In a network, network nodes are vulnerable to attacks and/or backdoors that allow an attacker to remotely control a network node and/or to steal data traffic from the network node, resulting in loss of data and privacy. For example, an attacker may employ a forwarding network node to exploit transit traffic that is sent through a network. Transit traffic refers to data traffic that passes through a forwarding network node without terminating at that forwarding network node. Non-transit traffic refers to data traffic that terminates at the forwarding network node. Data packets may be taken from the forwarding network node and copied or sent to another destination. For instance, an attacker may tamper with an existing packet header (e.g., modifying an Internet Protocol (IP) address) or encapsulate a data packet with a new packet header (e.g., using IP-in-IP encapsulation).
To increase security, a network operator may use hop-by-hop encryption, which provides packet confidentiality over network links but does not provide packet confidentiality within a network node, because each node must decrypt the packet in order to forward it. Alternatively, a network operator may use site-to-site encryption, which provides confidentiality over both network links and within transit routers. However, site-to-site encryption does not encrypt the outer packet header information, and does not prevent protected traffic from being copied for further analysis, for example, offline decryption. End-to-end encryption may be used by a traffic owner to provide payload confidentiality. However, end-to-end encryption does not provide confidentiality for packet headers or traffic metadata, and does not prevent encrypted traffic from being copied for further analysis.
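The following is an added illustration, not code from the original text, that models what a compromised transit node on the path Src -> A -> B -> Dst can read or copy under each of the three encryption scopes described above. The cipher is a toy SHA-256 counter-mode keystream chosen only so the block runs offline with the standard library; the keys, nonce, addresses and packet contents are constructed sample values, and `Observation` is a hypothetical record of what node B sees while the packet is inside it.

```python
"""Toy model (constructed for illustration) of transit-node exposure under
hop-by-hop, site-to-site and end-to-end encryption."""
import hashlib
from dataclasses import dataclass
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Assumption: a toy counter-mode keystream built from SHA-256, used only so
    # the example is self-contained; it stands in for a real link/site/e2e cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


toy_decrypt = toy_encrypt  # XOR with the same keystream inverts itself


@dataclass
class Packet:
    header: bytes   # constructed, e.g. b"src=10.0.0.1 dst=10.0.0.9"
    payload: bytes


@dataclass
class Observation:
    """What transit node B can read (plaintext) or copy (ciphertext)."""
    visible_header: bytes
    visible_payload: bytes                 # b"" when B cannot read the payload
    copyable_ciphertext: Optional[bytes]   # material B could exfiltrate for later analysis


# Constructed sample keys, nonce and packet.
LINK_KEY_AB = b"link-key-a-b"      # hop-by-hop key shared by A and B
SITE_KEY = b"site-gateway-key"     # shared by the two site gateways
E2E_KEY = b"endpoint-key"          # shared by Src and Dst only
NONCE = b"\x00" * 8
PKT = Packet(header=b"src=10.0.0.1 dst=10.0.0.9", payload=b"account=1234 amount=50")


def hop_by_hop(pkt: Packet) -> Observation:
    """Link A->B encrypts the whole packet; B must decrypt it to forward it."""
    on_wire = toy_encrypt(LINK_KEY_AB, NONCE, pkt.header + b"|" + pkt.payload)
    inside_b = toy_decrypt(LINK_KEY_AB, NONCE, on_wire)  # plaintext exists inside B
    hdr, payload = inside_b.split(b"|", 1)
    return Observation(hdr, payload, None)


def site_to_site(pkt: Packet) -> Observation:
    """Gateway encrypts header+payload under SITE_KEY and prepends an outer header."""
    inner = toy_encrypt(SITE_KEY, NONCE, pkt.header + b"|" + pkt.payload)
    outer_header = b"src=gw1 dst=gw2"  # constructed gateway addresses, sent in clear
    # B forwards on the outer header alone; the inner packet stays encrypted inside B,
    # but B can still copy the ciphertext.
    return Observation(outer_header, b"", inner)


def end_to_end(pkt: Packet) -> Observation:
    """Src encrypts only the payload under E2E_KEY; the original header stays in clear."""
    ct = toy_encrypt(E2E_KEY, NONCE, pkt.payload)
    return Observation(pkt.header, b"", ct)


def offline_analysis(obs: Observation, obtained_key: bytes) -> bytes:
    """Ciphertext copied at B decrypts later if the corresponding key is ever obtained."""
    if obs.copyable_ciphertext is None:
        return b""
    return toy_decrypt(obtained_key, NONCE, obs.copyable_ciphertext)


if __name__ == "__main__":
    for name, fn in (("hop-by-hop", hop_by_hop), ("site-to-site", site_to_site),
                     ("end-to-end", end_to_end)):
        obs = fn(PKT)
        print(f"{name:13s} header={obs.visible_header!r} payload={obs.visible_payload!r} "
              f"copyable={obs.copyable_ciphertext is not None}")
```

Running the block shows the three exposure profiles side by side: under hop-by-hop the node holds the full plaintext; under site-to-site it sees only the gateway addresses but can copy the inner ciphertext; under end-to-end it sees the real source and destination addresses plus a copyable encrypted payload. `offline_analysis` makes the "stolen for further analysis" point concrete: the copied ciphertext from the latter two schemes is fully recoverable if the site or endpoint key is later obtained, which is why key lifetime and forward secrecy matter even when the node never saw plaintext.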