During a security blanket negotiation, the client supplies a security blanket which indicates the maximum level of security that the client can support. When the server receives this security blanket, it matches it against what it would accept. The server decides the minimum level of security which it will accept. If the client's security blanket levels are all above the ones expected by the client, the negotiation succeeds, otherwise negotiation fails.
This approach reduces network traffic down to a single round trip. This low overhead allows security negotiation on a very fine-grain level. For example, security negotiation can be performed on a 'per remote interface instance' level.