By default, nodes authenticate each other using 2048 bit RSA (or 521 bit
-ECDSA*) keys. Traffic is encrypted using Blowfish in CBC mode (or AES-256 in
-GCM mode*), authenticated using HMAC-SHA1 (or GCM*), and is protected against
-replay attacks.
-
-*) When using the ExperimentalProtocol option.
+Tinc 1.1 support two protocols. The first is a legacy protocol that provides
+backwards compatibility with tinc 1.0 nodes, and which by default uses 2048 bit
+RSA keys for authentication, and encrypts traffic using Blowfish in CBC mode
+and HMAC-SHA1. The second is a new protocol which uses Curve25519 keys for
+authentication, and encrypts traffic using Chacha20-Poly1305, and provides
+forward secrecy.