The present invention provides methods and apparatus for classifying and
demultiplexing packets in a network protocol stack. It provides
extendibility for packet processing in the network protocol stack by
defining a standard method for adding new functionality. It provides a
method to obtain external information, from an application scheduled
outside of the forwarding or interrupt context of the kernel, in order to
augment packet classification and/or augment packet disposition. In some
embodiments, the external information augments a criterion of a node in a
classification tree with additional information. It presents a way of
augmenting that suspends the classification process until an
application, scheduled outside of the forwarding or interrupt context of
the kernel, completes. The resulting external information is used to
augment the packet classification. In some embodiments of the method, the
external information includes authentication of an originator of the
packet by correlating a tunnel id with a userid, and/or using s/ident for
out-of-band authentication. The classification process enables
enforcement of a site policy.
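
The suspend-and-resume flow described above, as an added example that is not taken from the patent: a single-threaded user-space sketch in which a tree node cannot decide without the userid correlated with a tunnel id, parks the packet, and re-evaluates it when the helper application reports back. All names (`classify`, `helper_done`, `node_uid_is`, `QLEN`, `allowed_uid` as the site policy) are assumptions, as is the choice to drop packets when the helper finds no mapping or the queue is full.

```c
#include <stddef.h>

enum verdict { V_ACCEPT, V_DROP, V_PENDING };

struct packet {
    unsigned tunnel_id;    /* visible in the forwarding path */
    int have_uid;          /* set once external information arrives */
    unsigned uid;          /* userid correlated with tunnel_id */
    enum verdict verdict;
};

#define QLEN 4
static struct packet *parked[QLEN];  /* packets with suspended classification */
static size_t nparked;

/* Tree node whose criterion needs the externally supplied userid. */
static enum verdict node_uid_is(const struct packet *p, unsigned allowed_uid)
{
    if (!p->have_uid)
        return V_PENDING;            /* undecidable in forwarding context */
    return p->uid == allowed_uid ? V_ACCEPT : V_DROP;
}

/* Forwarding-path entry point: decide now, or park the packet. */
enum verdict classify(struct packet *p, unsigned allowed_uid)
{
    p->verdict = node_uid_is(p, allowed_uid);
    if (p->verdict == V_PENDING && nparked < QLEN)
        parked[nparked++] = p;
    else if (p->verdict == V_PENDING)
        p->verdict = V_DROP;         /* queue full: fail closed */
    return p->verdict;
}

/* Helper completion; found == 0 means no userid maps to the tunnel.
 * Resumes every parked packet of that tunnel and returns the count. */
size_t helper_done(unsigned tunnel_id, int found, unsigned uid, unsigned allowed_uid)
{
    size_t i, keep = 0, resumed = 0;
    for (i = 0; i < nparked; i++) {
        struct packet *p = parked[i];
        if (p->tunnel_id != tunnel_id) { parked[keep++] = p; continue; }
        p->have_uid = found;
        p->uid = uid;
        p->verdict = found ? node_uid_is(p, allowed_uid) : V_DROP;
        resumed++;
    }
    nparked = keep;
    return resumed;
}
```

Packets for other tunnels stay parked until their own reply arrives, so the queue bound and the fail-closed branches are what keep a slow or unresponsive helper from turning into an open path.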