The enforcer can control traffic between processing units at different layers of the network stack.
At layer 3, it automatically adds the processing unit’s cryptographically signed identity during the
SYN/SYN-ACK portion of TCP session establishment (or by using UDP options in the case of UDP traffic).
At layer 4, it exchanges identities after a TCP connection is established, but before any data traffic is allowed to flow. In this case, it utilizes
TCP Fast Open to minimize the round-trip times needed to complete a robust authorization.
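
To confirm on a packet capture that TCP Fast Open is in use during the handshake, look for the TFO option (kind 34, RFC 7413) on the SYN. The parser below is an added example, not the enforcer's own code: it reads a raw TCP segment and reports the handshake flags, any TFO cookie, and the payload length. It does not decode the enforcer's identity token, whose format this page does not describe. `build_segment` and all sample values are constructed for illustration.

```python
import struct

TFO_KIND = 34  # TCP Fast Open cookie option (RFC 7413)

def parse_tcp_segment(segment: bytes) -> dict:
    """Parse one raw TCP segment (TCP header + payload, no IP header)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    flags = off_flags & 0x01FF
    info = {"sport": sport, "dport": dport,
            "syn": bool(flags & 0x02), "ack": bool(flags & 0x10),
            "tfo_cookie": None, "payload_len": len(segment) - header_len}
    opts, i = segment[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # No-Operation padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        if kind == TFO_KIND:
            # An empty cookie is a cookie request; otherwise it is the cookie.
            info["tfo_cookie"] = opts[i + 2:i + length]
        i += length
    return info

def build_segment(flags: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Build a constructed sample segment (ports and sequence numbers are made up)."""
    options += b"\x01" * (-len(options) % 4)   # pad options to a 32-bit boundary
    off_flags = (((20 + len(options)) // 4) << 12) | flags
    header = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, off_flags, 65535, 0, 0)
    return header + options + payload

if __name__ == "__main__":
    cookie = bytes(range(8))                   # constructed 8-byte cookie
    mss = b"\x02\x04\x05\xb4"                  # MSS option, 1460
    tfo = bytes([TFO_KIND, 2 + len(cookie)]) + cookie
    syn = build_segment(0x02, mss + tfo, b"constructed-early-data")
    print(parse_tcp_segment(syn))
    print(parse_tcp_segment(build_segment(0x12, mss)))   # SYN-ACK without TFO
```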